Analysis Overview
SHA256
e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Threat Level: Known bad
The file a ton of ya.zip was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Executes dropped EXE
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:46
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win10v2004-20240508-en
Max time kernel
1195s
Max time network
1200s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1192 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/1192-0-0x00007FFA19513000-0x00007FFA19515000-memory.dmp
memory/1192-1-0x0000000000500000-0x0000000000516000-memory.dmp
memory/1192-6-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp
memory/1192-7-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3476-10-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp
memory/3476-12-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win10v2004-20240508-en
Max time kernel
1196s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4444 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/4444-0-0x0000000000EF0000-0x0000000000F06000-memory.dmp
memory/4444-1-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp
memory/4444-6-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp
memory/4444-7-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp
memory/4444-8-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win7-20240508-en
Max time kernel
1174s
Max time network
1183s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {76725A0A-BB67-4767-AACA-BFA71D2DCA66} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/2008-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp
memory/2008-1-0x00000000003F0000-0x0000000000406000-memory.dmp
memory/2008-6-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
memory/2008-7-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp
memory/2008-8-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2756-12-0x0000000001210000-0x0000000001226000-memory.dmp
memory/2092-16-0x0000000000240000-0x0000000000256000-memory.dmp
memory/644-18-0x0000000000C50000-0x0000000000C66000-memory.dmp
memory/2032-20-0x0000000000370000-0x0000000000386000-memory.dmp
memory/2704-22-0x0000000001330000-0x0000000001346000-memory.dmp
memory/2432-27-0x0000000000340000-0x0000000000356000-memory.dmp
memory/2924-29-0x00000000009C0000-0x00000000009D6000-memory.dmp
memory/2844-31-0x0000000000A40000-0x0000000000A56000-memory.dmp
memory/3064-33-0x0000000000020000-0x0000000000036000-memory.dmp
memory/272-36-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/2000-38-0x00000000010C0000-0x00000000010D6000-memory.dmp
memory/2756-42-0x00000000011D0000-0x00000000011E6000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:09
Platform
win7-20240508-en
Max time kernel
1198s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {1FBA8662-14E1-46E2-9187-DE21AA04780D} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/1872-0-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp
memory/1872-1-0x0000000000B50000-0x0000000000B66000-memory.dmp
memory/1872-6-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/1872-7-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp
memory/1872-8-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1504-13-0x0000000000BB0000-0x0000000000BC6000-memory.dmp
memory/2104-18-0x0000000000100000-0x0000000000116000-memory.dmp
memory/2468-20-0x0000000000C70000-0x0000000000C86000-memory.dmp
memory/604-22-0x00000000011D0000-0x00000000011E6000-memory.dmp
memory/1664-25-0x0000000000170000-0x0000000000186000-memory.dmp
memory/1876-27-0x0000000000F90000-0x0000000000FA6000-memory.dmp
memory/1900-30-0x0000000001120000-0x0000000001136000-memory.dmp
memory/2068-32-0x0000000000210000-0x0000000000226000-memory.dmp
memory/2792-34-0x0000000000C00000-0x0000000000C16000-memory.dmp
memory/1192-36-0x0000000001240000-0x0000000001256000-memory.dmp
memory/2164-39-0x0000000001310000-0x0000000001326000-memory.dmp
memory/2364-41-0x0000000001350000-0x0000000001366000-memory.dmp
memory/2112-43-0x00000000013B0000-0x00000000013C6000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win7-20240508-en
Max time kernel
1191s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9E07370E-E4B8-4AB2-9B3F-C91CA87F04FC} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2180-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
memory/2180-1-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2180-6-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2920-10-0x0000000000F60000-0x0000000000F76000-memory.dmp
memory/2180-11-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
memory/2180-12-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
memory/1436-16-0x00000000002C0000-0x00000000002D6000-memory.dmp
memory/1372-18-0x0000000000F80000-0x0000000000F96000-memory.dmp
memory/1424-20-0x00000000013E0000-0x00000000013F6000-memory.dmp
memory/2960-22-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/2588-24-0x00000000002A0000-0x00000000002B6000-memory.dmp
memory/2128-26-0x0000000000900000-0x0000000000916000-memory.dmp
memory/2308-29-0x00000000001C0000-0x00000000001D6000-memory.dmp
memory/864-31-0x0000000000EF0000-0x0000000000F06000-memory.dmp
memory/2444-33-0x00000000013C0000-0x00000000013D6000-memory.dmp
