Malware Analysis Report

2024-11-16 13:42

Sample ID 240601-jly78afc32
Target a ton of ya.zip
SHA256 e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Threat Level: Known bad

The file a ton of ya.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm family

Xworm

Detect Xworm Payload

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:46

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win10v2004-20240508-en

Max time kernel

1195s

Max time network

1200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/1192-0-0x00007FFA19513000-0x00007FFA19515000-memory.dmp

memory/1192-1-0x0000000000500000-0x0000000000516000-memory.dmp

memory/1192-6-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp

memory/1192-7-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3476-10-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp

memory/3476-12-0x00007FFA19510000-0x00007FFA19FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win10v2004-20240508-en

Max time kernel

1196s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/4444-0-0x0000000000EF0000-0x0000000000F06000-memory.dmp

memory/4444-1-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/4444-6-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4444-7-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/4444-8-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win7-20240508-en

Max time kernel

1174s

Max time network

1183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2008 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2008 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 644 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 3064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 3064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 3064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 388 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 2756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2772 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {76725A0A-BB67-4767-AACA-BFA71D2DCA66} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2008-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

memory/2008-1-0x00000000003F0000-0x0000000000406000-memory.dmp

memory/2008-6-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

memory/2008-7-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

memory/2008-8-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2756-12-0x0000000001210000-0x0000000001226000-memory.dmp

memory/2092-16-0x0000000000240000-0x0000000000256000-memory.dmp

memory/644-18-0x0000000000C50000-0x0000000000C66000-memory.dmp

memory/2032-20-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2704-22-0x0000000001330000-0x0000000001346000-memory.dmp

memory/2432-27-0x0000000000340000-0x0000000000356000-memory.dmp

memory/2924-29-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/2844-31-0x0000000000A40000-0x0000000000A56000-memory.dmp

memory/3064-33-0x0000000000020000-0x0000000000036000-memory.dmp

memory/272-36-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/2000-38-0x00000000010C0000-0x00000000010D6000-memory.dmp

memory/2756-42-0x00000000011D0000-0x00000000011E6000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:09

Platform

win7-20240508-en

Max time kernel

1198s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1872 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1872 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 804 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 804 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 804 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1192 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1192 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 1192 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2164 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2304 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1FBA8662-14E1-46E2-9187-DE21AA04780D} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/1872-0-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

memory/1872-1-0x0000000000B50000-0x0000000000B66000-memory.dmp

memory/1872-6-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

memory/1872-7-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

memory/1872-8-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1504-13-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

memory/2104-18-0x0000000000100000-0x0000000000116000-memory.dmp

memory/2468-20-0x0000000000C70000-0x0000000000C86000-memory.dmp

memory/604-22-0x00000000011D0000-0x00000000011E6000-memory.dmp

memory/1664-25-0x0000000000170000-0x0000000000186000-memory.dmp

memory/1876-27-0x0000000000F90000-0x0000000000FA6000-memory.dmp

memory/1900-30-0x0000000001120000-0x0000000001136000-memory.dmp

memory/2068-32-0x0000000000210000-0x0000000000226000-memory.dmp

memory/2792-34-0x0000000000C00000-0x0000000000C16000-memory.dmp

memory/1192-36-0x0000000001240000-0x0000000001256000-memory.dmp

memory/2164-39-0x0000000001310000-0x0000000001326000-memory.dmp

memory/2364-41-0x0000000001350000-0x0000000001366000-memory.dmp

memory/2112-43-0x00000000013B0000-0x00000000013C6000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win7-20240508-en

