Overview

overview

10

Static

static

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y... -.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of y...py.exe

windows10-1703-x64

10

a ton of ya/ya.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    1798s
  • max time network
    1798s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-05-2024 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

  • Size

    63KB

  • MD5

    222c2d239f4c8a1d73c736c9cc712807

  • SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

  • SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

  • SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

  • SSDEEP

    1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638
Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    uwumonster.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 30 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    "C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3452
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4444
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4728
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1608
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2340
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:652
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4972
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:828
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:696
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1048
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1708
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2972
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2340
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:96
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3760
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3556
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2564
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3316
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3880
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:820
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4968
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4776
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3668
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:832
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3804
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1592
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4488
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1588
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

    Download Submit

  • C:\Users\Admin\AppData\Local\uwumonster.exe
    Filesize

    63KB

    MD5

    222c2d239f4c8a1d73c736c9cc712807

    SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

    SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

    SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

    Download Submit

  • memory/1768-0-0x00007FFFE5A23000-0x00007FFFE5A24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-1-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1768-6-0x00007FFFE5A20000-0x00007FFFE640C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1768-7-0x00007FFFE5A23000-0x00007FFFE5A24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-8-0x00007FFFE5A20000-0x00007FFFE640C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4444-11-0x00007FFFE5A20000-0x00007FFFE640C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4444-13-0x00007FFFE5A20000-0x00007FFFE640C000-memory.dmp

    Filesize

    9.9MB

    Download