Malware Analysis Report

2024-11-16 13:42

Sample ID 240601-jlxdmaed5v
Target a ton of ya.zip
SHA256 e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Threat Level: Known bad

The file a ton of ya.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm family

Detect Xworm Payload

Xworm

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:45

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:22

Platform

win7-20240215-en

Max time kernel

596s

Max time network

594s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 280 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 280 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 280 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 2944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2572 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7F6B6BCE-2A96-4536-A20A-672190C5B49C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/1200-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

memory/1200-1-0x00000000008B0000-0x00000000008C6000-memory.dmp

memory/1200-6-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

memory/1200-7-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

memory/1200-8-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2168-12-0x0000000000100000-0x0000000000116000-memory.dmp

memory/280-15-0x00000000002A0000-0x00000000002B6000-memory.dmp

memory/2300-17-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

memory/1912-20-0x0000000001350000-0x0000000001366000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:32

Platform

win10v2004-20240508-en

Max time kernel

588s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/532-0-0x0000000000D50000-0x0000000000D66000-memory.dmp

memory/532-1-0x00007FF894C93000-0x00007FF894C95000-memory.dmp

memory/532-6-0x00007FF894C90000-0x00007FF895751000-memory.dmp

memory/532-7-0x00007FF894C90000-0x00007FF895751000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3156-10-0x00007FF894C90000-0x00007FF895751000-memory.dmp

memory/3156-12-0x00007FF894C90000-0x00007FF895751000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:33

Platform

win10v2004-20240508-en

Max time kernel

573s

Max time network

590s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/3592-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

memory/3592-1-0x0000000000C70000-0x0000000000C86000-memory.dmp

memory/3592-6-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/364-9-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

memory/364-11-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

memory/3592-12-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

memory/3592-13-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:35

Platform

win10v2004-20240426-en

Max time kernel

581s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/4148-0-0x00007FF8C5923000-0x00007FF8C5925000-memory.dmp

memory/4148-1-0x0000000000E70000-0x0000000000E86000-memory.dmp

memory/4148-6-0x00007FF8C5920000-0x00007FF8C63E1000-memory.dmp

memory/4148-7-0x00007FF8C5923000-0x00007FF8C5925000-memory.dmp

memory/4148-8-0x00007FF8C5920000-0x00007FF8C63E1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/5608-11-0x00007FF8C5920000-0x00007FF8C63E1000-memory.dmp

memory/5608-13-0x00007FF8C5920000-0x00007FF8C63E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:36

Platform

win10v2004-20240508-en

Max time kernel

592s

Max time network

573s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/404-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

memory/404-1-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/404-6-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/404-7-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1376-10-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/1376-12-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:31

Platform

win10v2004-20240426-en

Max time kernel

594s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3864-1-0x00007FFE3EC13000-0x00007FFE3EC15000-memory.dmp

memory/3864-0-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

memory/3864-6-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

memory/3864-7-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2748-10-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

memory/2748-12-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:34

Platform

win10v2004-20240426-en

Max time kernel

583s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/1840-0-0x00007FFA50993000-0x00007FFA50995000-memory.dmp

memory/1840-1-0x0000000000590000-0x00000000005A6000-memory.dmp

memory/1840-6-0x00007FFA50990000-0x00007FFA51451000-memory.dmp

memory/1840-7-0x00007FFA50990000-0x00007FFA51451000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2608-10-0x00007FFA50990000-0x00007FFA51451000-memory.dmp

memory/2608-12-0x00007FFA50990000-0x00007FFA51451000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:34

Platform

win7-20240221-en

Max time kernel

600s

Max time network

566s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1908 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1908 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2560 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1080 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1080 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1080 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 2796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2560 wrote to memory of 1832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {47B7D8EA-8F4C-4883-99A2-69DB4C00E20F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 udp
US 147.185.221.19:23638 tcp