Max time kernel

1191s

Max time network

1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2180 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2180 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2748 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1424 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1424 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1424 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 552 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 552 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 552 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 2208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2748 wrote to memory of 548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9E07370E-E4B8-4AB2-9B3F-C91CA87F04FC} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2180-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

memory/2180-1-0x0000000000B90000-0x0000000000BA6000-memory.dmp

memory/2180-6-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2920-10-0x0000000000F60000-0x0000000000F76000-memory.dmp

memory/2180-11-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

memory/2180-12-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

memory/1436-16-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/1372-18-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/1424-20-0x00000000013E0000-0x00000000013F6000-memory.dmp

memory/2960-22-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2588-24-0x00000000002A0000-0x00000000002B6000-memory.dmp

memory/2128-26-0x0000000000900000-0x0000000000916000-memory.dmp

memory/2308-29-0x00000000001C0000-0x00000000001D6000-memory.dmp

memory/864-31-0x0000000000EF0000-0x0000000000F06000-memory.dmp

memory/2444-33-0x00000000013C0000-0x00000000013D6000-memory.dmp

memory/1868-41-0x0000000000360000-0x0000000000376000-memory.dmp

memory/548-43-0x0000000000350000-0x0000000000366000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win7-20240215-en

Max time kernel

1194s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2616 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2376 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2992 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2992 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2992 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1212 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2616 wrote to memory of 1456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {83A03422-93CE-4946-92C5-A5AF384EA10B} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2220-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/2220-1-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

memory/2220-6-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2220-7-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/2220-8-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2376-12-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/1972-16-0x00000000000C0000-0x00000000000D6000-memory.dmp

memory/2992-18-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

memory/2092-20-0x00000000003B0000-0x00000000003C6000-memory.dmp

memory/2128-22-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1372-24-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

memory/1656-26-0x0000000000190000-0x00000000001A6000-memory.dmp

memory/2184-28-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

memory/1696-30-0x0000000000D90000-0x0000000000DA6000-memory.dmp

memory/3020-32-0x00000000013C0000-0x00000000013D6000-memory.dmp

memory/2536-34-0x0000000000080000-0x0000000000096000-memory.dmp

memory/1976-36-0x0000000000A10000-0x0000000000A26000-memory.dmp

memory/2032-38-0x0000000000310000-0x0000000000326000-memory.dmp

memory/2196-40-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

memory/1212-42-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

memory/572-44-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/2588-46-0x0000000000DF0000-0x0000000000E06000-memory.dmp

memory/1456-49-0x00000000001E0000-0x00000000001F6000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win10v2004-20240508-en

Max time kernel

1181s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3948-1-0x0000000000C30000-0x0000000000C46000-memory.dmp

memory/3948-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/3948-6-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/224-9-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3948-10-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/224-12-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3948-13-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:39

Platform

win7-20240220-en

Max time kernel

1175s

Max time network

1185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3012 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3012 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2916 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2860 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2748 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2792 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2428 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2428 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2428 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 944 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F9716C2E-F4FE-4469-B82E-A0FB2F7B4D4A} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3012-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3012-1-0x0000000000900000-0x0000000000916000-memory.dmp

memory/3012-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2384-10-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/3012-11-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3012-12-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1512-15-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2696-17-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/824-23-0x00000000013D0000-0x00000000013E6000-memory.dmp

memory/1420-33-0x0000000000070000-0x0000000000086000-memory.dmp

memory/1436-35-0x0000000000B90000-0x0000000000BA6000-memory.dmp

memory/2384-37-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/944-39-0x00000000002F0000-0x0000000000306000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win10v2004-20240508-en

Max time kernel

1180s

Max time network

1196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3212-0-0x0000000000940000-0x0000000000956000-memory.dmp

memory/3212-1-0x00007FFE97363000-0x00007FFE97365000-memory.dmp

memory/3212-6-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3212-9-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/644-10-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/644-12-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win10v2004-20240426-en

Max time kernel

1199s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp

Files

memory/2960-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp

memory/2960-1-0x0000000000960000-0x0000000000976000-memory.dmp

memory/2960-6-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/2960-7-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4616-11-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/4616-13-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win10v2004-20240426-en

Max time kernel

1191s

Max time network

1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3616-0-0x00007FFF27DA3000-0x00007FFF27DA5000-memory.dmp

memory/3616-1-0x00000000006D0000-0x00000000006E6000-memory.dmp

memory/3616-6-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp

memory/3616-7-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4452-10-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp

memory/4452-12-0x00007FFF27DA0000-0x00007FFF28861000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win10v2004-20240226-en

