xworm | e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Resubmissions

02/05/2024, 02:59

240502-dg26eshb97 10

02/05/2024, 02:36

240502-c3k9csef7t 10

Analysis

max time kernel
299s
max time network
300s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm bootkit persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral17/memory/2856-1-0x0000000000A00000-0x0000000000A16000-memory.dmp	family_xworm
behavioral17/files/0x000d00000001232e-8.dat	family_xworm
behavioral17/memory/2540-10-0x0000000000820000-0x0000000000836000-memory.dmp	family_xworm
behavioral17/memory/1072-14-0x00000000011A0000-0x00000000011B6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Executes dropped EXE 19 IoCs

pid	Process
2540	uwumonster.exe
1072	uwumonster.exe
488	uwumonster.exe
2168	uwumonster.exe
1728	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2004	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
1936	lxipwh.exe
2316	uwumonster.exe
2580	nvdxqz.exe
2516	nvdxqz.exe
2756	nvdxqz.exe
2644	nvdxqz.exe
1200	nvdxqz.exe
3036	nvdxqz.exe
292	nvdxqz.exe

Loads dropped DLL 14 IoCs

pid	Process
1728	lxipwh.exe
1728	lxipwh.exe
1728	lxipwh.exe
1728	lxipwh.exe
1728	lxipwh.exe
1728	lxipwh.exe
1728	lxipwh.exe
2580	nvdxqz.exe
2580	nvdxqz.exe
2580	nvdxqz.exe
2580	nvdxqz.exe
2580	nvdxqz.exe
2580	nvdxqz.exe
2580	nvdxqz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lxipwh.exe
File opened for modification	\??\PhysicalDrive0	nvdxqz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2348	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3D268C1-0830-11EF-873B-52ADCDCA366E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	lxipwh.exe
2008	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2004	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2392	lxipwh.exe
2004	lxipwh.exe
2560	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2392	lxipwh.exe
2004	lxipwh.exe
2560	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2392	lxipwh.exe
2004	lxipwh.exe
2004	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
2392	lxipwh.exe
2004	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2004	lxipwh.exe
2560	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2004	lxipwh.exe
2392	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
2004	lxipwh.exe
2392	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe
2560	lxipwh.exe
2004	lxipwh.exe
2392	lxipwh.exe
2392	lxipwh.exe
2536	lxipwh.exe
2008	lxipwh.exe
2004	lxipwh.exe
2560	lxipwh.exe
2392	lxipwh.exe
2536	lxipwh.exe
2008	lxipwh.exe
2004	lxipwh.exe
2560	lxipwh.exe
2560	lxipwh.exe
2004	lxipwh.exe
2008	lxipwh.exe
2536	lxipwh.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2540	uwumonster.exe
Token: SeDebugPrivilege	1072	uwumonster.exe
Token: SeDebugPrivilege	488	uwumonster.exe
Token: SeDebugPrivilege	2168	uwumonster.exe
Token: SeDebugPrivilege	2316	uwumonster.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2728	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2728	iexplore.exe
2728	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2348	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2856 wrote to memory of 2348	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2856 wrote to memory of 2348	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2208 wrote to memory of 2540	2208	taskeng.exe	32
PID 2208 wrote to memory of 2540	2208	taskeng.exe	32
PID 2208 wrote to memory of 2540	2208	taskeng.exe	32
PID 2208 wrote to memory of 1072	2208	taskeng.exe	35
PID 2208 wrote to memory of 1072	2208	taskeng.exe	35
PID 2208 wrote to memory of 1072	2208	taskeng.exe	35
PID 2208 wrote to memory of 488	2208	taskeng.exe	36
PID 2208 wrote to memory of 488	2208	taskeng.exe	36
PID 2208 wrote to memory of 488	2208	taskeng.exe	36
PID 2208 wrote to memory of 2168	2208	taskeng.exe	37
PID 2208 wrote to memory of 2168	2208	taskeng.exe	37
PID 2208 wrote to memory of 2168	2208	taskeng.exe	37
PID 2856 wrote to memory of 1728	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2856 wrote to memory of 1728	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2856 wrote to memory of 1728	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2856 wrote to memory of 1728	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 1728 wrote to memory of 2392	1728	lxipwh.exe	39
PID 1728 wrote to memory of 2392	1728	lxipwh.exe	39
PID 1728 wrote to memory of 2392	1728	lxipwh.exe	39
PID 1728 wrote to memory of 2392	1728	lxipwh.exe	39
PID 1728 wrote to memory of 2008	1728	lxipwh.exe	40
PID 1728 wrote to memory of 2008	1728	lxipwh.exe	40
PID 1728 wrote to memory of 2008	1728	lxipwh.exe	40
PID 1728 wrote to memory of 2008	1728	lxipwh.exe	40
PID 1728 wrote to memory of 2004	1728	lxipwh.exe	41
PID 1728 wrote to memory of 2004	1728	lxipwh.exe	41
PID 1728 wrote to memory of 2004	1728	lxipwh.exe	41
PID 1728 wrote to memory of 2004	1728	lxipwh.exe	41
PID 1728 wrote to memory of 2536	1728	lxipwh.exe	42
PID 1728 wrote to memory of 2536	1728	lxipwh.exe	42
PID 1728 wrote to memory of 2536	1728	lxipwh.exe	42
PID 1728 wrote to memory of 2536	1728	lxipwh.exe	42
PID 1728 wrote to memory of 2560	1728	lxipwh.exe	43
PID 1728 wrote to memory of 2560	1728	lxipwh.exe	43
PID 1728 wrote to memory of 2560	1728	lxipwh.exe	43
PID 1728 wrote to memory of 2560	1728	lxipwh.exe	43
PID 1728 wrote to memory of 1936	1728	lxipwh.exe	44
PID 1728 wrote to memory of 1936	1728	lxipwh.exe	44
PID 1728 wrote to memory of 1936	1728	lxipwh.exe	44
PID 1728 wrote to memory of 1936	1728	lxipwh.exe	44
PID 1936 wrote to memory of 2292	1936	lxipwh.exe	45
PID 1936 wrote to memory of 2292	1936	lxipwh.exe	45
PID 1936 wrote to memory of 2292	1936	lxipwh.exe	45
PID 1936 wrote to memory of 2292	1936	lxipwh.exe	45
PID 2208 wrote to memory of 2316	2208	taskeng.exe	46
PID 2208 wrote to memory of 2316	2208	taskeng.exe	46
PID 2208 wrote to memory of 2316	2208	taskeng.exe	46
PID 2856 wrote to memory of 2580	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2856 wrote to memory of 2580	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2856 wrote to memory of 2580	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2856 wrote to memory of 2580	2856	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2580 wrote to memory of 2516	2580	nvdxqz.exe	48
PID 2580 wrote to memory of 2516	2580	nvdxqz.exe	48
PID 2580 wrote to memory of 2516	2580	nvdxqz.exe	48
PID 2580 wrote to memory of 2516	2580	nvdxqz.exe	48
PID 2580 wrote to memory of 2756	2580	nvdxqz.exe	49
PID 2580 wrote to memory of 2756	2580	nvdxqz.exe	49
PID 2580 wrote to memory of 2756	2580	nvdxqz.exe	49
PID 2580 wrote to memory of 2756	2580	nvdxqz.exe	49
PID 2580 wrote to memory of 2644	2580	nvdxqz.exe	50
PID 2580 wrote to memory of 2644	2580	nvdxqz.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
  "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\lxipwh.exe
    "C:\Users\Admin\AppData\Local\Temp\lxipwh.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+get+money
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2728
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2652
- C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
  "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe
    "C:\Users\Admin\AppData\Local\Temp\nvdxqz.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:292
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:3068

