Analysis Overview
SHA256
e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Threat Level: Known bad
The file a ton of ya.zip was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Drops startup file
Deletes itself
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:45
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:15
Platform
win10v2004-20240426-en
Max time kernel
1193s
Max time network
1183s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4592 wrote to memory of 5884 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4592 wrote to memory of 5884 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/4592-0-0x0000000000750000-0x0000000000766000-memory.dmp
memory/4592-1-0x00007FFBE3AE3000-0x00007FFBE3AE5000-memory.dmp
memory/4592-6-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp
memory/4592-7-0x00007FFBE3AE3000-0x00007FFBE3AE5000-memory.dmp
memory/4592-8-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/5704-12-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp
memory/5704-14-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:21
Platform
win7-20240221-en
Max time kernel
1199s
Max time network
1200s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4F459FD3-E645-491D-AF04-3365000B0585} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/1948-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp
memory/1948-1-0x0000000000080000-0x0000000000096000-memory.dmp
memory/1948-6-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
memory/1948-7-0x000007FEF5433000-0x000007FEF5434000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2444-11-0x00000000011C0000-0x00000000011D6000-memory.dmp
memory/1948-12-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
memory/2748-18-0x00000000000D0000-0x00000000000E6000-memory.dmp
memory/1708-20-0x0000000000250000-0x0000000000266000-memory.dmp
memory/2272-22-0x0000000000050000-0x0000000000066000-memory.dmp
memory/2812-24-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/2580-26-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/1516-28-0x0000000000D60000-0x0000000000D76000-memory.dmp
memory/932-31-0x00000000000A0000-0x00000000000B6000-memory.dmp
memory/1744-33-0x00000000011E0000-0x00000000011F6000-memory.dmp
memory/1644-37-0x0000000001230000-0x0000000001246000-memory.dmp
memory/1512-39-0x00000000013B0000-0x00000000013C6000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:21
Platform
win10v2004-20240226-en
Max time kernel
1194s
Max time network
1203s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1620 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/1620-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/1620-1-0x0000000000D60000-0x0000000000D76000-memory.dmp
memory/1620-6-0x00007FF984460000-0x00007FF984F21000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/5056-9-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/5056-11-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/1620-12-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/1620-13-0x00007FF984460000-0x00007FF984F21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:27
Platform
win10v2004-20240426-en
Max time kernel
1191s
Max time network
1173s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1608 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp |
Files
memory/1608-1-0x00007FFFEF2C3000-0x00007FFFEF2C5000-memory.dmp
memory/1608-0-0x0000000000470000-0x0000000000486000-memory.dmp
memory/1608-6-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/792-9-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp
memory/1608-10-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp
memory/792-12-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:11
Platform
win10v2004-20240508-en
Max time kernel
455s
Max time network
1178s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
memory/1940-0-0x00000000002B0000-0x00000000002C6000-memory.dmp
memory/1940-1-0x00007FF816413000-0x00007FF816415000-memory.dmp
memory/1940-6-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
memory/1940-7-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
memory/1940-14-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.bat
| MD5 | c18b5cb8606605d4bc37e7f5fd64eab7 |
| SHA1 | 9b8636830386ebe79ff6ee9701f4e1f86d65da49 |
| SHA256 | d18a9b4e9e242c92a132c59cb0d0516a741cfc52490d2dc590b5d83ccab043b4 |
| SHA512 | aa8f4e877c4900f25d27ccc1e5ca358b6bf5854bc8d404caf6df832dc5aeb882bdcea930cd8557d91c8f839dfc916c829edfb1f2721171960044dd0f842288c7 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:11
Platform
win7-20240221-en
