Malware Analysis Report

2024-11-16 13:42

Sample ID 240601-jlvj2aed5s
Target a ton of ya.zip
SHA256 e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order:
behavioral12, behavioral15, behavioral16, behavioral28, behavioral4, behavioral5, behavioral14, behavioral29, behavioral6, behavioral7, behavioral9, behavioral10, behavioral23, behavioral3, behavioral13, behavioral17, behavioral18, behavioral26, behavioral27, behavioral32, behavioral11, behavioral19, behavioral21, behavioral22, behavioral24, behavioral8, behavioral25, behavioral30, behavioral31, behavioral20, behavioral1, behavioral2

Analysis Overview

score
10/10

SHA256

e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Threat Level: Known bad

The file a ton of ya.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm family

Detect Xworm Payload

Xworm

Drops startup file

Deletes itself

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:45

Signatures

Detect Xworm Payload

Description Indicator Process Target
(32 matches; no description, indicator, process or target recorded for any of them)

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
(32 matches; no description, indicator, process or target recorded for any of them)

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:15

Platform

win10v2004-20240426-en

Max time kernel

1193s

Max time network

1183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (2 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (19 occurrences, one per uwumonster.exe process)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe
(19 instances over the run, each started with the bare path as its command line; the count matches a task firing once a minute across the 1193 s of kernel time)
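
The schtasks command line above, the Run value and the Startup .lnk are three independent persistence mechanisms that all point at the same dropped binary. As an added example (not part of the sandbox report), the script below parses schtasks /create command lines and Run-key set events the way a detection rule would and scores the traits a practitioner keys on: a one-minute repeat interval, /RL HIGHEST, /f, and an action path under a user-writable directory. The two malicious events in SAMPLE_EVENTS are copied from this analysis; the two benign events are constructed so the scorer has something to ignore.

```python
"""Score schtasks /create command lines and Run-key writes for the persistence
traits seen in this report.

Added example; not part of the sandbox report. The first two SAMPLE_EVENTS are
copied from behavioral12 above, the other two are constructed benign look-alikes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_EVENTS = [
    # copied from the report: the dropper's scheduled task ...
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"',
    # ... and its Run value (the sandbox escapes backslashes in the value data)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"',
    # constructed benign events: a daily task and a Run value under Program Files
    r'"C:\Windows\System32\schtasks.exe" /create /sc daily /st 03:00 /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-2-3-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor = "C:\\Program Files\\Vendor\\tray.exe"',
]

# Directories a standard user can write to; a persistence target there is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Matches the 'Set value (str) <key>\Run\<name> = "<data>"' shape used in the report.
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>\S+) = \"(?P<data>.*)\"$", re.IGNORECASE)


@dataclass
class Finding:
    source: str            # "schtasks" or "run-key"
    target: str            # the program the persistence will launch
    reasons: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> dict:
    """Split a Windows command line on spaces outside double quotes and collect
    /switch [value] pairs; switches are lower-cased, values unquoted."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts = {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "/"
            if nxt.startswith("/"):
                opts[tok.lower()] = ""
            else:
                opts[tok.lower()] = nxt.strip('"')
                i += 1
        i += 1
    return opts


def assess_schtasks(event: str) -> Optional[Finding]:
    if "schtasks" not in event.lower():
        return None
    opts = parse_schtasks(event)
    if "/create" not in opts:
        return None
    f = Finding("schtasks", opts.get("/tr", ""))
    # /sc minute defaults to a one-minute modifier when /mo is omitted
    if opts.get("/sc", "").lower() == "minute" and opts.get("/mo", "1") == "1":
        f.reasons.append("runs every minute (/sc minute /mo 1): watchdog-style relaunch")
    if opts.get("/rl", "").upper() == "HIGHEST":
        f.reasons.append("asks for the account's highest run level (/RL HIGHEST)")
    if "/f" in opts:
        f.reasons.append("silently overwrites an existing task of the same name (/f)")
    if USER_WRITABLE.search(f.target):
        f.reasons.append("task action lives in a user-writable directory")
    return f


def assess_run_key(event: str) -> Optional[Finding]:
    m = RUN_VALUE.search(event)
    if not m:
        return None
    path = m.group("data").replace("\\\\", "\\")   # undo the sandbox's escaping
    f = Finding("run-key", path)
    if USER_WRITABLE.search(path):
        f.reasons.append(f"Run value {m.group('name')!r} points into a user-writable directory")
    return f


def assess(event: str) -> Optional[Finding]:
    for assessor in (assess_schtasks, assess_run_key):
        finding = assessor(event)
        if finding is not None:
            return finding
    return None


def triage(events) -> List[Finding]:
    """Return only the events that carry at least one suspicious trait."""
    return [f for f in map(assess, events) if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.source}] {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the four sample events, the dropper's task trips all four traits and its Run value trips the path check, while both constructed vendor events come back clean. Two caveats when turning this into a production rule: /RL HIGHEST only asks for the highest token the creating account already has and does not by itself grant anything the user lacks, and the third mechanism in this report, the uwumonster.lnk written to the Startup folder, is caught by a plain file-creation path match rather than by command-line parsing.
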

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
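
Every tcp row in the table above goes to one endpoint, 147.185.221.19:23638, under four different hostnames beneath gl.at.ply.gg, the domain used by the playit.gg tunnelling service; the same four names recur in behavioral15. That shapes how the indicators should be used: the IP and port belong to the tunnel provider's edge rather than to the operator's own host, so blocking them carries collateral risk and the operator can re-point the tunnel, whereas the hostnames are operator-chosen. The script below, an added example and not part of the report, reduces the per-connection table to a de-duplicated indicator set, separates the PTR lookups the sandbox generates for its own background traffic from the RAT's lookups, tolerates the missing Domain column on the loopback rows, and keeps those loopback connections apart since they are not actionable outside the sandbox. NETWORK_ROWS is a trimmed copy of the table above.

```python
"""Collapse a sandbox Network table into a de-duplicated indicator set.

Added example; not part of the sandbox report. NETWORK_ROWS is a trimmed copy of
the behavioral12 table above (columns: Country Destination Domain Proto, with the
Domain column absent on loopback rows).
"""
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
"""


class Conn(NamedTuple):
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Conn]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # loopback rows carry no Domain column
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        host, _, port = dest.rpartition(":")
        rows.append(Conn(country, host, int(port), domain, proto))
    return rows


def summarize(rows: List[Conn]) -> dict:
    """Separate DNS noise from actual C2 connections and count the latter."""
    dns, ptr = set(), set()
    c2 = Counter()                       # (host, port) -> number of connections
    c2_names = defaultdict(set)          # (host, port) -> hostnames resolved to it
    loopback = Counter()
    for r in rows:
        if r.proto == "udp" and r.port == 53:
            (ptr if (r.domain or "").endswith(".in-addr.arpa") else dns).add(r.domain)
        elif r.host.startswith("127."):
            loopback[r.port] += 1
        else:
            c2[(r.host, r.port)] += 1
            c2_names[(r.host, r.port)].add(r.domain)
    return {"dns": dns, "ptr": ptr, "c2": c2, "c2_names": dict(c2_names), "loopback": loopback}


def shared_parent(domains) -> str:
    """Longest common dotted suffix of the names, e.g. 'gl.at.ply.gg' here."""
    reversed_labels = [d.split(".")[::-1] for d in domains]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    return ".".join(reversed(common))


def ioc_lines(summary: dict) -> List[str]:
    """Flat indicator list: hostnames first (operator-chosen), then the endpoint."""
    names = sorted(n for ns in summary["c2_names"].values() for n in ns if n)
    lines = [f"domain {n}" for n in names]
    for (host, port), count in sorted(summary["c2"].items()):
        lines.append(f"endpoint {host}:{port} ({count} connections)")
    return lines


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    print("\n".join(ioc_lines(summary)))
    print("shared parent of C2 names:", shared_parent(summary["dns"]))
    print("loopback connections:", dict(summary["loopback"]))
```

On the trimmed rows this yields four domain indicators, one endpoint with six connections, and a shared parent of gl.at.ply.gg, which is the cue to treat the IP as tunnel infrastructure and to hunt on the hostnames (or on the RAT's host behaviour) instead. The loopback connection to 127.0.0.1 on the same port is reported separately and should not be shipped as an indicator.
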

Files

memory/4592-0-0x0000000000750000-0x0000000000766000-memory.dmp

memory/4592-1-0x00007FFBE3AE3000-0x00007FFBE3AE5000-memory.dmp

memory/4592-6-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

memory/4592-7-0x00007FFBE3AE3000-0x00007FFBE3AE5000-memory.dmp

memory/4592-8-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/5704-12-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

memory/5704-14-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:21

Platform

win7-20240221-en

Max time kernel

1199s

Max time network

1200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(13 matches; no description, indicator, process or target recorded for any of them)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (2 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (20 occurrences, one per uwumonster.exe process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1840 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3008 wrote to memory of 2444, 1408, 2108, 320, 2748, 1708, 2272, 2812, 2580, 1516, 2716, 932, 1744, 3024, 2372, 1644, 1512, 2472, 1740, 1396 (3 writes to each) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
A parent writing into a freshly created child is the normal process-creation pattern, so these rows establish the parent chain rather than injection: the dropper spawned schtasks.exe, and taskeng.exe (the Windows 7 Task Scheduler engine) spawned all 20 uwumonster.exe instances.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4F459FD3-E645-491D-AF04-3365000B0585} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe
(20 instances, each started by taskeng.exe with the bare path as its command line)

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/1948-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

memory/1948-1-0x0000000000080000-0x0000000000096000-memory.dmp

memory/1948-6-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

memory/1948-7-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:21

Platform

win10v2004-20240226-en

Max time kernel

1194s

Max time network

1203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:27

Platform

win10v2004-20240426-en

Max time kernel

1191s

Max time network

1173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:11

Platform

win10v2004-20240508-en

Max time kernel

455s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1940 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1940 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.bat

MD5 c18b5cb8606605d4bc37e7f5fd64eab7
SHA1 9b8636830386ebe79ff6ee9701f4e1f86d65da49
SHA256 d18a9b4e9e242c92a132c59cb0d0516a741cfc52490d2dc590b5d83ccab043b4
SHA512 aa8f4e877c4900f25d27ccc1e5ca358b6bf5854bc8d404caf6df832dc5aeb882bdcea930cd8557d91c8f839dfc916c829edfb1f2721171960044dd0f842288c7

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:11

Platform

win7-20240221-en

Max time kernel

1181s

Max time network

1191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe (3 events)
PID 1896 wrote to memory of 1724, 2288, 1124, 1472, 2876, 2668, 2652, 2732, 2916, 2860, 2440, 1600, 2716, 2916, 2860, 1556, 344, 1732, 1696, 2120 (3 events per child PID, listed in launch order; PIDs 2916 and 2860 appear twice) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {40704481-771F-4052-8D16-844B2783497F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe (40 process entries of this path, one per launch of the dropped payload; no command-line arguments recorded)

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2272-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

memory/2272-1-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/2272-6-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1724-10-0x00000000013D0000-0x00000000013E6000-memory.dmp

memory/2272-11-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

memory/2272-12-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1472-17-0x0000000000030000-0x0000000000046000-memory.dmp

memory/2876-19-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

memory/2668-21-0x0000000001270000-0x0000000001286000-memory.dmp

memory/2652-23-0x0000000000320000-0x0000000000336000-memory.dmp

memory/2732-25-0x0000000000850000-0x0000000000866000-memory.dmp

memory/2916-27-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/2860-29-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2440-31-0x0000000000010000-0x0000000000026000-memory.dmp

memory/1600-33-0x0000000000E70000-0x0000000000E86000-memory.dmp

memory/2716-35-0x00000000000E0000-0x00000000000F6000-memory.dmp

memory/2916-37-0x0000000001140000-0x0000000001156000-memory.dmp

memory/2860-39-0x0000000000340000-0x0000000000356000-memory.dmp

memory/1556-41-0x0000000000C50000-0x0000000000C66000-memory.dmp

memory/344-43-0x00000000001B0000-0x00000000001C6000-memory.dmp

memory/1732-45-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1696-47-0x00000000012E0000-0x00000000012F6000-memory.dmp
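How to read the memory-dump names above, as an added example that is not part of the sandbox report: each name encodes the PID, a sequence number and the start and end address of the captured region, so region sizes can be compared across processes without opening a single dump. The list in the block is a constructed subset of this run's Files entries; the split into "low" and "module range" addresses is this example's own heuristic, not a sandbox classification.

```python
"""Read region sizes out of sandbox memory-dump names and find the region
every launched copy of the payload has in common.

Added example, not part of the sandbox output. Names follow
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, so size = end - start.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the Files section of this run (behavioral12).
DUMPS = [
    "memory/2272-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp",
    "memory/2272-1-0x00000000008D0000-0x00000000008E6000-memory.dmp",
    "memory/2272-6-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp",
    "memory/1724-10-0x00000000013D0000-0x00000000013E6000-memory.dmp",
    "memory/1472-17-0x0000000000030000-0x0000000000046000-memory.dmp",
    "memory/2876-19-0x0000000000AA0000-0x0000000000AB6000-memory.dmp",
    "memory/2916-27-0x00000000009F0000-0x0000000000A06000-memory.dmp",
    "memory/2916-37-0x0000000001140000-0x0000000001156000-memory.dmp",
]

# On 64-bit Windows, system DLLs are mapped far above the low addresses where a
# process's own image and heaps sit; 1 TiB is a safe dividing line (heuristic).
HIGH_ADDRESS = 1 << 40


def parse_dump(name):
    """Split a dump name into pid, sequence number, start, end, size and region class."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": start, "end": end, "size": end - start,
        "region": "module range" if start >= HIGH_ADDRESS else "low (image/heap)",
    }


def group_by_size(names):
    """Map region size -> list of parsed dumps with exactly that size."""
    groups = defaultdict(list)
    for dump in map(parse_dump, names):
        groups[dump["size"]].append(dump)
    return dict(groups)


def shared_regions(names, min_processes=3):
    """Region sizes captured in at least `min_processes` distinct PIDs.

    A low-address region of identical size in every child is what repeated
    launches of the same executable look like; it is the dump to pull first
    when extracting the payload or its configuration.
    """
    out = []
    for size, dumps in group_by_size(names).items():
        pids = sorted({d["pid"] for d in dumps})
        if len(pids) >= min_processes:
            out.append((size, pids, dumps[0]["region"]))
    return sorted(out, key=lambda entry: len(entry[1]), reverse=True)


if __name__ == "__main__":
    for size, pids, region in shared_regions(DUMPS):
        print(f"0x{size:X} bytes, {region}, seen in {len(pids)} processes: {pids}")
```

In this run every relaunched uwumonster.exe carries a 0x16000-byte low-address region, and the dropped file hash is the same in every run, so any one of those dumps is the natural first pick for extraction; the two large high-address regions exist only for PID 2272, the original sample process.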

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:16

Platform

win10v2004-20240426-en

Max time kernel

1184s

Max time network

1193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches; the sandbox recorded no indicator, process or target for this rule)

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (20 events, one per launched copy)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe (40 process entries of this path, one per launch of the dropped payload; no command-line arguments recorded)
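The persistence chain this run records (a .lnk in the user's Startup folder, a Run value under the user's HKU hive, and a scheduled task created with /RL HIGHEST /sc minute /mo 1 whose action is the dropped copy in %LOCALAPPDATA%) is the same in every behavioural run of this report. The Python below is an added example and not part of the sandbox output: it takes those rows as event dicts and scores each mechanism with the reason a responder needs. The event layout, field names and point values are the example's own assumptions; the paths and the schtasks command line are copied from the report.

```python
"""Score the persistence chain recorded in this report.

Added example, not sandbox output. Event dicts, field names (kind, image,
parent, cmdline, key, data, path) and point values are assumptions of this
example; paths and the command line are copied from the report.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\a ton of ya"
          r"\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe")
SCHTASKS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"')

# Constructed from the report's rows (Drops startup file, Adds Run key, Processes).
REPORT_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": SAMPLE, "cmdline": SCHTASKS_CMDLINE},
    {"kind": "registry", "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster",
     "data": r"C:\Users\Admin\AppData\Local\uwumonster.exe"},
    {"kind": "file", "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk"},
]

# Anything auto-started from a path a standard user can write to is not an installed product.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks.exe switches to their values; bare switches (/create, /f) map to True."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1                      # token 0 is schtasks.exe itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i][1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def score_schtasks(ev):
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    opts = parse_schtasks(ev["cmdline"])
    if "create" not in opts:
        return None
    score, why = 0, []
    action = opts.get("tr", "")
    if USER_WRITABLE.search(action):
        score += 3
        why.append(f"task action lives in a user-writable path: {action}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        score += 2
        why.append("/RL HIGHEST: runs with the creating user's highest token (full admin token if that user is an administrator)")
    every = int(opts.get("mo", 1))
    if str(opts.get("sc", "")).lower() == "minute" and every <= 5:
        score += 2
        why.append(f"/sc minute /mo {every}: relaunched every {every} minute(s), so killing the process alone does not stop it")
    if opts.get("f") is True:
        score += 1
        why.append("/f: silently overwrites any existing task of the same name")
    if USER_WRITABLE.search(ev.get("parent", "")):
        score += 1
        why.append("schtasks.exe was spawned by a binary running from a user-writable path")
    return {"technique": "scheduled task", "name": opts.get("tn"), "score": score, "why": why}


def score_run_key(ev):
    if not RUN_KEY.search(ev["key"]):
        return None
    score, why = 0, []
    if USER_WRITABLE.search(ev["data"]):
        score += 3
        why.append(f"Run value points into a user-writable path: {ev['data']}")
    if ev["key"].upper().startswith("\\REGISTRY\\USER\\"):
        score += 1
        why.append("written under HKU: no admin rights needed, fires at this user's logon")
    return {"technique": "Run key", "name": ev["key"].rsplit("\\", 1)[-1], "score": score, "why": why}


def score_startup_file(ev):
    if not STARTUP_DIR.search(ev["path"]) or not ev["path"].lower().endswith(".lnk"):
        return None
    score, why = 2, [f"shortcut dropped in the per-user Startup folder: {ev['path']}"]
    if USER_WRITABLE.search(ev.get("image", "")):
        score += 1
        why.append("dropped by a binary running from a user-writable path")
    return {"technique": "startup folder", "name": ev["path"].rsplit("\\", 1)[-1], "score": score, "why": why}


SCORERS = {"process": score_schtasks, "registry": score_run_key, "file": score_startup_file}


def triage(events):
    """Return persistence findings for the events, highest score first."""
    findings = []
    for ev in events:
        scorer = SCORERS.get(ev["kind"])
        finding = scorer(ev) if scorer else None
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"[{f['score']}] {f['technique']} '{f['name']}'")
        for reason in f["why"]:
            print("    -", reason)
```

Order matters when cleaning up a host that shows this chain: the task fires every minute and starts a fresh copy, so delete the task before removing the Run value, the .lnk and the binary; otherwise the copy you kill is back within sixty seconds.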

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
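The Network tables of this report mix three things: DNS to 8.8.8.8 (part of it reverse lookups of addresses the sample never connects to), TCP to one relay endpoint reached under four changing *.ply.gg hostnames, and connections to 127.0.0.1 on the same port. The Python below is an added example, not part of the report: it parses rows in the report's own "Country Destination Domain Proto" layout, separates those cases and returns the indicators worth blocking. The rows in the block are a constructed subset of this run's table, and the identification of *.ply.gg names with the playit.gg tunnelling service is this editor's, not a sandbox verdict.

```python
"""Summarise sandbox Network rows into C2 indicators.

Added example, not sandbox output. ROWS is a constructed subset of this
run's Network table; TUNNEL_SUFFIXES encodes the editor's assumption that
*.ply.gg hostnames are issued by the playit.gg tunnelling service.
"""
import ipaddress

ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
"""

TUNNEL_SUFFIXES = (".ply.gg",)   # playit.gg tunnel hostnames (assumption)


def parse_row(line):
    """One report row -> dict; the Domain column is absent on some rows."""
    parts = line.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """'19.221.185.147.in-addr.arpa' -> '147.185.221.19'; None for non-PTR names (IPv4 only)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def summarize(text):
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    c2, domains, ptr, loopback = set(), set(), [], 0
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_loopback:
            loopback += 1          # same port as the C2 but no remote peer: local artefact, not an IOC
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])   # the resolver (8.8.8.8 here) is infrastructure, not an IOC
            if ip:
                ptr.append((r["domain"], ip))
            elif r["domain"]:
                domains.add(r["domain"])  # a queried name counts even if no TCP row follows
            continue
        c2.add((r["ip"], r["port"]))
        if r["domain"]:
            domains.add(r["domain"])
    c2_ips = {ip for ip, _ in c2}
    return {
        "c2": sorted(c2),
        "domains": sorted(domains),
        "tunnel_service": any(d.endswith(TUNNEL_SUFFIXES) for d in domains),
        # reverse lookup of the C2 address itself vs. lookups of addresses never contacted
        "ptr_of_c2": sorted(name for name, ip in ptr if ip in c2_ips),
        "ptr_noise": sorted(name for name, ip in ptr if ip not in c2_ips),
        "loopback_connections": loopback,
    }


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(f"{key}: {value}")
```

Because the relay address is shared tunnel infrastructure, block and hunt on the hostnames together with the ip:port pair rather than on the address alone. The reverse lookups for addresses that have no matching TCP row (ptr_noise) are host background traffic and do not belong in the IOC list; the lookup of the C2 address itself (ptr_of_c2) is worth keeping as a hunting artefact.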

Files

memory/1716-0-0x00007FFF52843000-0x00007FFF52845000-memory.dmp

memory/1716-1-0x0000000000AF0000-0x0000000000B06000-memory.dmp

memory/1716-6-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4664-9-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

memory/4664-11-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

memory/1716-12-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:28

Platform

win7-20240221-en

Max time kernel

1194s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (13 matches; the sandbox recorded no indicator, process or target for this rule)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (19 events, one per launched copy)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe (3 events)
PID 1964 wrote to memory of 2476, 2344, 536, 2192, 1600, 2540, 2148, 2108, 1116, 320, 1588, 2432, 2196, 2828, 1128, 1780, 2040, 2424 (3 events per child PID, listed in launch order) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1964 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E9DB5B76-3953-4F61-BEAA-6DF4A82AD212} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe (40 instances)

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:13

Platform

win10v2004-20240508-en

Max time kernel

1195s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe (14 instances)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4704,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe (26 instances)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:14

Platform

win7-20240220-en

Max time kernel

1178s

Max time network

1187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1580 wrote to memory of 2336 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 2896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1688 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1940 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 2668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 380 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1200 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1580 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D6F45FAF-4ADB-4DBE-B237-A2FD0387BAE2} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe (38 instances)

Network

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:15

Platform

win7-20240508-en

Max time kernel

1183s

Max time network

1192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (recorded 2 times)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (recorded 20 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe (recorded 3 times)
PID 2592 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2200 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2532 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2076 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 1804 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2084 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)
PID 2592 wrote to memory of 2576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (recorded 3 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {40782371-4569-44D4-8787-F75677237452} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe (20 identical entries, each listed as path and command line)

Network

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:15

Platform

win10v2004-20240508-en

Max time kernel

1191s

Max time network

1192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (recorded 2 times)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (recorded 20 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe (20 identical entries, each listed as path and command line)

Network

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:25

Platform

win7-20240419-en

Max time kernel

1193s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2664 wrote to memory of 2832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1428 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1532 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 1772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A8A73F73-ED16-453E-984C-BF21B330ED2B} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/3020-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/3020-1-0x0000000000120000-0x0000000000136000-memory.dmp

memory/3020-6-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2832-10-0x0000000000A50000-0x0000000000A66000-memory.dmp

memory/3020-11-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/3020-12-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

memory/540-16-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

memory/2496-19-0x0000000001290000-0x00000000012A6000-memory.dmp

memory/1428-31-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1532-33-0x0000000000180000-0x0000000000196000-memory.dmp

memory/1772-35-0x00000000009E0000-0x00000000009F6000-memory.dmp

memory/108-37-0x00000000000B0000-0x00000000000C6000-memory.dmp

memory/840-39-0x0000000000A20000-0x0000000000A36000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:10

Platform

win7-20240215-en

Max time kernel

835s

Max time network

836s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2736 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2328 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2328 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1912 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C48E9E42-4168-49EA-A91C-1C4ABA2A310C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp190C.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/2328-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

memory/2328-1-0x0000000000C90000-0x0000000000CA6000-memory.dmp

memory/2328-6-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2328-7-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2628-11-0x0000000001330000-0x0000000001346000-memory.dmp

memory/2328-12-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp190C.tmp.bat

MD5 6d2a1d0590cb9f51360dec08d25d89a4
SHA1 622633bf0cb59eeb332b5bc7ac277d32212bb042
SHA256 94a6893e24452fa9cfff00d4c311cb3880b23ff692f733f40aaca4248b225108
SHA512 fbe28c1454d68eea93540d0891d66d14262009e626a2213dd2287cdcc07cf2a1f84757b2746d88436bacfc256be5a7dbdf80b561b1c207edfced8bb0f2f27bf6

memory/2328-24-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:16

Platform

win7-20231129-en

Max time kernel

1172s

Max time network

1182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2624 wrote to memory of 2452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AD39C9F5-A13B-4B50-8E38-48766AE8D54D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

(20 instances of this process, each with the same path and command line, collapsed here. The "uwumonster" task re-launches the file every minute, and on this Windows 7 image each instance is a child of taskeng.exe, as the WriteProcessMemory rows show.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2368-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

memory/2368-1-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

memory/2368-6-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/2368-7-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

memory/2368-8-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2452-12-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

memory/1980-15-0x0000000000380000-0x0000000000396000-memory.dmp

memory/1964-17-0x0000000000940000-0x0000000000956000-memory.dmp

memory/1988-19-0x0000000000350000-0x0000000000366000-memory.dmp

memory/2968-21-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/2140-23-0x0000000000F90000-0x0000000000FA6000-memory.dmp

memory/2788-25-0x00000000013A0000-0x00000000013B6000-memory.dmp

memory/1484-27-0x00000000013B0000-0x00000000013C6000-memory.dmp

memory/1712-37-0x0000000000020000-0x0000000000036000-memory.dmp

memory/2420-39-0x00000000011A0000-0x00000000011B6000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:22

Platform

win7-20231129-en

Max time kernel

1197s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(14 matches; the report records no description, indicator, process or target for them)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege (19 events, one per task-launched instance) N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1276 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1268 wrote to memory of 1676, 1072, 2904, 1708, 2324, 2740, 840, 3052, 2560, 2208, 2668, 636, 2336, 1584, 1420, 1724, 2172, 492, 2532 (19 child PIDs, 3 writes to each) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {ABC80DB1-28FF-41F6-8CA4-5E9377C44323} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

(19 instances of this process, each with the same path and command line, collapsed here. They match the 19 child PIDs that taskeng.exe (PID 1268) wrote to in the WriteProcessMemory rows above: the "uwumonster" task re-launches the file every minute for the length of the detonation.)

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/3048-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/3048-1-0x0000000000B90000-0x0000000000BA6000-memory.dmp

memory/3048-6-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/3048-7-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/3048-8-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1676-13-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/1072-15-0x0000000001230000-0x0000000001246000-memory.dmp

memory/2324-19-0x0000000001350000-0x0000000001366000-memory.dmp

memory/3052-23-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/2560-25-0x0000000000230000-0x0000000000246000-memory.dmp

memory/2208-27-0x00000000008E0000-0x00000000008F6000-memory.dmp

memory/2668-29-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

memory/636-31-0x0000000000360000-0x0000000000376000-memory.dmp

memory/2336-33-0x0000000000F40000-0x0000000000F56000-memory.dmp

memory/1584-35-0x00000000012C0000-0x00000000012D6000-memory.dmp

memory/1724-38-0x0000000000280000-0x0000000000296000-memory.dmp

memory/2172-40-0x0000000001140000-0x0000000001156000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:23

Platform

win10v2004-20240508-en

Max time kernel

1198s

Max time network

1186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(2 matches; the report records no description, indicator, process or target for them)

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
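
The three persistence mechanisms recorded in this run and in behavioral17 (the Startup-folder .lnk, the HKCU Run value, and the schtasks /create with /sc minute /mo 1 /RL HIGHEST) are cheap to detect from process-creation, registry-set and file-create telemetry. The Python below is an added example written for this page, not code from the sandbox or from the report: it parses a schtasks command line the way the report prints it and scores each event against the three techniques. The event schema and the two benign rows in SAMPLE_EVENTS are constructed assumptions; the malicious rows are the report's own indicators.

```python
"""Flag the three user-level persistence mechanisms this report records
(a schtasks /create with a one-minute trigger, an HKCU ...\Run value and a
Startup-folder .lnk) in a stream of sample telemetry events.

Added example for this page; not the sandbox's own code. The event schema
(dicts with 'type' plus cmdline / key+value / path) is assumed, and the
SAMPLE_EVENTS are constructed from the indicators printed in the report
plus two benign rows. Map Sysmon event IDs 1, 13 and 11 (or your EDR's
equivalents) onto this schema before running it on real data.
"""
import re

# A persistence target under the user's own AppData is a stronger signal
# than one under Program Files or System32.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\")
STARTUP_LNK = re.compile(r"(?i)\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted spans as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {flag: value} for a schtasks.exe command line, else None.
    Flag names are lower-cased; flags without a value (/create, /f) map to True."""
    argv = tokenize(cmdline)
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(argv):
        if argv[i].startswith("/"):
            name = argv[i][1:].lower()
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[name] = argv[i + 1]
                i += 1
            else:
                opts[name] = True
        i += 1
    return opts


def check_task(ev):
    """Scheduled task whose action lives in AppData, fires every few minutes,
    or asks for the highest run level available to the account."""
    opts = parse_schtasks(ev.get("cmdline", ""))
    if not opts or "create" not in opts:
        return None
    target = str(opts.get("tr", ""))
    mo = str(opts.get("mo", "1"))
    why = []
    if USER_WRITABLE.match(target):
        why.append("action under user-writable AppData")
    if str(opts.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        why.append("re-launched every %s minute(s)" % mo)
    if str(opts.get("rl", "")).lower() == "highest":
        why.append("/RL HIGHEST requested")
    if not why:
        return None
    return {"technique": "T1053.005 scheduled task", "name": str(opts.get("tn", "?")),
            "target": target, "why": "; ".join(why)}


def check_run_key(ev):
    """HKCU Run/RunOnce value whose command points into AppData."""
    key, value = ev.get("key", ""), ev.get("value", "")
    if RUN_KEY.search(key) and USER_WRITABLE.match(value.strip('"')):
        return {"technique": "T1547.001 Run key", "name": key.rsplit("\\", 1)[-1],
                "target": value, "why": "Run value points into AppData"}
    return None


def check_startup(ev):
    """Shortcut written to the per-user Startup folder."""
    path = ev.get("path", "")
    if STARTUP_LNK.search(path):
        return {"technique": "T1547.001 Startup folder", "name": path.rsplit("\\", 1)[-1],
                "target": path, "why": ".lnk created in Startup folder"}
    return None


CHECKS = {"process": check_task, "regset": check_run_key, "filecreate": check_startup}


def scan(events):
    """Run the check matching each event's type; return the list of findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: the report's three persistence indicators plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
                                   r'/sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'},
    {"type": "regset",
     "key": r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster",
     "value": r"C:\Users\Admin\AppData\Local\uwumonster.exe"},
    {"type": "filecreate",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk"},
    {"type": "process", "cmdline": r'schtasks.exe /create /tn "VendorUpdate" /sc daily /st 03:00 /tr "C:\Program Files\Vendor\update.exe"'},
    {"type": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']:<28} {f['name']:<16} {f['target']}  [{f['why']}]")
```

A task whose action lives under AppData, fires every minute and asks for /RL HIGHEST is a watchdog, not an updater, which is why the three reasons are scored together rather than any one of them alone. The parent of the re-launched copies differs by OS (taskeng.exe on the Windows 7 images, the Task Scheduler service on Windows 10), so keying the rule on the schtasks command line rather than on the parent process keeps it portable across both images in this report.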

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege (20 events, one per task-launched instance) N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

(20 instances of this process, each with the same path and command line, collapsed here. The "uwumonster" task re-launches the file every minute; on this Windows 10 image the Task Scheduler service starts the task action itself, so no taskeng.exe appears in the tree.)

Network

Files

memory/452-0-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

memory/452-1-0x0000000000490000-0x00000000004A6000-memory.dmp

memory/452-6-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/452-7-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

memory/452-8-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4588-11-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/4588-13-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win10v2004-20240508-en

Max time kernel

1183s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Files

memory/4220-0-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmp

memory/4220-1-0x00000000004B0000-0x00000000004C6000-memory.dmp

memory/4220-6-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2152-9-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

memory/4220-10-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

memory/2152-12-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:27

Platform

win7-20240508-en

Max time kernel

1185s

Max time network

1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2488 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2008 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2416 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2252 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 1476 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2488 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {62713848-B2D6-4EAC-A610-A2A679A37DCE} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Files

memory/2976-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2976-1-0x0000000000920000-0x0000000000936000-memory.dmp

memory/2976-6-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

memory/2976-7-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2976-8-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2952-12-0x0000000000880000-0x0000000000896000-memory.dmp

memory/2008-15-0x0000000000F30000-0x0000000000F46000-memory.dmp

memory/2416-17-0x0000000001190000-0x00000000011A6000-memory.dmp

memory/1216-21-0x0000000001370000-0x0000000001386000-memory.dmp

memory/2252-27-0x00000000013E0000-0x00000000013F6000-memory.dmp

memory/1540-34-0x00000000000E0000-0x00000000000F6000-memory.dmp

memory/2784-36-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

memory/2236-39-0x0000000000D20000-0x0000000000D36000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted 2024-06-01 07:45
Reported 2024-06-01 08:30
Platform win10v2004-20240508-en
Max time kernel 1186s
Max time network 1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/1276-0-0x00007FFDCF893000-0x00007FFDCF895000-memory.dmp

memory/1276-1-0x0000000000050000-0x0000000000066000-memory.dmp

memory/1276-6-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4896-9-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp

memory/4896-11-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp

memory/1276-12-0x00007FFDCF890000-0x00007FFDD0351000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-01 07:45
Reported 2024-06-01 08:15
Platform win7-20240221-en
Max time kernel 1184s
Max time network 1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2336 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2336 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 956 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2688 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2688 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2688 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 1708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 956 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {988D57BF-9417-4603-9857-09B98F1D2144} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2336-0-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp

memory/2336-1-0x00000000000A0000-0x00000000000B6000-memory.dmp

memory/2336-6-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

memory/2336-7-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp

memory/2336-8-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2616-13-0x00000000008E0000-0x00000000008F6000-memory.dmp

memory/2920-15-0x00000000009D0000-0x00000000009E6000-memory.dmp

memory/796-17-0x0000000000210000-0x0000000000226000-memory.dmp

memory/2124-19-0x00000000009E0000-0x00000000009F6000-memory.dmp

memory/268-21-0x0000000000AF0000-0x0000000000B06000-memory.dmp

memory/1272-23-0x0000000000270000-0x0000000000286000-memory.dmp

memory/2968-25-0x0000000001360000-0x0000000001376000-memory.dmp

memory/1404-31-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/808-33-0x0000000000F10000-0x0000000000F26000-memory.dmp

memory/2172-35-0x0000000001010000-0x0000000001026000-memory.dmp

memory/1708-37-0x00000000001B0000-0x00000000001C6000-memory.dmp

memory/2860-39-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/3012-41-0x0000000001310000-0x0000000001326000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted 2024-06-01 07:45
Reported 2024-06-01 08:24
Platform win7-20240221-en
Max time kernel 1199s
Max time network 1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (×2)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (×20)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe (×3)
PID 2548 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 3068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 1688 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 1624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 2796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 2548 wrote to memory of 948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F06742FF-F007-49D4-8BE9-D462E7564B1C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe (×20 instances, each with the command line below)

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp (×4)
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp (×9)
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp (×7)
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp (×16)
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp (×4)
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp (×9)
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp (×4)
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp (×8)
N/A 127.0.0.1:23638 tcp (×11)

Files

memory/2096-0-0x000007FEF5603000-0x000007FEF5604000-memory.dmp

memory/2096-1-0x0000000001240000-0x0000000001256000-memory.dmp

memory/2096-6-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

memory/2096-7-0x000007FEF5603000-0x000007FEF5604000-memory.dmp

memory/2096-8-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2444-12-0x0000000000180000-0x0000000000196000-memory.dmp

memory/2196-15-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

memory/1984-17-0x0000000001040000-0x0000000001056000-memory.dmp

memory/2828-19-0x00000000000D0000-0x00000000000E6000-memory.dmp

memory/988-21-0x0000000000E90000-0x0000000000EA6000-memory.dmp

memory/384-24-0x00000000013D0000-0x00000000013E6000-memory.dmp

memory/3068-26-0x00000000001A0000-0x00000000001B6000-memory.dmp

memory/2104-28-0x0000000001120000-0x0000000001136000-memory.dmp

memory/1624-31-0x00000000003B0000-0x00000000003C6000-memory.dmp

memory/628-33-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/484-35-0x00000000010B0000-0x00000000010C6000-memory.dmp

memory/2660-40-0x00000000002D0000-0x00000000002E6000-memory.dmp

memory/1648-42-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/2796-44-0x0000000000E80000-0x0000000000E96000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:25

Platform

win7-20240221-en

Max time kernel

1183s

Max time network

1188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A (×2)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A (×20)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe (×3)
PID 1004 wrote to memory of 1552 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1596 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2872 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1400 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 2576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)
PID 1004 wrote to memory of 1412 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6C3307CB-478F-4039-88C7-64349F75E996} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe (×20 instances, each with the command line below)

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp (×5)
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp (×19)
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp (×3)
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp (×7)
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp (×3)
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp (×4)
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp (×4)
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp (×9)
N/A 127.0.0.1:23638 tcp (×5)

Files

memory/1308-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

memory/1308-1-0x0000000001170000-0x0000000001186000-memory.dmp

memory/1308-6-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/1308-7-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

memory/1308-8-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1552-12-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

memory/1596-17-0x00000000012F0000-0x0000000001306000-memory.dmp

memory/1812-26-0x00000000003D0000-0x00000000003E6000-memory.dmp

memory/2492-28-0x00000000010B0000-0x00000000010C6000-memory.dmp

memory/2136-30-0x00000000011E0000-0x00000000011F6000-memory.dmp

memory/2984-32-0x0000000001260000-0x0000000001276000-memory.dmp

memory/2316-36-0x0000000000100000-0x0000000000116000-memory.dmp

memory/2576-38-0x0000000000910000-0x0000000000926000-memory.dmp

memory/1412-40-0x0000000001220000-0x0000000001236000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:25

Platform

win10v2004-20240426-en

Max time kernel

1195s

Max time network

1201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3476-0-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp

memory/3476-1-0x0000000000780000-0x0000000000796000-memory.dmp

memory/3476-6-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3476-9-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

memory/1452-10-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

memory/1452-12-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win10v2004-20240508-en

Max time kernel

1195s

Max time network

1210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3596,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4312,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2348-0-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp

memory/2348-1-0x0000000000E30000-0x0000000000E46000-memory.dmp

memory/2348-6-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/2348-7-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/536-10-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/536-12-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:14

Platform

win10v2004-20240426-en

Max time kernel

1193s

Max time network

1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2720-0-0x0000000000910000-0x0000000000926000-memory.dmp

memory/2720-1-0x00007FFD82A03000-0x00007FFD82A05000-memory.dmp

memory/2720-6-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp

memory/2720-7-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3400-10-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp

memory/3400-12-0x00007FFD82A00000-0x00007FFD834C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win7-20240221-en

Max time kernel

1196s

Max time network

1201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2456 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 1028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2940 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2940 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2456 wrote to memory of 2940 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FA601A1F-8EBA-4849-B05F-6162474C8C27} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2192-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2192-1-0x0000000000D00000-0x0000000000D16000-memory.dmp

memory/2192-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2192-7-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2192-8-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2916-12-0x0000000001380000-0x0000000001396000-memory.dmp

memory/656-16-0x00000000000E0000-0x00000000000F6000-memory.dmp

memory/2320-18-0x00000000013B0000-0x00000000013C6000-memory.dmp

memory/2800-21-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1644-23-0x0000000000D10000-0x0000000000D26000-memory.dmp

memory/1704-25-0x0000000000D20000-0x0000000000D36000-memory.dmp

memory/1624-27-0x00000000001B0000-0x00000000001C6000-memory.dmp

memory/1652-29-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/2148-32-0x0000000001220000-0x0000000001236000-memory.dmp

memory/1212-36-0x00000000012F0000-0x0000000001306000-memory.dmp

memory/1028-39-0x0000000000290000-0x00000000002A6000-memory.dmp

memory/2152-41-0x0000000001130000-0x0000000001146000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:30

Platform

win10v2004-20240426-en

Max time kernel

1199s

Max time network

1187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 udp
US 147.185.221.19:23638 tcp

Files

memory/4048-0-0x00007FF91B483000-0x00007FF91B485000-memory.dmp

memory/4048-1-0x0000000000BF0000-0x0000000000C06000-memory.dmp

memory/4048-6-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp

memory/4048-7-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2444-10-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp

memory/2444-12-0x00007FF91B480000-0x00007FF91BF41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:30

Platform

win7-20240220-en

Max time kernel

1193s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1268 wrote to memory of 2624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1804 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 2080 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 2820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1268 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D8A1A093-025C-44D9-A633-6778DAD6A178} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:24

Platform

win10v2004-20240426-en

Max time kernel

1195s

Max time network

1200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:07

Platform

win7-20240221-en

Max time kernel

835s

Max time network

836s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2884 wrote to memory of 1380 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2884 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2884 wrote to memory of 912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2884 wrote to memory of 1880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2776 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2776 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0DA5747F-BDC0-43F9-BCFC-F86A5AA81521} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DD4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2776-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

memory/2776-1-0x0000000000A90000-0x0000000000AA6000-memory.dmp

memory/2776-6-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2776-7-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

memory/2776-8-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1380-12-0x0000000001110000-0x0000000001126000-memory.dmp

memory/1880-17-0x00000000011E0000-0x00000000011F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2DD4.tmp.bat

MD5 e0bc631be86028bd54091fa15291bdc7
SHA1 62a0a97ee18e48b3f81e5e92f25a540cee227194
SHA256 3171be18aa7c5dfeadf9b74c37ec773fdb3ae4419d694ff79c0b59e8ff804439
SHA512 b7ea227c712cb67ce8d783faa8c2400a67a9cda1e3f94568e24ad2d57bccb3222ec27650e574ffa086d0281f62f4d02493a50a5600e3eb05419b7a0c3107d7d9

memory/2776-28-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:10

Platform

win10v2004-20240426-en

Max time kernel

454s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1040 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1040 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1040 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1040 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 4628 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4628 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp845E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/1040-0-0x00007FF9335B3000-0x00007FF9335B5000-memory.dmp

memory/1040-1-0x0000000000540000-0x0000000000556000-memory.dmp

memory/1040-6-0x00007FF9335B0000-0x00007FF934071000-memory.dmp

memory/1040-7-0x00007FF9335B3000-0x00007FF9335B5000-memory.dmp

memory/1040-8-0x00007FF9335B0000-0x00007FF934071000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4812-11-0x00007FF9335B0000-0x00007FF934071000-memory.dmp

memory/4812-13-0x00007FF9335B0000-0x00007FF934071000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp845E.tmp.bat

MD5 c2838724695917f9531c99ce14ffe23c
SHA1 8df64f26a9a5b2d7838668162998773afa64cd67
SHA256 e4a4803a1754fc041efb08e2b07921ba350cba979b519905e267a10ab03240d9
SHA512 30b86b40988dee6784a56d038a178f5fe1a64a28133203eb9a51179b9aea6e30c38214d3ce4fad4ce071d83349298bdbd207088d0c0e1a79f3ea575f125ce5bd

memory/1040-21-0x00007FF9335B0000-0x00007FF934071000-memory.dmp