Max time kernel

1194s

Max time network

1202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:80 www.microsoft.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 28.190.21.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 166.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 81.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3452-0-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

memory/3452-1-0x0000000000270000-0x0000000000286000-memory.dmp

memory/3452-6-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/3452-7-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4184-10-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/4184-12-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win7-20240220-en

Max time kernel

1198s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2784 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2784 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2508 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 308 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1532 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1532 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 1532 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2508 wrote to memory of 3016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7BD54870-1CA9-4483-AE0B-A9097C783A9D} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2784-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2784-1-0x00000000012B0000-0x00000000012C6000-memory.dmp

memory/2784-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

memory/2784-7-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2784-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3048-12-0x0000000000280000-0x0000000000296000-memory.dmp

memory/1932-15-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/1136-17-0x0000000000CF0000-0x0000000000D06000-memory.dmp

memory/1780-19-0x0000000001270000-0x0000000001286000-memory.dmp

memory/2692-23-0x0000000000360000-0x0000000000376000-memory.dmp

memory/2504-25-0x0000000000990000-0x00000000009A6000-memory.dmp

memory/708-27-0x00000000010F0000-0x0000000001106000-memory.dmp

memory/1964-29-0x00000000012A0000-0x00000000012B6000-memory.dmp

memory/3032-36-0x00000000002D0000-0x00000000002E6000-memory.dmp

memory/308-38-0x0000000001180000-0x0000000001196000-memory.dmp

memory/1532-41-0x0000000000010000-0x0000000000026000-memory.dmp

memory/3016-43-0x00000000009A0000-0x00000000009B6000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win7-20240508-en

Max time kernel

1196s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1936 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1936 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2136 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2116 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2084 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2084 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2084 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 972 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 292 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1160 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2136 wrote to memory of 2656 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4B564018-E058-4480-985E-640168E05067} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/1936-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/1936-1-0x00000000000C0000-0x00000000000D6000-memory.dmp

memory/1936-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1936-7-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/1936-8-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2716-12-0x0000000000200000-0x0000000000216000-memory.dmp

memory/1864-15-0x0000000000830000-0x0000000000846000-memory.dmp

memory/2216-18-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

memory/2084-20-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/2840-23-0x00000000003B0000-0x00000000003C6000-memory.dmp

memory/1520-25-0x0000000000A60000-0x0000000000A76000-memory.dmp

memory/972-28-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/1884-33-0x00000000001A0000-0x00000000001B6000-memory.dmp

memory/292-35-0x0000000000D60000-0x0000000000D76000-memory.dmp

memory/652-38-0x0000000000EF0000-0x0000000000F06000-memory.dmp

memory/2392-41-0x0000000000190000-0x00000000001A6000-memory.dmp

memory/2656-43-0x0000000000980000-0x0000000000996000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:01

Platform

win10v2004-20240508-en

Max time kernel

1188s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/4740-0-0x00007FF841563000-0x00007FF841565000-memory.dmp

memory/4740-1-0x00000000003F0000-0x0000000000406000-memory.dmp

memory/4740-6-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/4740-7-0x00007FF841563000-0x00007FF841565000-memory.dmp

memory/4740-8-0x00007FF841560000-0x00007FF842021000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2756-12-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/2756-14-0x00007FF841560000-0x00007FF842021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:09

Platform

win10v2004-20240426-en

Max time kernel

1199s

Max time network

1202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2340-0-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

memory/2340-1-0x00007FFB54763000-0x00007FFB54765000-memory.dmp

memory/2340-6-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

memory/2340-7-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/748-10-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

memory/748-13-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:10

Platform

win10v2004-20240508-en

Max time kernel

1184s

Max time network

1193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/4904-0-0x00007FFDB2F23000-0x00007FFDB2F25000-memory.dmp

memory/4904-1-0x0000000000E60000-0x0000000000E76000-memory.dmp

memory/4904-6-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

memory/4904-7-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1356-10-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

memory/1356-12-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win7-20231129-en