Max time kernel
1181s
Max time network
1191s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {40704481-771F-4052-8D16-844B2783497F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2272-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp
memory/2272-1-0x00000000008D0000-0x00000000008E6000-memory.dmp
memory/2272-6-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1724-10-0x00000000013D0000-0x00000000013E6000-memory.dmp
memory/2272-11-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp
memory/2272-12-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp
memory/1472-17-0x0000000000030000-0x0000000000046000-memory.dmp
memory/2876-19-0x0000000000AA0000-0x0000000000AB6000-memory.dmp
memory/2668-21-0x0000000001270000-0x0000000001286000-memory.dmp
memory/2652-23-0x0000000000320000-0x0000000000336000-memory.dmp
memory/2732-25-0x0000000000850000-0x0000000000866000-memory.dmp
memory/2916-27-0x00000000009F0000-0x0000000000A06000-memory.dmp
memory/2860-29-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/2440-31-0x0000000000010000-0x0000000000026000-memory.dmp
memory/1600-33-0x0000000000E70000-0x0000000000E86000-memory.dmp
memory/2716-35-0x00000000000E0000-0x00000000000F6000-memory.dmp
memory/2916-37-0x0000000001140000-0x0000000001156000-memory.dmp
memory/2860-39-0x0000000000340000-0x0000000000356000-memory.dmp
memory/1556-41-0x0000000000C50000-0x0000000000C66000-memory.dmp
memory/344-43-0x00000000001B0000-0x00000000001C6000-memory.dmp
memory/1732-45-0x0000000000130000-0x0000000000146000-memory.dmp
memory/1696-47-0x00000000012E0000-0x00000000012F6000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:16
Platform
win10v2004-20240426-en
Max time kernel
1184s
Max time network
1193s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1716 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1716 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/1716-0-0x00007FFF52843000-0x00007FFF52845000-memory.dmp
memory/1716-1-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/1716-6-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4664-9-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
memory/4664-11-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
memory/1716-12-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:28
Platform
win7-20240221-en
Max time kernel
1194s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E9DB5B76-3953-4F61-BEAA-6DF4A82AD212} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2956-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
memory/2956-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp
memory/2956-6-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/2956-7-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2476-11-0x0000000001080000-0x0000000001096000-memory.dmp
memory/2956-12-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/2344-15-0x0000000000270000-0x0000000000286000-memory.dmp
memory/536-17-0x0000000000B30000-0x0000000000B46000-memory.dmp
memory/2192-19-0x0000000001340000-0x0000000001356000-memory.dmp
memory/1588-27-0x0000000000290000-0x00000000002A6000-memory.dmp
memory/2432-29-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2196-31-0x0000000000280000-0x0000000000296000-memory.dmp
memory/2828-33-0x0000000000070000-0x0000000000086000-memory.dmp
memory/1128-35-0x00000000013C0000-0x00000000013D6000-memory.dmp
memory/2808-40-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/1848-42-0x0000000000090000-0x00000000000A6000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:13
Platform
win10v2004-20240508-en
Max time kernel
1195s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3112 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3112 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4704,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/3112-0-0x00007FF82A1E3000-0x00007FF82A1E5000-memory.dmp
memory/3112-1-0x0000000000D20000-0x0000000000D36000-memory.dmp
memory/3112-6-0x00007FF82A1E0000-0x00007FF82ACA1000-memory.dmp
memory/3112-7-0x00007FF82A1E3000-0x00007FF82A1E5000-memory.dmp
memory/3112-8-0x00007FF82A1E0000-0x00007FF82ACA1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2772-11-0x00007FF82A1E0000-0x00007FF82ACA1000-memory.dmp
memory/2772-13-0x00007FF82A1E0000-0x00007FF82ACA1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:14
Platform
win7-20240220-en
Max time kernel
1178s
Max time network
1187s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {D6F45FAF-4ADB-4DBE-B237-A2FD0387BAE2} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2088-0-0x000007FEF5383000-0x000007FEF5384000-memory.dmp