Files

memory/1908-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/1908-1-0x0000000000B60000-0x0000000000B76000-memory.dmp

memory/1908-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1908-7-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2392-11-0x0000000001260000-0x0000000001276000-memory.dmp

memory/1908-12-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:34

Platform

win10v2004-20240508-en

Max time kernel

595s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3816,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2460-1-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/2460-0-0x00007FFA2FC73000-0x00007FFA2FC75000-memory.dmp

memory/2460-6-0x00007FFA2FC70000-0x00007FFA30731000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2460-9-0x00007FFA2FC73000-0x00007FFA2FC75000-memory.dmp

memory/2116-10-0x00007FFA2FC70000-0x00007FFA30731000-memory.dmp

memory/2116-12-0x00007FFA2FC70000-0x00007FFA30731000-memory.dmp

memory/2460-13-0x00007FFA2FC70000-0x00007FFA30731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:24

Platform

win7-20240221-en

Max time kernel

595s

Max time network

575s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2080 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2080 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F4130778-963B-4957-BC5C-22E16DE2BE70} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp

Files

memory/2164-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

memory/2164-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp

memory/2164-6-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2164-7-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

memory/2164-8-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1452-12-0x0000000000050000-0x0000000000066000-memory.dmp

memory/1604-15-0x00000000002D0000-0x00000000002E6000-memory.dmp

memory/1788-18-0x0000000000D70000-0x0000000000D86000-memory.dmp

memory/1648-20-0x0000000000140000-0x0000000000156000-memory.dmp

memory/2672-22-0x0000000001090000-0x00000000010A6000-memory.dmp

memory/2928-24-0x0000000000210000-0x0000000000226000-memory.dmp

memory/2432-26-0x0000000000F80000-0x0000000000F96000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:24

Platform

win10v2004-20240426-en

Max time kernel

599s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/4676-0-0x00007FF920D63000-0x00007FF920D65000-memory.dmp

memory/4676-1-0x0000000000170000-0x0000000000186000-memory.dmp

memory/4676-6-0x00007FF920D60000-0x00007FF921821000-memory.dmp

memory/4676-7-0x00007FF920D63000-0x00007FF920D65000-memory.dmp

memory/4676-8-0x00007FF920D60000-0x00007FF921821000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/836-11-0x00007FF920D60000-0x00007FF921821000-memory.dmp

memory/836-13-0x00007FF920D60000-0x00007FF921821000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:31

Platform

win7-20240215-en

Max time kernel

583s

Max time network

592s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2956 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2956 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2720 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2720 wrote to memory of 1112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CD469096-C956-45A1-932A-59EDA53A5024} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2956-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

memory/2956-1-0x0000000001190000-0x00000000011A6000-memory.dmp

memory/2956-6-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2912-10-0x00000000011D0000-0x00000000011E6000-memory.dmp

memory/2956-11-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

memory/2956-12-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

memory/2328-15-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/2116-17-0x0000000000E10000-0x0000000000E26000-memory.dmp

memory/1568-23-0x0000000000290000-0x00000000002A6000-memory.dmp

memory/2028-25-0x0000000000B00000-0x0000000000B16000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:35

Platform

win10v2004-20240508-en

Max time kernel

591s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1332-0-0x0000000000340000-0x0000000000356000-memory.dmp

memory/1332-1-0x00007FFEFAF73000-0x00007FFEFAF75000-memory.dmp

memory/1332-6-0x00007FFEFAF70000-0x00007FFEFBA31000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4524-9-0x00007FFEFAF70000-0x00007FFEFBA31000-memory.dmp

memory/4524-11-0x00007FFEFAF70000-0x00007FFEFBA31000-memory.dmp

memory/1332-12-0x00007FFEFAF70000-0x00007FFEFBA31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:36

Platform

win7-20240419-en

Max time kernel

599s

Max time network

585s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2128 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2128 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2480 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2480 wrote to memory of 1768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {ABC4C7A3-256F-4D77-A1AE-592FD633B441} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2128-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/2128-1-0x0000000000390000-0x00000000003A6000-memory.dmp

memory/2128-6-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2128-7-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/2128-8-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2920-12-0x0000000000FF0000-0x0000000001006000-memory.dmp

memory/1500-15-0x00000000013B0000-0x00000000013C6000-memory.dmp

memory/1676-18-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

memory/2228-20-0x0000000000BF0000-0x0000000000C06000-memory.dmp

memory/2780-23-0x00000000002D0000-0x00000000002E6000-memory.dmp

memory/1116-25-0x0000000000E30000-0x0000000000E46000-memory.dmp

memory/528-27-0x0000000000280000-0x0000000000296000-memory.dmp

memory/1768-29-0x00000000008A0000-0x00000000008B6000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:24