Max time kernel

1191s

Max time network

1195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2044 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2044 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2644 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 3020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1220 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 384 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1744 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1744 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1744 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 1016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2644 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A6A32F6D-81CF-44DE-ADE3-7DC584D09303} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2044-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

memory/2044-1-0x0000000000150000-0x0000000000166000-memory.dmp

memory/2044-6-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/2044-7-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

memory/2044-8-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2492-12-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/1884-15-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

memory/2312-17-0x0000000001110000-0x0000000001126000-memory.dmp

memory/1668-19-0x0000000000320000-0x0000000000336000-memory.dmp

memory/3020-21-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

memory/2984-25-0x00000000000D0000-0x00000000000E6000-memory.dmp

memory/384-27-0x0000000000310000-0x0000000000326000-memory.dmp

memory/1108-29-0x0000000001060000-0x0000000001076000-memory.dmp

memory/1124-35-0x0000000000020000-0x0000000000036000-memory.dmp

memory/1976-37-0x0000000000B20000-0x0000000000B36000-memory.dmp

memory/2848-40-0x0000000001160000-0x0000000001176000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:53

Platform

win10v2004-20240226-en

Max time kernel

1200s

Max time network

1202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/1372-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

memory/1372-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp

memory/1372-6-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3064-9-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

memory/3064-11-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

memory/1372-12-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

memory/1372-13-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:01

Platform

win7-20240221-en

Max time kernel

1196s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2080 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2080 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2200 wrote to memory of 1444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 872 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 872 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 872 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1396 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1396 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1396 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2320 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2064 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2200 wrote to memory of 1796 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EBF6CFD3-15B6-4CD0-90C1-1683C33C74C6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2080-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2080-1-0x0000000000F40000-0x0000000000F56000-memory.dmp

memory/2080-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

memory/2080-7-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2080-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1444-13-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/872-17-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/2912-19-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

memory/2564-21-0x0000000001220000-0x0000000001236000-memory.dmp

memory/2956-28-0x0000000000100000-0x0000000000116000-memory.dmp

memory/2004-30-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/2320-32-0x0000000000220000-0x0000000000236000-memory.dmp

memory/2300-34-0x0000000000960000-0x0000000000976000-memory.dmp

memory/2040-36-0x0000000001080000-0x0000000001096000-memory.dmp

memory/2684-39-0x0000000001110000-0x0000000001126000-memory.dmp

memory/1796-41-0x00000000013C0000-0x00000000013D6000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:10

Platform

win10v2004-20240426-en

Max time kernel

1178s

Max time network

1193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/1076-0-0x00007FFF52843000-0x00007FFF52845000-memory.dmp

memory/1076-1-0x0000000000F60000-0x0000000000F76000-memory.dmp

memory/1076-6-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1076-9-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

memory/5000-10-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

memory/5000-12-0x00007FFF52840000-0x00007FFF53301000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:39

Platform

win7-20240221-en

Max time kernel

1188s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2320 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2320 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2536 wrote to memory of 2668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 840 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2772 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1200 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1200 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 1200 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2648 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2536 wrote to memory of 612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9141CE5B-7FD2-43E0-964E-41DE0B482CB6} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2320-0-0x000007FEF5223000-0x000007FEF5224000-memory.dmp

memory/2320-1-0x0000000001170000-0x0000000001186000-memory.dmp

memory/2320-6-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2668-10-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

memory/2320-11-0x000007FEF5223000-0x000007FEF5224000-memory.dmp

memory/2320-12-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

memory/1704-16-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/1840-19-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

memory/1568-21-0x0000000001320000-0x0000000001336000-memory.dmp

memory/1564-28-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/1200-32-0x00000000010E0000-0x00000000010F6000-memory.dmp

memory/332-35-0x0000000000050000-0x0000000000066000-memory.dmp

memory/2648-37-0x00000000011A0000-0x00000000011B6000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:40