memory/1868-41-0x0000000000360000-0x0000000000376000-memory.dmp
memory/548-43-0x0000000000350000-0x0000000000366000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win7-20240215-en
Max time kernel
1194s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {83A03422-93CE-4946-92C5-A5AF384EA10B} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2220-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2220-1-0x0000000000CD0000-0x0000000000CE6000-memory.dmp
memory/2220-6-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2220-7-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2220-8-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2376-12-0x0000000000D30000-0x0000000000D46000-memory.dmp
memory/1972-16-0x00000000000C0000-0x00000000000D6000-memory.dmp
memory/2992-18-0x0000000000ED0000-0x0000000000EE6000-memory.dmp
memory/2092-20-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/2128-22-0x0000000000270000-0x0000000000286000-memory.dmp
memory/1372-24-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
memory/1656-26-0x0000000000190000-0x00000000001A6000-memory.dmp
memory/2184-28-0x0000000000BE0000-0x0000000000BF6000-memory.dmp
memory/1696-30-0x0000000000D90000-0x0000000000DA6000-memory.dmp
memory/3020-32-0x00000000013C0000-0x00000000013D6000-memory.dmp
memory/2536-34-0x0000000000080000-0x0000000000096000-memory.dmp
memory/1976-36-0x0000000000A10000-0x0000000000A26000-memory.dmp
memory/2032-38-0x0000000000310000-0x0000000000326000-memory.dmp
memory/2196-40-0x0000000000AA0000-0x0000000000AB6000-memory.dmp
memory/1212-42-0x0000000000BB0000-0x0000000000BC6000-memory.dmp
memory/572-44-0x0000000000CC0000-0x0000000000CD6000-memory.dmp
memory/2588-46-0x0000000000DF0000-0x0000000000E06000-memory.dmp
memory/1456-49-0x00000000001E0000-0x00000000001F6000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win10v2004-20240508-en
Max time kernel
1181s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3948 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3948 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3948-1-0x0000000000C30000-0x0000000000C46000-memory.dmp
memory/3948-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp
memory/3948-6-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/224-9-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/3948-10-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp
memory/224-12-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/3948-13-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:39
Platform
win7-20240220-en
Max time kernel
1175s
Max time network
1185s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {F9716C2E-F4FE-4469-B82E-A0FB2F7B4D4A} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3012-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/3012-1-0x0000000000900000-0x0000000000916000-memory.dmp
memory/3012-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2384-10-0x00000000003A0000-0x00000000003B6000-memory.dmp
memory/3012-11-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/3012-12-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/1512-15-0x0000000000370000-0x0000000000386000-memory.dmp
memory/2696-17-0x0000000000F80000-0x0000000000F96000-memory.dmp
memory/824-23-0x00000000013D0000-0x00000000013E6000-memory.dmp
memory/1420-33-0x0000000000070000-0x0000000000086000-memory.dmp
memory/1436-35-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2384-37-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/944-39-0x00000000002F0000-0x0000000000306000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win10v2004-20240508-en
Max time kernel
1180s
Max time network
1196s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3212 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3212 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3212-0-0x0000000000940000-0x0000000000956000-memory.dmp
memory/3212-1-0x00007FFE97363000-0x00007FFE97365000-memory.dmp
memory/3212-6-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3212-9-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/644-10-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/644-12-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win10v2004-20240426-en
Max time kernel
1199s
Max time network
1178s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2960 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp |
Files
memory/2960-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp
memory/2960-1-0x0000000000960000-0x0000000000976000-memory.dmp
memory/2960-6-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
memory/2960-7-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4616-11-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
memory/4616-13-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win10v2004-20240426-en
Max time kernel
1191s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3616 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3616-0-0x00007FFF27DA3000-0x00007FFF27DA5000-memory.dmp
memory/3616-1-0x00000000006D0000-0x00000000006E6000-memory.dmp
memory/3616-6-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp
memory/3616-7-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4452-10-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp
memory/4452-12-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win10v2004-20240226-en
Max time kernel
1194s
Max time network
1202s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3452 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3452 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.190.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 81.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3452-0-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp
memory/3452-1-0x0000000000270000-0x0000000000286000-memory.dmp
memory/3452-6-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/3452-7-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4184-10-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/4184-12-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win7-20240220-en
Max time kernel
1198s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {7BD54870-1CA9-4483-AE0B-A9097C783A9D} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2784-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2784-1-0x00000000012B0000-0x00000000012C6000-memory.dmp
memory/2784-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
memory/2784-7-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2784-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3048-12-0x0000000000280000-0x0000000000296000-memory.dmp
memory/1932-15-0x00000000002B0000-0x00000000002C6000-memory.dmp
memory/1136-17-0x0000000000CF0000-0x0000000000D06000-memory.dmp
memory/1780-19-0x0000000001270000-0x0000000001286000-memory.dmp
memory/2692-23-0x0000000000360000-0x0000000000376000-memory.dmp
memory/2504-25-0x0000000000990000-0x00000000009A6000-memory.dmp
memory/708-27-0x00000000010F0000-0x0000000001106000-memory.dmp
memory/1964-29-0x00000000012A0000-0x00000000012B6000-memory.dmp
memory/3032-36-0x00000000002D0000-0x00000000002E6000-memory.dmp
memory/308-38-0x0000000001180000-0x0000000001196000-memory.dmp
memory/1532-41-0x0000000000010000-0x0000000000026000-memory.dmp
memory/3016-43-0x00000000009A0000-0x00000000009B6000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win7-20240508-en
Max time kernel
1196s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4B564018-E058-4480-985E-640168E05067} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/1936-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/1936-1-0x00000000000C0000-0x00000000000D6000-memory.dmp
memory/1936-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/1936-7-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/1936-8-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2716-12-0x0000000000200000-0x0000000000216000-memory.dmp
memory/1864-15-0x0000000000830000-0x0000000000846000-memory.dmp
memory/2216-18-0x0000000000CD0000-0x0000000000CE6000-memory.dmp
memory/2084-20-0x0000000000E80000-0x0000000000E96000-memory.dmp
memory/2840-23-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/1520-25-0x0000000000A60000-0x0000000000A76000-memory.dmp
memory/972-28-0x0000000000DA0000-0x0000000000DB6000-memory.dmp
memory/1884-33-0x00000000001A0000-0x00000000001B6000-memory.dmp
memory/292-35-0x0000000000D60000-0x0000000000D76000-memory.dmp
memory/652-38-0x0000000000EF0000-0x0000000000F06000-memory.dmp
memory/2392-41-0x0000000000190000-0x00000000001A6000-memory.dmp
memory/2656-43-0x0000000000980000-0x0000000000996000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:01
Platform
win10v2004-20240508-en
Max time kernel
1188s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4740 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4740 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/4740-0-0x00007FF841563000-0x00007FF841565000-memory.dmp
memory/4740-1-0x00000000003F0000-0x0000000000406000-memory.dmp
memory/4740-6-0x00007FF841560000-0x00007FF842021000-memory.dmp
memory/4740-7-0x00007FF841563000-0x00007FF841565000-memory.dmp
memory/4740-8-0x00007FF841560000-0x00007FF842021000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2756-12-0x00007FF841560000-0x00007FF842021000-memory.dmp
memory/2756-14-0x00007FF841560000-0x00007FF842021000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:09
Platform
win10v2004-20240426-en
Max time kernel
1199s
Max time network
1202s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2340 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/2340-0-0x0000000000CB0000-0x0000000000CC6000-memory.dmp
memory/2340-1-0x00007FFB54763000-0x00007FFB54765000-memory.dmp
memory/2340-6-0x00007FFB54760000-0x00007FFB55221000-memory.dmp
memory/2340-7-0x00007FFB54760000-0x00007FFB55221000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/748-10-0x00007FFB54760000-0x00007FFB55221000-memory.dmp
memory/748-13-0x00007FFB54760000-0x00007FFB55221000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:10
Platform
win10v2004-20240508-en
Max time kernel
1184s
Max time network
1193s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4904 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4904 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/4904-0-0x00007FFDB2F23000-0x00007FFDB2F25000-memory.dmp
memory/4904-1-0x0000000000E60000-0x0000000000E76000-memory.dmp
memory/4904-6-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp
memory/4904-7-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1356-10-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp
memory/1356-12-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win7-20231129-en
Max time kernel
1191s
Max time network
1195s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {A6A32F6D-81CF-44DE-ADE3-7DC584D09303} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2044-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp
memory/2044-1-0x0000000000150000-0x0000000000166000-memory.dmp
memory/2044-6-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp
memory/2044-7-0x000007FEF5163000-0x000007FEF5164000-memory.dmp
memory/2044-8-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2492-12-0x00000000002C0000-0x00000000002D6000-memory.dmp
memory/1884-15-0x0000000000FB0000-0x0000000000FC6000-memory.dmp
memory/2312-17-0x0000000001110000-0x0000000001126000-memory.dmp
memory/1668-19-0x0000000000320000-0x0000000000336000-memory.dmp
memory/3020-21-0x0000000000EE0000-0x0000000000EF6000-memory.dmp
memory/2984-25-0x00000000000D0000-0x00000000000E6000-memory.dmp
memory/384-27-0x0000000000310000-0x0000000000326000-memory.dmp
memory/1108-29-0x0000000001060000-0x0000000001076000-memory.dmp
memory/1124-35-0x0000000000020000-0x0000000000036000-memory.dmp
memory/1976-37-0x0000000000B20000-0x0000000000B36000-memory.dmp
memory/2848-40-0x0000000001160000-0x0000000001176000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:53
Platform
win10v2004-20240226-en
Max time kernel
1200s
Max time network
1202s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1372 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1372 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.16.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/1372-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp
memory/1372-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp
memory/1372-6-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3064-9-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
memory/3064-11-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
memory/1372-12-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp
memory/1372-13-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:01
Platform
win7-20240221-en
Max time kernel
1196s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {EBF6CFD3-15B6-4CD0-90C1-1683C33C74C6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2080-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2080-1-0x0000000000F40000-0x0000000000F56000-memory.dmp
memory/2080-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
memory/2080-7-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2080-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1444-13-0x00000000009C0000-0x00000000009D6000-memory.dmp
memory/872-17-0x0000000000B40000-0x0000000000B56000-memory.dmp
memory/2912-19-0x0000000000DC0000-0x0000000000DD6000-memory.dmp
memory/2564-21-0x0000000001220000-0x0000000001236000-memory.dmp
memory/2956-28-0x0000000000100000-0x0000000000116000-memory.dmp
memory/2004-30-0x0000000000DA0000-0x0000000000DB6000-memory.dmp
memory/2320-32-0x0000000000220000-0x0000000000236000-memory.dmp
memory/2300-34-0x0000000000960000-0x0000000000976000-memory.dmp
memory/2040-36-0x0000000001080000-0x0000000001096000-memory.dmp
memory/2684-39-0x0000000001110000-0x0000000001126000-memory.dmp
memory/1796-41-0x00000000013C0000-0x00000000013D6000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:10
Platform
win10v2004-20240426-en
Max time kernel
1178s
Max time network
1193s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1076 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1076 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/1076-0-0x00007FFF52843000-0x00007FFF52845000-memory.dmp
memory/1076-1-0x0000000000F60000-0x0000000000F76000-memory.dmp
memory/1076-6-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1076-9-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
memory/5000-10-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
memory/5000-12-0x00007FFF52840000-0x00007FFF53301000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:39
Platform
win7-20240221-en
Max time kernel
1188s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9141CE5B-7FD2-43E0-964E-41DE0B482CB6} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2320-0-0x000007FEF5223000-0x000007FEF5224000-memory.dmp
memory/2320-1-0x0000000001170000-0x0000000001186000-memory.dmp
memory/2320-6-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2668-10-0x0000000000DE0000-0x0000000000DF6000-memory.dmp
memory/2320-11-0x000007FEF5223000-0x000007FEF5224000-memory.dmp
memory/2320-12-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp
memory/1704-16-0x0000000000E80000-0x0000000000E96000-memory.dmp
memory/1840-19-0x0000000000FC0000-0x0000000000FD6000-memory.dmp
memory/1568-21-0x0000000001320000-0x0000000001336000-memory.dmp
memory/1564-28-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/1200-32-0x00000000010E0000-0x00000000010F6000-memory.dmp
memory/332-35-0x0000000000050000-0x0000000000066000-memory.dmp
memory/2648-37-0x00000000011A0000-0x00000000011B6000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:40
Platform
win7-20240419-en
Max time kernel