memory/2088-1-0x0000000000B10000-0x0000000000B26000-memory.dmp
memory/2088-6-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp
memory/2088-7-0x000007FEF5383000-0x000007FEF5384000-memory.dmp
memory/2088-8-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2336-13-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/2108-15-0x0000000000CA0000-0x0000000000CB6000-memory.dmp
memory/2896-17-0x0000000001010000-0x0000000001026000-memory.dmp
memory/1676-21-0x0000000001060000-0x0000000001076000-memory.dmp
memory/1688-24-0x00000000012B0000-0x00000000012C6000-memory.dmp
memory/1988-26-0x00000000000E0000-0x00000000000F6000-memory.dmp
memory/1972-28-0x0000000000C10000-0x0000000000C26000-memory.dmp
memory/2128-31-0x0000000001330000-0x0000000001346000-memory.dmp
memory/1864-36-0x0000000000080000-0x0000000000096000-memory.dmp
memory/380-38-0x0000000000300000-0x0000000000316000-memory.dmp
memory/1200-40-0x0000000000E70000-0x0000000000E86000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:15
Platform
win7-20240508-en
Max time kernel
1183s
Max time network
1192s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {40782371-4569-44D4-8787-F75677237452} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2824-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp
memory/2824-1-0x0000000000150000-0x0000000000166000-memory.dmp
memory/2824-6-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2824-7-0x000007FEF5623000-0x000007FEF5624000-memory.dmp
memory/2824-8-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2952-12-0x00000000011B0000-0x00000000011C6000-memory.dmp
memory/952-17-0x00000000003A0000-0x00000000003B6000-memory.dmp
memory/2200-19-0x0000000000D40000-0x0000000000D56000-memory.dmp
memory/2532-21-0x00000000012C0000-0x00000000012D6000-memory.dmp
memory/1196-23-0x00000000013B0000-0x00000000013C6000-memory.dmp
memory/2076-26-0x00000000001C0000-0x00000000001D6000-memory.dmp
memory/2332-28-0x0000000000360000-0x0000000000376000-memory.dmp
memory/1868-30-0x0000000000100000-0x0000000000116000-memory.dmp
memory/1944-32-0x0000000000EE0000-0x0000000000EF6000-memory.dmp
memory/376-34-0x00000000002C0000-0x00000000002D6000-memory.dmp
memory/2220-36-0x0000000001290000-0x00000000012A6000-memory.dmp
memory/1804-41-0x0000000000200000-0x0000000000216000-memory.dmp
memory/2084-43-0x0000000000FE0000-0x0000000000FF6000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:15
Platform
win10v2004-20240508-en
Max time kernel
1191s
Max time network
1192s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 692 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 692 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/692-0-0x00007FF96E2F3000-0x00007FF96E2F5000-memory.dmp
memory/692-1-0x0000000000130000-0x0000000000146000-memory.dmp
memory/692-6-0x00007FF96E2F0000-0x00007FF96EDB1000-memory.dmp
memory/692-7-0x000000001B7B0000-0x000000001B7D7000-memory.dmp
memory/692-8-0x000000001B7E0000-0x000000001B80B000-memory.dmp
memory/692-11-0x00007FF96E2F0000-0x00007FF96EDB1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/552-18-0x00007FF96E2F0000-0x00007FF96EDB1000-memory.dmp
memory/552-20-0x00007FF96E2F0000-0x00007FF96EDB1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:25
Platform
win7-20240419-en
Max time kernel
1193s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {A8A73F73-ED16-453E-984C-BF21B330ED2B} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/3020-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp
memory/3020-1-0x0000000000120000-0x0000000000136000-memory.dmp
memory/3020-6-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2832-10-0x0000000000A50000-0x0000000000A66000-memory.dmp
memory/3020-11-0x000007FEF5293000-0x000007FEF5294000-memory.dmp
memory/3020-12-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp
memory/540-16-0x0000000000EA0000-0x0000000000EB6000-memory.dmp
memory/2496-19-0x0000000001290000-0x00000000012A6000-memory.dmp
memory/1428-31-0x0000000000270000-0x0000000000286000-memory.dmp
memory/1532-33-0x0000000000180000-0x0000000000196000-memory.dmp
memory/1772-35-0x00000000009E0000-0x00000000009F6000-memory.dmp
memory/108-37-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/840-39-0x0000000000A20000-0x0000000000A36000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:10
Platform
win7-20240215-en
Max time kernel
835s
Max time network
836s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {C48E9E42-4168-49EA-A91C-1C4ABA2A310C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp190C.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp |
Files
memory/2328-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp
memory/2328-1-0x0000000000C90000-0x0000000000CA6000-memory.dmp
memory/2328-6-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp
memory/2328-7-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2628-11-0x0000000001330000-0x0000000001346000-memory.dmp
memory/2328-12-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp190C.tmp.bat
| MD5 | 6d2a1d0590cb9f51360dec08d25d89a4 |
| SHA1 | 622633bf0cb59eeb332b5bc7ac277d32212bb042 |
| SHA256 | 94a6893e24452fa9cfff00d4c311cb3880b23ff692f733f40aaca4248b225108 |
| SHA512 | fbe28c1454d68eea93540d0891d66d14262009e626a2213dd2287cdcc07cf2a1f84757b2746d88436bacfc256be5a7dbdf80b561b1c207edfced8bb0f2f27bf6 |
memory/2328-24-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:16
Platform
win7-20231129-en
Max time kernel
1172s
Max time network
1182s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {AD39C9F5-A13B-4B50-8E38-48766AE8D54D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2368-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp
memory/2368-1-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
memory/2368-6-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp
memory/2368-7-0x000007FEF5593000-0x000007FEF5594000-memory.dmp
memory/2368-8-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2452-12-0x0000000000BA0000-0x0000000000BB6000-memory.dmp
memory/1980-15-0x0000000000380000-0x0000000000396000-memory.dmp
memory/1964-17-0x0000000000940000-0x0000000000956000-memory.dmp
memory/1988-19-0x0000000000350000-0x0000000000366000-memory.dmp
memory/2968-21-0x0000000000A70000-0x0000000000A86000-memory.dmp
memory/2140-23-0x0000000000F90000-0x0000000000FA6000-memory.dmp
memory/2788-25-0x00000000013A0000-0x00000000013B6000-memory.dmp
memory/1484-27-0x00000000013B0000-0x00000000013C6000-memory.dmp
memory/1712-37-0x0000000000020000-0x0000000000036000-memory.dmp
memory/2420-39-0x00000000011A0000-0x00000000011B6000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:22
Platform
win7-20231129-en
Max time kernel
1197s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {ABC80DB1-28FF-41F6-8CA4-5E9377C44323} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/3048-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp
memory/3048-1-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/3048-6-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
memory/3048-7-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp
memory/3048-8-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1676-13-0x00000000002C0000-0x00000000002D6000-memory.dmp
memory/1072-15-0x0000000001230000-0x0000000001246000-memory.dmp
memory/2324-19-0x0000000001350000-0x0000000001366000-memory.dmp
memory/3052-23-0x00000000002B0000-0x00000000002C6000-memory.dmp
memory/2560-25-0x0000000000230000-0x0000000000246000-memory.dmp
memory/2208-27-0x00000000008E0000-0x00000000008F6000-memory.dmp
memory/2668-29-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
memory/636-31-0x0000000000360000-0x0000000000376000-memory.dmp
memory/2336-33-0x0000000000F40000-0x0000000000F56000-memory.dmp
memory/1584-35-0x00000000012C0000-0x00000000012D6000-memory.dmp
memory/1724-38-0x0000000000280000-0x0000000000296000-memory.dmp
memory/2172-40-0x0000000001140000-0x0000000001156000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:23
Platform
win10v2004-20240508-en
Max time kernel
1198s
Max time network
1186s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 452 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 452 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/452-0-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp
memory/452-1-0x0000000000490000-0x00000000004A6000-memory.dmp
memory/452-6-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp
memory/452-7-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp
memory/452-8-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4588-11-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp
memory/4588-13-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:26
Platform
win10v2004-20240508-en
Max time kernel
1183s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4220 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4220 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/4220-0-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmp
memory/4220-1-0x00000000004B0000-0x00000000004C6000-memory.dmp
memory/4220-6-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2152-9-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp
memory/4220-10-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp
memory/2152-12-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:27
Platform
win7-20240508-en
Max time kernel
1185s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {62713848-B2D6-4EAC-A610-A2A679A37DCE} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/2976-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp
memory/2976-1-0x0000000000920000-0x0000000000936000-memory.dmp
memory/2976-6-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2976-7-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp
memory/2976-8-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2952-12-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2008-15-0x0000000000F30000-0x0000000000F46000-memory.dmp
memory/2416-17-0x0000000001190000-0x00000000011A6000-memory.dmp
memory/1216-21-0x0000000001370000-0x0000000001386000-memory.dmp
memory/2252-27-0x00000000013E0000-0x00000000013F6000-memory.dmp
memory/1540-34-0x00000000000E0000-0x00000000000F6000-memory.dmp
memory/2784-36-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
memory/2236-39-0x0000000000D20000-0x0000000000D36000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:30
Platform
win10v2004-20240508-en
Max time kernel
1186s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1276 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/1276-0-0x00007FFDCF893000-0x00007FFDCF895000-memory.dmp
memory/1276-1-0x0000000000050000-0x0000000000066000-memory.dmp
memory/1276-6-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4896-9-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp
memory/4896-11-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp
memory/1276-12-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:15
Platform
win7-20240221-en
Max time kernel
1184s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {988D57BF-9417-4603-9857-09B98F1D2144} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2336-0-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp
memory/2336-1-0x00000000000A0000-0x00000000000B6000-memory.dmp
memory/2336-6-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp
memory/2336-7-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp
memory/2336-8-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2616-13-0x00000000008E0000-0x00000000008F6000-memory.dmp
memory/2920-15-0x00000000009D0000-0x00000000009E6000-memory.dmp
memory/796-17-0x0000000000210000-0x0000000000226000-memory.dmp
memory/2124-19-0x00000000009E0000-0x00000000009F6000-memory.dmp
memory/268-21-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/1272-23-0x0000000000270000-0x0000000000286000-memory.dmp
memory/2968-25-0x0000000001360000-0x0000000001376000-memory.dmp
memory/1404-31-0x00000000002F0000-0x0000000000306000-memory.dmp
memory/808-33-0x0000000000F10000-0x0000000000F26000-memory.dmp
memory/2172-35-0x0000000001010000-0x0000000001026000-memory.dmp
memory/1708-37-0x00000000001B0000-0x00000000001C6000-memory.dmp
memory/2860-39-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/3012-41-0x0000000001310000-0x0000000001326000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:24
Platform
win7-20240221-en
Max time kernel
1199s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {F06742FF-F007-49D4-8BE9-D462E7564B1C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/2096-0-0x000007FEF5603000-0x000007FEF5604000-memory.dmp
memory/2096-1-0x0000000001240000-0x0000000001256000-memory.dmp
memory/2096-6-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp
memory/2096-7-0x000007FEF5603000-0x000007FEF5604000-memory.dmp
memory/2096-8-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2444-12-0x0000000000180000-0x0000000000196000-memory.dmp
memory/2196-15-0x0000000000AC0000-0x0000000000AD6000-memory.dmp
memory/1984-17-0x0000000001040000-0x0000000001056000-memory.dmp
memory/2828-19-0x00000000000D0000-0x00000000000E6000-memory.dmp
memory/988-21-0x0000000000E90000-0x0000000000EA6000-memory.dmp
memory/384-24-0x00000000013D0000-0x00000000013E6000-memory.dmp
memory/3068-26-0x00000000001A0000-0x00000000001B6000-memory.dmp
memory/2104-28-0x0000000001120000-0x0000000001136000-memory.dmp
memory/1624-31-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/628-33-0x0000000000DA0000-0x0000000000DB6000-memory.dmp
memory/484-35-0x00000000010B0000-0x00000000010C6000-memory.dmp
memory/2660-40-0x00000000002D0000-0x00000000002E6000-memory.dmp