Platform

win7-20240419-en

Max time kernel

1197s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2288 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2288 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2556 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2248 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2248 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2248 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2152 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2092 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 1920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2584 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2584 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2584 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2556 wrote to memory of 2096 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A137FFD-265D-4145-8FFA-A882A5BF67C5} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2288-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

memory/2288-1-0x0000000000C10000-0x0000000000C26000-memory.dmp

memory/2288-6-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2288-7-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

memory/2288-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2704-12-0x0000000000FF0000-0x0000000001006000-memory.dmp

memory/2004-15-0x0000000000110000-0x0000000000126000-memory.dmp

memory/2248-17-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/1136-19-0x0000000001200000-0x0000000001216000-memory.dmp

memory/2232-21-0x0000000000020000-0x0000000000036000-memory.dmp

memory/2408-23-0x0000000000930000-0x0000000000946000-memory.dmp

memory/3040-25-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/344-27-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

memory/2372-29-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

memory/1780-31-0x00000000000C0000-0x00000000000D6000-memory.dmp

memory/1528-33-0x0000000000B20000-0x0000000000B36000-memory.dmp

memory/2152-35-0x0000000001250000-0x0000000001266000-memory.dmp

memory/2584-43-0x0000000000330000-0x0000000000346000-memory.dmp

memory/2096-45-0x0000000000970000-0x0000000000986000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:53

Platform

win7-20240221-en

Max time kernel

1175s

Max time network

1186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 636 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 332 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2864 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2788 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 312 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2636 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1C07B2D7-E760-42D2-B3D8-2341F57345A0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/3048-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/3048-1-0x00000000000C0000-0x00000000000D6000-memory.dmp

memory/3048-6-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2576-10-0x0000000001350000-0x0000000001366000-memory.dmp

memory/3048-11-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/3048-12-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/1740-22-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/1884-24-0x0000000001080000-0x0000000001096000-memory.dmp

memory/3000-28-0x0000000001370000-0x0000000001386000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:53

Platform

win7-20240215-en

Max time kernel

1196s

Max time network

1182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1844 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1844 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2368 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 760 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2832 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1204 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1204 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1204 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2476 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2476 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2476 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2368 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BD68411E-39B1-4459-A33B-201E696F77E1} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1844-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

memory/1844-1-0x0000000001190000-0x00000000011A6000-memory.dmp

memory/1844-6-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/1844-7-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1364-12-0x0000000001230000-0x0000000001246000-memory.dmp

memory/1452-14-0x00000000001C0000-0x00000000001D6000-memory.dmp

memory/568-16-0x00000000013D0000-0x00000000013E6000-memory.dmp

memory/3048-25-0x0000000000340000-0x0000000000356000-memory.dmp

memory/2508-27-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

memory/2832-29-0x0000000000F60000-0x0000000000F76000-memory.dmp

memory/2476-32-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

memory/2316-37-0x00000000010D0000-0x00000000010E6000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win10v2004-20240426-en

Max time kernel

1184s

Max time network

1200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/3028-1-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp

memory/3028-0-0x00000000004F0000-0x0000000000506000-memory.dmp

memory/3028-6-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

memory/3028-7-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp

memory/3028-8-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4136-11-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

memory/4136-13-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win7-20240508-en

Max time kernel

1179s

Max time network

1189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2124 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2124 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2736 wrote to memory of 2828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2828 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1848 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2736 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FFD09C44-6633-4302-B65F-A88D94CAE291} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2124-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

memory/2124-1-0x0000000001220000-0x0000000001236000-memory.dmp

memory/2124-6-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/2124-7-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2828-11-0x00000000013D0000-0x00000000013E6000-memory.dmp

memory/2124-12-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/628-17-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/2296-19-0x0000000000E30000-0x0000000000E46000-memory.dmp