1197s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3A137FFD-265D-4145-8FFA-A882A5BF67C5} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/2288-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp
memory/2288-1-0x0000000000C10000-0x0000000000C26000-memory.dmp
memory/2288-6-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp
memory/2288-7-0x000007FEF6183000-0x000007FEF6184000-memory.dmp
memory/2288-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2704-12-0x0000000000FF0000-0x0000000001006000-memory.dmp
memory/2004-15-0x0000000000110000-0x0000000000126000-memory.dmp
memory/2248-17-0x00000000008D0000-0x00000000008E6000-memory.dmp
memory/1136-19-0x0000000001200000-0x0000000001216000-memory.dmp
memory/2232-21-0x0000000000020000-0x0000000000036000-memory.dmp
memory/2408-23-0x0000000000930000-0x0000000000946000-memory.dmp
memory/3040-25-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/344-27-0x0000000000EE0000-0x0000000000EF6000-memory.dmp
memory/2372-29-0x0000000000FC0000-0x0000000000FD6000-memory.dmp
memory/1780-31-0x00000000000C0000-0x00000000000D6000-memory.dmp
memory/1528-33-0x0000000000B20000-0x0000000000B36000-memory.dmp
memory/2152-35-0x0000000001250000-0x0000000001266000-memory.dmp
memory/2584-43-0x0000000000330000-0x0000000000346000-memory.dmp
memory/2096-45-0x0000000000970000-0x0000000000986000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:53
Platform
win7-20240221-en
Max time kernel
1175s
Max time network
1186s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {1C07B2D7-E760-42D2-B3D8-2341F57345A0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/3048-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp
memory/3048-1-0x00000000000C0000-0x00000000000D6000-memory.dmp
memory/3048-6-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2576-10-0x0000000001350000-0x0000000001366000-memory.dmp
memory/3048-11-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp
memory/3048-12-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
memory/1740-22-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/1884-24-0x0000000001080000-0x0000000001096000-memory.dmp
memory/3000-28-0x0000000001370000-0x0000000001386000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:53
Platform
win7-20240215-en
Max time kernel
1196s
Max time network
1182s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {BD68411E-39B1-4459-A33B-201E696F77E1} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/1844-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp
memory/1844-1-0x0000000001190000-0x00000000011A6000-memory.dmp
memory/1844-6-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/1844-7-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1364-12-0x0000000001230000-0x0000000001246000-memory.dmp
memory/1452-14-0x00000000001C0000-0x00000000001D6000-memory.dmp
memory/568-16-0x00000000013D0000-0x00000000013E6000-memory.dmp
memory/3048-25-0x0000000000340000-0x0000000000356000-memory.dmp
memory/2508-27-0x0000000000EE0000-0x0000000000EF6000-memory.dmp
memory/2832-29-0x0000000000F60000-0x0000000000F76000-memory.dmp
memory/2476-32-0x0000000000FC0000-0x0000000000FD6000-memory.dmp
memory/2316-37-0x00000000010D0000-0x00000000010E6000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win10v2004-20240426-en
Max time kernel
1184s
Max time network
1200s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3028 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3028 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/3028-1-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp
memory/3028-0-0x00000000004F0000-0x0000000000506000-memory.dmp
memory/3028-6-0x00007FF84FA80000-0x00007FF850541000-memory.dmp
memory/3028-7-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp
memory/3028-8-0x00007FF84FA80000-0x00007FF850541000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4136-11-0x00007FF84FA80000-0x00007FF850541000-memory.dmp
memory/4136-13-0x00007FF84FA80000-0x00007FF850541000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win7-20240508-en
Max time kernel
1179s
Max time network
1189s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FFD09C44-6633-4302-B65F-A88D94CAE291} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/2124-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp
memory/2124-1-0x0000000001220000-0x0000000001236000-memory.dmp
memory/2124-6-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
memory/2124-7-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2828-11-0x00000000013D0000-0x00000000013E6000-memory.dmp
memory/2124-12-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
memory/628-17-0x00000000003A0000-0x00000000003B6000-memory.dmp
memory/2296-19-0x0000000000E30000-0x0000000000E46000-memory.dmp
memory/2360-21-0x0000000000110000-0x0000000000126000-memory.dmp
memory/2548-23-0x0000000000150000-0x0000000000166000-memory.dmp
memory/2256-25-0x0000000000920000-0x0000000000936000-memory.dmp
memory/1316-27-0x0000000001350000-0x0000000001366000-memory.dmp
memory/1848-29-0x0000000000170000-0x0000000000186000-memory.dmp
memory/2504-31-0x00000000008C0000-0x00000000008D6000-memory.dmp
memory/1908-33-0x0000000000CB0000-0x0000000000CC6000-memory.dmp
memory/2544-35-0x0000000000040000-0x0000000000056000-memory.dmp
