xworm | e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Resubmissions

02/05/2024, 02:59

240502-dg26eshb97 10

02/05/2024, 02:36

240502-c3k9csef7t 10

Analysis

max time kernel
295s
max time network
300s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm bootkit persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral29/memory/2312-1-0x00000000009A0000-0x00000000009B6000-memory.dmp	family_xworm
behavioral29/files/0x000c000000015cbd-9.dat	family_xworm
behavioral29/memory/2948-11-0x0000000000F30000-0x0000000000F46000-memory.dmp	family_xworm
behavioral29/memory/1500-15-0x00000000001B0000-0x00000000001C6000-memory.dmp	family_xworm
behavioral29/memory/2796-17-0x0000000000AD0000-0x0000000000AE6000-memory.dmp	family_xworm
behavioral29/memory/1596-19-0x00000000000B0000-0x00000000000C6000-memory.dmp	family_xworm
behavioral29/memory/2632-45-0x0000000000190000-0x00000000001A6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Executes dropped EXE 19 IoCs

pid	Process
2948	uwumonster.exe
1500	uwumonster.exe
2796	uwumonster.exe
1596	uwumonster.exe
1672	xfsfwi.exe
2512	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2592	xfsfwi.exe
2560	xfsfwi.exe
2684	xfsfwi.exe
2632	uwumonster.exe
2892	imxdha.exe
2888	imxdha.exe
2920	imxdha.exe
1624	imxdha.exe
1724	imxdha.exe
300	imxdha.exe
2776	imxdha.exe