Platform

win7-20240508-en

Max time kernel

598s

Max time network

592s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2460 wrote to memory of 1944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9A53350F-ED45-4402-8C5A-69992E39878D} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2168-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

memory/2168-1-0x0000000000240000-0x0000000000256000-memory.dmp

memory/2168-6-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2168-7-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

memory/2168-8-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1944-12-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/2848-15-0x0000000000F10000-0x0000000000F26000-memory.dmp

memory/2924-18-0x0000000000080000-0x0000000000096000-memory.dmp

memory/1696-20-0x0000000000160000-0x0000000000176000-memory.dmp

memory/2792-22-0x0000000000850000-0x0000000000866000-memory.dmp

memory/1328-24-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

memory/2220-27-0x00000000002E0000-0x00000000002F6000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:33

Platform

win7-20240419-en

Max time kernel

589s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2836 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2988 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2284 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2284 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2284 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0332839F-A1AF-4247-BD95-01888FA95731} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2432-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2432-1-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/2432-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2432-7-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2776-11-0x0000000000050000-0x0000000000066000-memory.dmp

memory/2432-12-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2024-15-0x0000000000E10000-0x0000000000E26000-memory.dmp

memory/1844-18-0x00000000012D0000-0x00000000012E6000-memory.dmp

memory/2436-20-0x00000000003F0000-0x0000000000406000-memory.dmp

memory/2408-22-0x00000000001D0000-0x00000000001E6000-memory.dmp

memory/2988-24-0x0000000000C30000-0x0000000000C46000-memory.dmp

memory/1820-26-0x0000000001060000-0x0000000001076000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:34

Platform

win7-20240215-en

Max time kernel

583s

Max time network

596s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1772 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1772 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2964 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1076 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1076 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2964 wrote to memory of 1076 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9D1EE57F-530E-45DA-8E79-14560FADE3C9} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/1772-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/1772-1-0x00000000011B0000-0x00000000011C6000-memory.dmp

memory/1772-6-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2764-10-0x0000000001010000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1772-11-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/1772-12-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/1972-15-0x0000000000290000-0x00000000002A6000-memory.dmp

memory/2092-17-0x0000000000B60000-0x0000000000B76000-memory.dmp

memory/828-19-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/568-21-0x0000000001150000-0x0000000001166000-memory.dmp

memory/2116-24-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/1920-26-0x0000000001290000-0x00000000012A6000-memory.dmp

memory/3032-28-0x0000000000100000-0x0000000000116000-memory.dmp

memory/1076-30-0x0000000000E00000-0x0000000000E16000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win7-20240220-en

Max time kernel

575s

Max time network

585s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2688 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2688 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A181DC95-7723-498E-B83F-F065B77EDB8E} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2040-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

memory/2040-1-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/2040-6-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/892-10-0x00000000012F0000-0x0000000001306000-memory.dmp

memory/2040-11-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

memory/2040-12-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

memory/2792-16-0x00000000013A0000-0x00000000013B6000-memory.dmp

memory/828-19-0x00000000001A0000-0x00000000001B6000-memory.dmp

memory/2220-21-0x00000000002D0000-0x00000000002E6000-memory.dmp

memory/2620-23-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/1684-25-0x0000000000370000-0x0000000000386000-memory.dmp

memory/1964-27-0x0000000000A50000-0x0000000000A66000-memory.dmp

memory/2092-29-0x0000000000070000-0x0000000000086000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:34