memory/2360-21-0x0000000000110000-0x0000000000126000-memory.dmp

memory/2548-23-0x0000000000150000-0x0000000000166000-memory.dmp

memory/2256-25-0x0000000000920000-0x0000000000936000-memory.dmp

memory/1316-27-0x0000000001350000-0x0000000001366000-memory.dmp

memory/1848-29-0x0000000000170000-0x0000000000186000-memory.dmp

memory/2504-31-0x00000000008C0000-0x00000000008D6000-memory.dmp

memory/1908-33-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

memory/2544-35-0x0000000000040000-0x0000000000056000-memory.dmp

memory/1108-37-0x0000000000E90000-0x0000000000EA6000-memory.dmp

memory/1260-39-0x0000000001110000-0x0000000001126000-memory.dmp

memory/752-42-0x0000000001190000-0x00000000011A6000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:10

Platform

win7-20231129-en

Max time kernel

1179s

Max time network

1190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2220 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2220 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 820 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2652 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 328 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2632 wrote to memory of 1488 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EA30268C-46BB-46E6-87F4-645CD66F5A70} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2220-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2220-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/2220-6-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2220-7-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2220-8-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2500-12-0x0000000000880000-0x0000000000896000-memory.dmp

memory/1652-15-0x0000000000950000-0x0000000000966000-memory.dmp

memory/2024-17-0x0000000000C50000-0x0000000000C66000-memory.dmp

memory/2980-22-0x00000000000B0000-0x00000000000C6000-memory.dmp

memory/876-24-0x0000000001060000-0x0000000001076000-memory.dmp

memory/2928-28-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1816-30-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/2768-32-0x0000000000080000-0x0000000000096000-memory.dmp

memory/2652-34-0x0000000000F70000-0x0000000000F86000-memory.dmp

memory/2812-36-0x0000000001220000-0x0000000001236000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win10v2004-20240508-en

Max time kernel

1180s

Max time network

1197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 52.111.229.48:443 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1676-1-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmp

memory/1676-0-0x0000000000480000-0x0000000000496000-memory.dmp

memory/1676-6-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

memory/1676-7-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2488-10-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

memory/2488-12-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:39

Platform

win10v2004-20240426-en

Max time kernel

1193s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/4668-0-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp

memory/4668-1-0x0000000000030000-0x0000000000046000-memory.dmp

memory/4668-6-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/5016-9-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

memory/5016-11-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

memory/4668-12-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp

memory/4668-13-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 08:41

Platform

win10v2004-20240426-en

Max time kernel

1194s

Max time network

1199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/804-0-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

memory/804-1-0x0000000000960000-0x0000000000976000-memory.dmp

memory/804-6-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/804-9-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

memory/3268-10-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

memory/3268-12-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

memory/804-13-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 07:46

Reported

2024-06-01 09:00

Platform

win7-20240508-en

Max time kernel

1192s

Max time network

1196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2368 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2368 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2624 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1208 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 856 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1888 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2236 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2288 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2288 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2288 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2892 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1172 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2920 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2624 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4022E54A-26B9-4B74-A16C-1287A77FD44F} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2368-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

memory/2368-1-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

memory/2368-6-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1712-10-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/2368-11-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/1208-14-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/3012-16-0x0000000000340000-0x0000000000356000-memory.dmp

memory/2136-18-0x0000000001050000-0x0000000001066000-memory.dmp

memory/856-20-0x0000000001300000-0x0000000001316000-memory.dmp

memory/1824-24-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/3040-26-0x0000000000A50000-0x0000000000A66000-memory.dmp

memory/1728-28-0x0000000000080000-0x0000000000096000-memory.dmp

memory/2236-30-0x00000000001C0000-0x00000000001D6000-memory.dmp

memory/2288-32-0x0000000000170000-0x0000000000186000-memory.dmp

memory/2420-34-0x0000000000910000-0x0000000000926000-memory.dmp

memory/2892-36-0x0000000000A90000-0x0000000000AA6000-memory.dmp

memory/1172-38-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

memory/2968-42-0x0000000000200000-0x0000000000216000-memory.dmp

memory/2604-44-0x0000000001170000-0x0000000001186000-memory.dmp

memory/1912-46-0x0000000001240000-0x0000000001256000-memory.dmp