memory/1648-42-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/2796-44-0x0000000000E80000-0x0000000000E96000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:25
Platform
win7-20240221-en
Max time kernel
1183s
Max time network
1188s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {6C3307CB-478F-4039-88C7-64349F75E996} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/1308-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp
memory/1308-1-0x0000000001170000-0x0000000001186000-memory.dmp
memory/1308-6-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/1308-7-0x000007FEF5313000-0x000007FEF5314000-memory.dmp
memory/1308-8-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1552-12-0x0000000000FE0000-0x0000000000FF6000-memory.dmp
memory/1596-17-0x00000000012F0000-0x0000000001306000-memory.dmp
memory/1812-26-0x00000000003D0000-0x00000000003E6000-memory.dmp
memory/2492-28-0x00000000010B0000-0x00000000010C6000-memory.dmp
memory/2136-30-0x00000000011E0000-0x00000000011F6000-memory.dmp
memory/2984-32-0x0000000001260000-0x0000000001276000-memory.dmp
memory/2316-36-0x0000000000100000-0x0000000000116000-memory.dmp
memory/2576-38-0x0000000000910000-0x0000000000926000-memory.dmp
memory/1412-40-0x0000000001220000-0x0000000001236000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:25
Platform
win10v2004-20240426-en
Max time kernel
1195s
Max time network
1201s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3476 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3476 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3476-0-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp
memory/3476-1-0x0000000000780000-0x0000000000796000-memory.dmp
memory/3476-6-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3476-9-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/1452-10-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/1452-12-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:26
Platform
win10v2004-20240508-en
Max time kernel
1195s
Max time network
1210s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2348 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3596,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4312,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2348-0-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp
memory/2348-1-0x0000000000E30000-0x0000000000E46000-memory.dmp
memory/2348-6-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/2348-7-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/536-10-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/536-12-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:14
Platform
win10v2004-20240426-en
Max time kernel
1193s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2720 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/2720-0-0x0000000000910000-0x0000000000926000-memory.dmp
memory/2720-1-0x00007FFD82A03000-0x00007FFD82A05000-memory.dmp
memory/2720-6-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp
memory/2720-7-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3400-10-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp
memory/3400-12-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:26
Platform
win7-20240221-en
Max time kernel
1196s
Max time network
1201s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FA601A1F-8EBA-4849-B05F-6162474C8C27} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2192-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp
memory/2192-1-0x0000000000D00000-0x0000000000D16000-memory.dmp
memory/2192-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2192-7-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp
memory/2192-8-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2916-12-0x0000000001380000-0x0000000001396000-memory.dmp
memory/656-16-0x00000000000E0000-0x00000000000F6000-memory.dmp
memory/2320-18-0x00000000013B0000-0x00000000013C6000-memory.dmp
memory/2800-21-0x0000000000130000-0x0000000000146000-memory.dmp
memory/1644-23-0x0000000000D10000-0x0000000000D26000-memory.dmp
memory/1704-25-0x0000000000D20000-0x0000000000D36000-memory.dmp
memory/1624-27-0x00000000001B0000-0x00000000001C6000-memory.dmp
memory/1652-29-0x0000000000D30000-0x0000000000D46000-memory.dmp
memory/2148-32-0x0000000001220000-0x0000000001236000-memory.dmp
memory/1212-36-0x00000000012F0000-0x0000000001306000-memory.dmp
memory/1028-39-0x0000000000290000-0x00000000002A6000-memory.dmp
memory/2152-41-0x0000000001130000-0x0000000001146000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:30
Platform
win10v2004-20240426-en
Max time kernel
1199s
Max time network