Platform

win7-20240508-en

Max time kernel

591s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2484 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2484 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B927F45F-B8FE-42DD-A87F-C7A8687B8DB9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/1068-0-0x000007FEF6053000-0x000007FEF6054000-memory.dmp

memory/1068-1-0x0000000001170000-0x0000000001186000-memory.dmp

memory/1068-6-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

memory/1068-7-0x000007FEF6053000-0x000007FEF6054000-memory.dmp

memory/1068-8-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2556-12-0x0000000000E20000-0x0000000000E36000-memory.dmp

memory/852-18-0x0000000000100000-0x0000000000116000-memory.dmp

memory/2588-20-0x0000000000F20000-0x0000000000F36000-memory.dmp

memory/1912-22-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/924-24-0x0000000000080000-0x0000000000096000-memory.dmp

memory/1236-26-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:35

Platform

win7-20240221-en

Max time kernel

598s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0B54CDA1-FE89-4187-8775-411B62055F88} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1084-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

memory/1084-1-0x0000000000D00000-0x0000000000D16000-memory.dmp

memory/1084-6-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/1084-7-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2692-11-0x0000000000220000-0x0000000000236000-memory.dmp

memory/1084-12-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/1884-15-0x0000000001170000-0x0000000001186000-memory.dmp

memory/2716-18-0x0000000000310000-0x0000000000326000-memory.dmp

memory/2748-20-0x0000000000A90000-0x0000000000AA6000-memory.dmp

memory/2316-22-0x0000000000D60000-0x0000000000D76000-memory.dmp

memory/2776-24-0x00000000001B0000-0x00000000001C6000-memory.dmp

memory/2564-26-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

memory/1436-28-0x0000000000050000-0x0000000000066000-memory.dmp

memory/780-30-0x0000000000990000-0x00000000009A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:23

Platform

win10v2004-20240508-en

Max time kernel

598s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3836,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1532-0-0x00007FFCC2FB3000-0x00007FFCC2FB5000-memory.dmp

memory/1532-1-0x00000000008A0000-0x00000000008B6000-memory.dmp

memory/1532-6-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3952-9-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

memory/3952-11-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

memory/1532-12-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:25

Platform

win10v2004-20240508-en

Max time kernel

589s

Max time network

597s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/4564-1-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp

memory/4564-0-0x0000000000720000-0x0000000000736000-memory.dmp

memory/4564-6-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2452-9-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

memory/4564-10-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

memory/2452-12-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:31

Platform

win7-20231129-en

Max time kernel

599s

Max time network

597s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2244 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2244 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2156 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1672 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 2852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2156 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9CF60FE1-5E11-43E4-9162-0227C9BB69C3} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2244-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2244-1-0x0000000000140000-0x0000000000156000-memory.dmp

memory/2244-6-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2244-7-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2244-8-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1956-12-0x0000000000840000-0x0000000000856000-memory.dmp

memory/1440-15-0x0000000000230000-0x0000000000246000-memory.dmp

memory/676-17-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/1672-19-0x0000000000F60000-0x0000000000F76000-memory.dmp

memory/1776-21-0x0000000000300000-0x0000000000316000-memory.dmp

memory/2604-23-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

memory/776-25-0x0000000000210000-0x0000000000226000-memory.dmp

memory/2852-27-0x0000000000800000-0x0000000000816000-memory.dmp

memory/1660-29-0x00000000013C0000-0x00000000013D6000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:32

Platform

win7-20231129-en

Max time kernel

593s

Max time network

594s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2216 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2216 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2460 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1560 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EAA4BE24-44BA-464D-A9A3-1F4F6F945A54} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2216-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

memory/2216-1-0x0000000000940000-0x0000000000956000-memory.dmp

memory/2216-6-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

memory/2216-7-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

memory/2216-8-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2540-12-0x00000000010C0000-0x00000000010D6000-memory.dmp

memory/2640-15-0x0000000001360000-0x0000000001376000-memory.dmp

memory/2088-19-0x0000000000060000-0x0000000000076000-memory.dmp

memory/2656-21-0x0000000000250000-0x0000000000266000-memory.dmp

memory/2788-23-0x0000000001110000-0x0000000001126000-memory.dmp

memory/1868-25-0x0000000000010000-0x0000000000026000-memory.dmp

memory/268-27-0x0000000000E80000-0x0000000000E96000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:35

Platform

win10v2004-20240508-en

Max time kernel

593s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/5096-0-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/5096-1-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp

memory/5096-6-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2380-9-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp

memory/5096-10-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp

memory/2380-12-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win7-20240221-en