Loads dropped DLL 14 IoCs

pid	Process
1672	xfsfwi.exe
1672	xfsfwi.exe
1672	xfsfwi.exe
1672	xfsfwi.exe
1672	xfsfwi.exe
1672	xfsfwi.exe
1672	xfsfwi.exe
2892	imxdha.exe
2892	imxdha.exe
2892	imxdha.exe
2892	imxdha.exe
2892	imxdha.exe
2892	imxdha.exe
2892	imxdha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	xfsfwi.exe
File opened for modification	\??\PhysicalDrive0	imxdha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2984	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2A15B01-0830-11EF-B0F7-6EC840ECE01E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	xfsfwi.exe
2512	xfsfwi.exe
2512	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2592	xfsfwi.exe
2560	xfsfwi.exe
2512	xfsfwi.exe
2560	xfsfwi.exe
1916	xfsfwi.exe
2512	xfsfwi.exe
2592	xfsfwi.exe
2608	xfsfwi.exe
2592	xfsfwi.exe
2560	xfsfwi.exe
1916	xfsfwi.exe
2608	xfsfwi.exe
2512	xfsfwi.exe
2560	xfsfwi.exe
2592	xfsfwi.exe
1916	xfsfwi.exe
2608	xfsfwi.exe
2512	xfsfwi.exe
2592	xfsfwi.exe
2608	xfsfwi.exe
2560	xfsfwi.exe
1916	xfsfwi.exe
2512	xfsfwi.exe
1916	xfsfwi.exe
2512	xfsfwi.exe
2592	xfsfwi.exe
2560	xfsfwi.exe
2608	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2592	xfsfwi.exe
2512	xfsfwi.exe
2560	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2592	xfsfwi.exe
2512	xfsfwi.exe
2560	xfsfwi.exe
2608	xfsfwi.exe
2512	xfsfwi.exe
2592	xfsfwi.exe
1916	xfsfwi.exe
2560	xfsfwi.exe
2608	xfsfwi.exe
2560	xfsfwi.exe
2592	xfsfwi.exe
2512	xfsfwi.exe
1916	xfsfwi.exe
1916	xfsfwi.exe
2560	xfsfwi.exe
2608	xfsfwi.exe
2512	xfsfwi.exe
2592	xfsfwi.exe
2608	xfsfwi.exe
1916	xfsfwi.exe
2592	xfsfwi.exe
2560	xfsfwi.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2948	uwumonster.exe
Token: SeDebugPrivilege	1500	uwumonster.exe
Token: SeDebugPrivilege	2796	uwumonster.exe
Token: SeDebugPrivilege	1596	uwumonster.exe
Token: SeDebugPrivilege	2632	uwumonster.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2504	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2504	iexplore.exe
2504	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2984	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2312 wrote to memory of 2984	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2312 wrote to memory of 2984	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2436 wrote to memory of 2948	2436	taskeng.exe	32
PID 2436 wrote to memory of 2948	2436	taskeng.exe	32
PID 2436 wrote to memory of 2948	2436	taskeng.exe	32
PID 2436 wrote to memory of 1500	2436	taskeng.exe	35
PID 2436 wrote to memory of 1500	2436	taskeng.exe	35
PID 2436 wrote to memory of 1500	2436	taskeng.exe	35
PID 2436 wrote to memory of 2796	2436	taskeng.exe	36
PID 2436 wrote to memory of 2796	2436	taskeng.exe	36
PID 2436 wrote to memory of 2796	2436	taskeng.exe	36
PID 2436 wrote to memory of 1596	2436	taskeng.exe	37
PID 2436 wrote to memory of 1596	2436	taskeng.exe	37
PID 2436 wrote to memory of 1596	2436	taskeng.exe	37
PID 2312 wrote to memory of 1672	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2312 wrote to memory of 1672	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2312 wrote to memory of 1672	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2312 wrote to memory of 1672	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	38
PID 2684 wrote to memory of 2416	2684	xfsfwi.exe	45
PID 2684 wrote to memory of 2416	2684	xfsfwi.exe	45
PID 2684 wrote to memory of 2416	2684	xfsfwi.exe	45
PID 2684 wrote to memory of 2416	2684	xfsfwi.exe	45
PID 2436 wrote to memory of 2632	2436	taskeng.exe	46
PID 2436 wrote to memory of 2632	2436	taskeng.exe	46
PID 2436 wrote to memory of 2632	2436	taskeng.exe	46
PID 2312 wrote to memory of 2892	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2312 wrote to memory of 2892	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2312 wrote to memory of 2892	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2312 wrote to memory of 2892	2312	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	47
PID 2892 wrote to memory of 2888	2892	imxdha.exe	48
PID 2892 wrote to memory of 2888	2892	imxdha.exe	48
PID 2892 wrote to memory of 2888	2892	imxdha.exe	48
PID 2892 wrote to memory of 2888	2892	imxdha.exe	48
PID 2892 wrote to memory of 2920	2892	imxdha.exe	49
PID 2892 wrote to memory of 2920	2892	imxdha.exe	49
PID 2892 wrote to memory of 2920	2892	imxdha.exe	49
PID 2892 wrote to memory of 2920	2892	imxdha.exe	49
PID 2892 wrote to memory of 1624	2892	imxdha.exe	50
PID 2892 wrote to memory of 1624	2892	imxdha.exe	50
PID 2892 wrote to memory of 1624	2892	imxdha.exe	50
PID 2892 wrote to memory of 1624	2892	imxdha.exe	50
PID 2892 wrote to memory of 1724	2892	imxdha.exe	51
PID 2892 wrote to memory of 1724	2892	imxdha.exe	51
PID 2892 wrote to memory of 1724	2892	imxdha.exe	51
PID 2892 wrote to memory of 1724	2892	imxdha.exe	51
PID 2892 wrote to memory of 300	2892	imxdha.exe	52
PID 2892 wrote to memory of 300	2892	imxdha.exe	52
PID 2892 wrote to memory of 300	2892	imxdha.exe	52
PID 2892 wrote to memory of 300	2892	imxdha.exe	52
PID 2892 wrote to memory of 2776	2892	imxdha.exe	53
PID 2892 wrote to memory of 2776	2892	imxdha.exe	53
PID 2892 wrote to memory of 2776	2892	imxdha.exe	53
PID 2892 wrote to memory of 2776	2892	imxdha.exe	53
PID 2776 wrote to memory of 1036	2776	imxdha.exe	54
PID 2776 wrote to memory of 1036	2776	imxdha.exe	54
PID 2776 wrote to memory of 1036	2776	imxdha.exe	54
PID 2776 wrote to memory of 1036	2776	imxdha.exe	54
PID 2684 wrote to memory of 2504	2684	xfsfwi.exe	55
PID 2684 wrote to memory of 2504	2684	xfsfwi.exe	55
PID 2684 wrote to memory of 2504	2684	xfsfwi.exe	55
PID 2684 wrote to memory of 2504	2684	xfsfwi.exe	55
PID 2504 wrote to memory of 1704	2504	iexplore.exe	57
PID 2504 wrote to memory of 1704	2504	iexplore.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
  "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe
    "C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2416
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=virus.exe
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1704
- C:\Users\Admin\AppData\Local\Temp\imxdha.exe
  "C:\Users\Admin\AppData\Local\Temp\imxdha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\imxdha.exe
    "C:\Users\Admin\AppData\Local\Temp\imxdha.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1036