C:\Windows\system32\taskeng.exe
taskeng.exe {6CAEF571-FE87-442C-887F-508A73D14E87} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:488
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68e4d47f7c9bf38e1bd0c9cb331232fa

SHA1
c2464b095699852be60a04f113c68411b6df0ad5

SHA256
0782e4a5b91efe302c5d9c2268bbf0175e345ebb313331ea2b6dc1c948212079

SHA512
2569100ecaf38f9bd7f5958fab278d2f0a1cf1353d35fc722bea6efca1576b7701254dba480e75d7406b2bcddd681464d8d3d9ee2443cbed14ed0ceed7da1a24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b110b57e233e91dadc2811b4a9b9660

SHA1
872a41533d687791f0ff5e1cc2db4f02ef4e08b5

SHA256
25b9c8010d9b9958b265d8e7b71caf13a6560fbc4e18fdbd242bc34c26075386

SHA512
acbdbb26487a7ef42f611bef4fa44af6e30b300c6d46407848c55ecbf3f0a89c6c4a721cace0c7caeb501edf7bae8a00e6ad0c64c1fd500862262c5347daf0e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e420238ffbf2d6fd3b560dc0ab48420

SHA1
6edaa3dee823825ea352a2881db193f525e95435

SHA256
320302eaa060cbb3ed19cda926f3b42f963ed0ab4e8d27c36896f2b3f3e03547

SHA512
42e4825cd8de6a55ba54d33933644dbef6a475a4cb251a3dce3033fe3e1548887f184ddfc8072719e5104f7008caaa766bb62c3ce1a896e72fccd7ee176a3a17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e26ea495f555293094de36000bf39868

SHA1
179feae72f5d2eb78b670d63b34457ecd32c3fa3

SHA256
53cea4b6ab5f9f4fad4d79025acef643beb770b01c2246d7af61353e41817fa5

SHA512
4129a9c00c4bfbfdd3154a2c1a11723372e44c5580c89e5c1e4e8d3047802b3bfb1b070f8901226f3e15498fb1394dfe0c5ab5e02f6da5551ab4ae79e75bef0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

Filesize
5KB

MD5
3f3861ed6a387c89d0d312ceb223413e

SHA1
49c465a14fed5256023dc835b34266c603292cab

SHA256
3e6e2ca81db10d5aac4aef7c8d480d21673f35e41538880eb69f4b96c1ca1138

SHA512
6900e002c8d52b456e2234dd48ac536fc13bd52ca3b480611f4ef77097bd7352c023789aad8ed21a3559da622a185a9f73317fa875006d6a4589655f3c00c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\styles__ltr[1].css

Filesize
55KB

MD5
2c00b9f417b688224937053cd0c284a5

SHA1
17b4c18ebc129055dd25f214c3f11e03e9df2d82

SHA256
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

SHA512
8dc644d4c8e6da600c751975ac4a9e620e26179167a4021ddb1da81b452ecf420e459dd1c23d1f2e177685b4e1006dbc5c8736024c447d0ff65f75838a785f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\recaptcha__en[1].js

Filesize
505KB

MD5
e2e79d6b927169d9e0e57e3baecc0993

SHA1
1299473950b2999ba0b7f39bd5e4a60eafd1819d

SHA256
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

SHA512
d6a2ed7b19e54d1447ee9bbc684af7101b48086945a938a5f9b6ae74ace30b9a98ca83d3183814dd3cc40f251ab6433dc7f8b425f313ea9557b83e1c2e035dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA843.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA845.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA992.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxipwh.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1072-14-0x00000000011A0000-0x00000000011B6000-memory.dmp

Filesize
88KB

Download
memory/2540-10-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2856-11-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/2856-6-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-1-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download