memory/1108-37-0x0000000000E90000-0x0000000000EA6000-memory.dmp
memory/1260-39-0x0000000001110000-0x0000000001126000-memory.dmp
memory/752-42-0x0000000001190000-0x00000000011A6000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:10
Platform
win7-20231129-en
Max time kernel
1179s
Max time network
1190s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {EA30268C-46BB-46E6-87F4-645CD66F5A70} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/2220-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
memory/2220-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp
memory/2220-6-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2220-7-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
memory/2220-8-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2500-12-0x0000000000880000-0x0000000000896000-memory.dmp
memory/1652-15-0x0000000000950000-0x0000000000966000-memory.dmp
memory/2024-17-0x0000000000C50000-0x0000000000C66000-memory.dmp
memory/2980-22-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/876-24-0x0000000001060000-0x0000000001076000-memory.dmp
memory/2928-28-0x0000000000270000-0x0000000000286000-memory.dmp
memory/1816-30-0x0000000000DA0000-0x0000000000DB6000-memory.dmp
memory/2768-32-0x0000000000080000-0x0000000000096000-memory.dmp
memory/2652-34-0x0000000000F70000-0x0000000000F86000-memory.dmp
memory/2812-36-0x0000000001220000-0x0000000001236000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win10v2004-20240508-en
Max time kernel
1180s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1676 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1676 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 52.111.229.48:443 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/1676-1-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmp
memory/1676-0-0x0000000000480000-0x0000000000496000-memory.dmp
memory/1676-6-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/1676-7-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2488-10-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/2488-12-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:39
Platform
win10v2004-20240426-en
Max time kernel
1193s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4668 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4668 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/4668-0-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp
memory/4668-1-0x0000000000030000-0x0000000000046000-memory.dmp
memory/4668-6-0x00007FF974AC0000-0x00007FF975581000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/5016-9-0x00007FF974AC0000-0x00007FF975581000-memory.dmp
memory/5016-11-0x00007FF974AC0000-0x00007FF975581000-memory.dmp
memory/4668-12-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp
memory/4668-13-0x00007FF974AC0000-0x00007FF975581000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 08:41
Platform
win10v2004-20240426-en
Max time kernel
1194s
Max time network
1199s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 804 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 804 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
Files
memory/804-0-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp
memory/804-1-0x0000000000960000-0x0000000000976000-memory.dmp
memory/804-6-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/804-9-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp
memory/3268-10-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/3268-12-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/804-13-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-01 07:46
Reported
2024-06-01 09:00
Platform
win7-20240508-en
Max time kernel
1192s
Max time network
1196s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4022E54A-26B9-4B74-A16C-1287A77FD44F} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | tcp | |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | tcp | |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/2368-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp
memory/2368-1-0x0000000000AE0000-0x0000000000AF6000-memory.dmp
memory/2368-6-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1712-10-0x0000000000A70000-0x0000000000A86000-memory.dmp
memory/2368-11-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
memory/1208-14-0x0000000000D30000-0x0000000000D46000-memory.dmp
memory/3012-16-0x0000000000340000-0x0000000000356000-memory.dmp
memory/2136-18-0x0000000001050000-0x0000000001066000-memory.dmp
memory/856-20-0x0000000001300000-0x0000000001316000-memory.dmp
memory/1824-24-0x00000000002F0000-0x0000000000306000-memory.dmp
memory/3040-26-0x0000000000A50000-0x0000000000A66000-memory.dmp
memory/1728-28-0x0000000000080000-0x0000000000096000-memory.dmp
memory/2236-30-0x00000000001C0000-0x00000000001D6000-memory.dmp
memory/2288-32-0x0000000000170000-0x0000000000186000-memory.dmp
memory/2420-34-0x0000000000910000-0x0000000000926000-memory.dmp
memory/2892-36-0x0000000000A90000-0x0000000000AA6000-memory.dmp
memory/1172-38-0x0000000000BB0000-0x0000000000BC6000-memory.dmp
memory/2968-42-0x0000000000200000-0x0000000000216000-memory.dmp
memory/2604-44-0x0000000001170000-0x0000000001186000-memory.dmp
memory/1912-46-0x0000000001240000-0x0000000001256000-memory.dmp