1187s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4048 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 147.185.221.19:23638 | tcp |
Files
memory/4048-0-0x00007FF91B483000-0x00007FF91B485000-memory.dmp
memory/4048-1-0x0000000000BF0000-0x0000000000C06000-memory.dmp
memory/4048-6-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp
memory/4048-7-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2444-10-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp
memory/2444-12-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:30
Platform
win7-20240220-en
Max time kernel
1193s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {D8A1A093-025C-44D9-A633-6778DAD6A178} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2088-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp
memory/2088-1-0x0000000000AE0000-0x0000000000AF6000-memory.dmp
memory/2088-6-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2624-10-0x0000000000FF0000-0x0000000001006000-memory.dmp
memory/2088-11-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp
memory/2088-12-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2080-19-0x0000000000160000-0x0000000000176000-memory.dmp
memory/1020-21-0x0000000001000000-0x0000000001016000-memory.dmp
memory/3028-24-0x0000000000030000-0x0000000000046000-memory.dmp
memory/2820-26-0x0000000001300000-0x0000000001316000-memory.dmp
memory/844-35-0x00000000002F0000-0x0000000000306000-memory.dmp
memory/2548-37-0x0000000000200000-0x0000000000216000-memory.dmp
memory/2968-39-0x0000000000E30000-0x0000000000E46000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:24
Platform
win10v2004-20240426-en
Max time kernel
1195s
Max time network
1200s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4048 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/4048-0-0x00007FFD98823000-0x00007FFD98825000-memory.dmp
memory/4048-1-0x0000000000700000-0x0000000000716000-memory.dmp
memory/4048-6-0x00007FFD98820000-0x00007FFD992E1000-memory.dmp
memory/4048-7-0x00007FFD98823000-0x00007FFD98825000-memory.dmp
memory/4048-8-0x00007FFD98820000-0x00007FFD992E1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2016-12-0x00007FFD98820000-0x00007FFD992E1000-memory.dmp
memory/2016-14-0x00007FFD98820000-0x00007FFD992E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:07
Platform
win7-20240221-en
Max time kernel
835s
Max time network
836s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {0DA5747F-BDC0-43F9-BCFC-F86A5AA81521} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DD4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2776-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp
memory/2776-1-0x0000000000A90000-0x0000000000AA6000-memory.dmp
memory/2776-6-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
memory/2776-7-0x000007FEF5843000-0x000007FEF5844000-memory.dmp
memory/2776-8-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1380-12-0x0000000001110000-0x0000000001126000-memory.dmp
memory/1880-17-0x00000000011E0000-0x00000000011F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2DD4.tmp.bat
| MD5 | e0bc631be86028bd54091fa15291bdc7 |
| SHA1 | 62a0a97ee18e48b3f81e5e92f25a540cee227194 |
| SHA256 | 3171be18aa7c5dfeadf9b74c37ec773fdb3ae4419d694ff79c0b59e8ff804439 |
| SHA512 | b7ea227c712cb67ce8d783faa8c2400a67a9cda1e3f94568e24ad2d57bccb3222ec27650e574ffa086d0281f62f4d02493a50a5600e3eb05419b7a0c3107d7d9 |
memory/2776-28-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:45
Reported
2024-06-01 08:10
Platform
win10v2004-20240426-en
Max time kernel
454s
Max time network
1178s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp845E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/1040-0-0x00007FF9335B3000-0x00007FF9335B5000-memory.dmp
memory/1040-1-0x0000000000540000-0x0000000000556000-memory.dmp
memory/1040-6-0x00007FF9335B0000-0x00007FF934071000-memory.dmp
memory/1040-7-0x00007FF9335B3000-0x00007FF9335B5000-memory.dmp
memory/1040-8-0x00007FF9335B0000-0x00007FF934071000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4812-11-0x00007FF9335B0000-0x00007FF934071000-memory.dmp
memory/4812-13-0x00007FF9335B0000-0x00007FF934071000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp845E.tmp.bat
| MD5 | c2838724695917f9531c99ce14ffe23c |
| SHA1 | 8df64f26a9a5b2d7838668162998773afa64cd67 |
| SHA256 | e4a4803a1754fc041efb08e2b07921ba350cba979b519905e267a10ab03240d9 |
| SHA512 | 30b86b40988dee6784a56d038a178f5fe1a64a28133203eb9a51179b9aea6e30c38214d3ce4fad4ce071d83349298bdbd207088d0c0e1a79f3ea575f125ce5bd |
memory/1040-21-0x00007FF9335B0000-0x00007FF934071000-memory.dmp