C:\Windows\system32\taskeng.exe
taskeng.exe {FF85F2E5-3ED1-48BB-899E-E8E8A7D14B7A} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8190b6df712050c1128c4495d9ad52a

SHA1
83096251684fb35f00f6da50f0d91b290318e817

SHA256
17ca2cf0157276ae10248d5d4fda8961e2dafbfcb2bbb5f3603260f2260c0ed5

SHA512
b633e2c05ea0512162cffd5adb0f233d099e7c7b31d30803ad5192719f5775d7520ee1a36b57fc2205756a4f21c85f2be518edb5115ceed5604bc5011da3f9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a71c2da8c19d1dbc041fad8cf72a7983

SHA1
50297648f0c8023221acc77a0afa997999007fd1

SHA256
e5abca3eccbed422b76a96d885e36974ee8376c0371fb02689b5cd6546e25b42

SHA512
81e5873f7f350780f6f8723789de744eececd450fd074018061debbee687f48a514a7128d6f5b1e17f1aa5e5065ccb9187d91ead7134486c7d051256433a1fc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45741dcfcdf95dae00d041bc9e5ebac0

SHA1
819311b41715e8f7ff5d72057a9d9b3a9375ebc3

SHA256
756788e60762cdcf220e02dd106ffadf7ca78a0389da6f52e0a179e5c323f5cb

SHA512
6fac278dbd380588efeaf1cd9f6c1b919790f0d6f07c92cd983874a0ba3e83226b638923a4e4ea47551698720d175f13ce0b9afece86709de13fcf53d0a534dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
090028e623907001f69665bac979d929

SHA1
b8efbca98cb202548f6c9351fbfdf02e9a6b0321

SHA256
60970506771ae9b40a55e850db1d0a51742dd2b2447fc04e31ca20e73613c56e

SHA512
e773e5d4e1947c62875b236817dbbdc3a0bf31385035712b37d2ef55f9258b43bd264b8786756553e657fa04b326e4660ee70f163177765e620a1afe7a817bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e74e49b1e46d0aeb11652ddfe42eca9

SHA1
2e1b5b1a56f79c3172e58d96ea961f728ee5dc8c

SHA256
d3c7d61134f443bbb1ef757e2c5e7b2c372c46833fc39b978d2bd0ac7244f54f

SHA512
c1d538276ae197dd68013f15b339150fd1ab7370afb91ed069a0cbd16b895d00f6cdf3034f06083aac7659144d862f71db558f35329f7e7f3f493c8421b9554a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07854a3647dd0eccb931f47a157921bc

SHA1
730ab1193a340c3b0712f967bfaa3013fcd68a8a

SHA256
6ceba4d417770adc1799c62c88a95b01f843b759326b16b37d06b2ecc03459f1

SHA512
0994b18c8e4c1b8ae7320cc94746e69b68a8141ffed6f0b7cfaa0221f45cf302e7ba9a9481d9fbc7e54a0f52615699a343a0cdcaa82c39529375d907727b09ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
672d46cc7108120d437a099721c8250e