Max time kernel

593s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2412 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1400 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1400 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1400 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2340 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2340 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2340 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 1936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2412 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A3E14A1E-35C8-4F5A-9071-F7EA42BF3984} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/1300-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

memory/1300-1-0x0000000001250000-0x0000000001266000-memory.dmp

memory/1300-6-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/1300-7-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

memory/1300-8-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2376-12-0x0000000001390000-0x00000000013A6000-memory.dmp

memory/2264-22-0x0000000000300000-0x0000000000316000-memory.dmp

memory/2004-24-0x00000000000D0000-0x00000000000E6000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:35

Platform

win7-20240221-en

Max time kernel

589s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2968 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2968 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2812 wrote to memory of 3008 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 3008 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 3008 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1120 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1120 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1120 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2812 wrote to memory of 1140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1351A4B8-89DD-49D2-AF66-3A02A75705C6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2968-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

memory/2968-1-0x0000000000DF0000-0x0000000000E06000-memory.dmp

memory/2968-6-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3008-10-0x0000000000140000-0x0000000000156000-memory.dmp

memory/2968-11-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

memory/2968-12-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/1764-15-0x00000000003D0000-0x00000000003E6000-memory.dmp

memory/2244-17-0x0000000000900000-0x0000000000916000-memory.dmp

memory/1756-19-0x00000000012F0000-0x0000000001306000-memory.dmp

memory/2956-23-0x00000000002A0000-0x00000000002B6000-memory.dmp

memory/404-25-0x00000000012A0000-0x00000000012B6000-memory.dmp

memory/2128-27-0x00000000013D0000-0x00000000013E6000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:24

Platform

win10v2004-20240508-en

Max time kernel

594s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1720,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/860-0-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp

memory/860-1-0x0000000000310000-0x0000000000326000-memory.dmp

memory/860-6-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/860-7-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp

memory/860-8-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4652-11-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/4652-13-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:25

Platform

win7-20240508-en

Max time kernel

577s

Max time network

587s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 3068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 3068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 3068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2616 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2808 wrote to memory of 1732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {115DEEB8-4D27-4ACF-9362-06650A2A66D9} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2208-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

memory/2208-1-0x0000000000B50000-0x0000000000B66000-memory.dmp

memory/2208-6-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2208-7-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

memory/2208-8-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2864-12-0x0000000001320000-0x0000000001336000-memory.dmp

memory/2164-18-0x0000000000350000-0x0000000000366000-memory.dmp

memory/2616-20-0x0000000001290000-0x00000000012A6000-memory.dmp

memory/2836-22-0x00000000013B0000-0x00000000013C6000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:26

Platform

win10v2004-20240508-en

Max time kernel

598s

Max time network

586s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp

Files

memory/4984-0-0x00007FF9A4673000-0x00007FF9A4675000-memory.dmp

memory/4984-1-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

memory/4984-6-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

memory/4984-7-0x00007FF9A4673000-0x00007FF9A4675000-memory.dmp

memory/4984-8-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/5004-11-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

memory/5004-13-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:27

Platform

win10v2004-20240426-en

Max time kernel

599s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/5636-0-0x00000000005D0000-0x00000000005E6000-memory.dmp

memory/5636-1-0x00007FFBE3AE3000-0x00007FFBE3AE5000-memory.dmp

memory/5636-6-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

memory/5636-7-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4056-11-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

memory/4056-13-0x00007FFBE3AE0000-0x00007FFBE45A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 07:45

Reported

2024-06-01 08:32

Platform

win10v2004-20240226-en

Max time kernel

596s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:80 www.microsoft.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 28.190.21.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 166.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 137.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 81.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 35.251.17.2.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/5076-0-0x00007FFA36593000-0x00007FFA36595000-memory.dmp

memory/5076-1-0x0000000000770000-0x0000000000786000-memory.dmp

memory/5076-6-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

memory/5076-7-0x00007FFA36593000-0x00007FFA36595000-memory.dmp

memory/5076-8-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3792-11-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

memory/3792-13-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1