SHA1
a10fed0a7b3531c217732cacf364ae4a321c75ab

SHA256
96462f23ee7a6aebdff492ae401cc45adfbc3d1dc048b0329fc7d0f97ffcd21c

SHA512
e00b40f88da147dd91b83f1e683a4ab373d9ada58adfdf10a4f864e650774533c9a0d5424dcd58b23533808d74f55f70020bad1039fdf6c993006b159fbee3d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d71b2a688ffe27ad01ad0f7f04013c9

SHA1
45fee9458b492e58c72ecd2220aa577846dbd45c

SHA256
ff1b4c50e15ad0eedd42fa9744bf1152b42227ecbec72371b7c3d2bceca6243d

SHA512
b9ea54c0aa4bb5809b26f90599100cff11cabc555fb249e169a65401e63612e80b6e431a0c724a77772126923e272a351765f88c9d1ec2bd30c8f8bfdfcc5707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85461ba49217a2c22882c35fb75c1c56

SHA1
f643c977c613e7ef24e4264ca10ba0f04b34324c

SHA256
da811bb93418a13113003c8d093005eef2fd04162ea601641a4130b641a87009

SHA512
e2e565012726358b83f2645cbbaeb91978ea2501196a541775acfba30bd9e31aca9bd796a9e4d76b82f2097a02fcb4b68708d3bc84046ad589782d70c9ff1feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
031317102b90436a8e309dc9e237bdbd

SHA1
abaf4bfc15c164285ceb56307d494c6d6d55c21e

SHA256
3b510de6301b99b5159d8290d86f5234a2af4d93f9dbafeb530334018087fcdb

SHA512
59b2835adf60b1e26fd278b7dd5cc9bafd419c80a23c8c9eb1e7c66297b51ccb3cdbb538a9f665f7e8f84c57b22e44c298bed281e310437c660f797ec01c2b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\4SWLLJVI\www.google[1].xml

Filesize
99B

MD5
c55e1ce8b7a4f3e54a1b4584b17084df

SHA1
59100d0652c554bcee1bc4f253bbd3787b313ac4

SHA256
b931710920b8be4215a9754609c44327c54383fded9b5be4cfb46aa3c9749304

SHA512
d23458dc1dafaf95dc1aa0147c62f28608e1e00f08316b771640d14360044f2e6a863e4b35c334dcb101a391cf730fd31d8d5ffe66c3b6b2e7c3f46c7398272d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92bocja\imagestore.dat

Filesize
5KB

MD5
9eb7ddbbc631f2208eb92dbfd0fd7d4c

SHA1
437a9f773db9879d932333d45ef1fd6534b67f6e

SHA256
583189263ee1fb8f04986280982ddfcf96db773582cc780fb40a99141e74c4b8

SHA512
c91f35df5e1707ae4f265be3a15dd2c6053d97ec006f997e008f052c9d3a8c8fea4990afdd91f10c2a6657e59d00d97a502afcf01e509a3d5ffb9208c7a949de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\673IEUYT\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\recaptcha__en[1].js

Filesize
505KB

MD5
e2e79d6b927169d9e0e57e3baecc0993

SHA1
1299473950b2999ba0b7f39bd5e4a60eafd1819d

SHA256
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

SHA512
d6a2ed7b19e54d1447ee9bbc684af7101b48086945a938a5f9b6ae74ace30b9a98ca83d3183814dd3cc40f251ab6433dc7f8b425f313ea9557b83e1c2e035dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IFGNZ1XG\styles__ltr[1].css

Filesize
55KB

MD5
2c00b9f417b688224937053cd0c284a5

SHA1
17b4c18ebc129055dd25f214c3f11e03e9df2d82

SHA256
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

SHA512
8dc644d4c8e6da600c751975ac4a9e620e26179167a4021ddb1da81b452ecf420e459dd1c23d1f2e177685b4e1006dbc5c8736024c447d0ff65f75838a785f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91F4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91F7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9316.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfsfwi.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1500-15-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/1596-19-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/2312-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2312-12-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-7-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-1-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2632-45-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2796-17-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/2948-11-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download