Malware Analysis Report

2024-11-16 13:40

Sample ID: 240601-jm5fmaed9y
Target: a ton of ya.zip
SHA256: e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Tags: xworm, persistence, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, in report order: behavioral10, behavioral13, behavioral30, behavioral32, behavioral6, behavioral18, behavioral21, behavioral31, behavioral4, behavioral9, behavioral11, behavioral1, behavioral5, behavioral8, behavioral12, behavioral16, behavioral20, behavioral15, behavioral23, behavioral14, behavioral17, behavioral22, behavioral25, behavioral3, behavioral7, behavioral19, behavioral26, behavioral28, behavioral2, behavioral24, behavioral27, behavioral29 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Threat Level: Known bad

The file a ton of ya.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Detect Xworm Payload

Xworm

Xworm family

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:48

Signatures

Detect Xworm Payload

Fired 32 times; no indicator, process or target recorded for this static signature.

Xworm family

xworm

Unsigned PE

Fired 32 times; no indicator, process or target recorded for this static signature.

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe
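
Editor's note and added example (this code is not part of the sandbox output): the three persistence mechanisms recorded for this analysis, and repeated in every behavioral analysis below, should be read together. The schtasks command line creates a task named uwumonster that re-launches C:\Users\Admin\AppData\Local\uwumonster.exe every minute with /RL HIGHEST, so killing the process does not remove the implant; the Run value and the Startup-folder .lnk survive a reboot. The Python below parses event lines of the kind shown in this section (constructed samples copied from the tables above, plus one benign scheduled task invented for contrast) and reports when the same artifact is anchored by two or more mechanisms. The path heuristic (AppData, Temp, ProgramData and Users\Public treated as user-writable) and the five-minute watchdog threshold are the editor's choices, not sandbox logic.

```python
import re
from collections import defaultdict

# Constructed sample events copied from this section's Processes / Signatures tables,
# plus one benign scheduled task (editor's invention) that must not be flagged.
SAMPLE_EVENTS = [
    ("process", r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'),
    ("registry", r'\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"'),
    ("file", r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk'),
    ("process", r'"C:\Windows\System32\schtasks.exe" /create /tn "Updater" /sc daily /st 09:00 /tr "C:\Program Files\Vendor\update.exe"'),
]

# Editor's heuristics, not sandbox logic.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
MAX_WATCHDOG_MINUTES = 5
TOKEN = re.compile(r'"[^"]*"|\S+')
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\(\S+) = "(.*)"$', re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)

def finding(mechanism, path, reasons):
    """One persistence finding; 'artifact' is the file stem used for correlation."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    return {"mechanism": mechanism, "artifact": stem, "path": path, "reasons": reasons}

def parse_schtasks(cmdline):
    """Split a schtasks command line into (image, {switch: value or True})."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    args, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 1  # value consumed
            else:
                args[key] = True
        i += 1
    return (tokens[0] if tokens else ""), args

def check_schtasks(cmdline):
    image, a = parse_schtasks(cmdline)
    if not image.lower().endswith("schtasks.exe") or "create" not in a or "tr" not in a:
        return None
    try:
        every = int(a.get("mo", 1))
    except ValueError:
        every = None
    reasons = []
    if str(a.get("sc", "")).lower() == "minute" and every is not None and every <= MAX_WATCHDOG_MINUTES:
        reasons.append(f"re-launched every {every} minute(s): watchdog-style persistence")
    if str(a.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: runs at the creator's highest available integrity level")
    if USER_WRITABLE.search(str(a["tr"])):
        reasons.append("task action lives in a user-writable directory")
    if "f" in a:
        reasons.append("/f silently replaces any existing task of the same name")
    return finding("scheduled_task", str(a["tr"]), reasons) if reasons else None

def check_run_key(event):
    m = RUN_VALUE.search(event)
    if not m:
        return None
    name, target = m.group(1), m.group(2).replace("\\\\", "\\")  # undo doubled backslashes
    reasons = [f"Run value '{name}' added"]
    if USER_WRITABLE.search(target):
        reasons.append("target lives in a user-writable directory")
    return finding("run_key", target, reasons)

def check_startup_file(path):
    if not STARTUP_DIR.search(path):
        return None
    return finding("startup_folder", path, ["dropped into the per-user Startup folder"])

CHECKS = {"process": check_schtasks, "registry": check_run_key, "file": check_startup_file}

def analyze(events):
    out = []
    for kind, payload in events:
        f = CHECKS[kind](payload) if kind in CHECKS else None
        if f:
            out.append(f)
    return out

def correlate(findings):
    """Artifacts anchored by two or more distinct persistence mechanisms."""
    by_artifact = defaultdict(set)
    for f in findings:
        by_artifact[f["artifact"]].add(f["mechanism"])
    return {a: sorted(m) for a, m in by_artifact.items() if len(m) >= 2}

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['mechanism']}] {f['path']}: " + "; ".join(f["reasons"]))
    print("layered persistence:", correlate(found))
```

On the report's own events the task, the Run value and the .lnk all resolve to the artifact "uwumonster", so the correlation step reports one artifact with three mechanisms; the benign daily task under Program Files produces no finding at all.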

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/2964-0-0x00007FFD7CDF3000-0x00007FFD7CDF5000-memory.dmp

memory/2964-1-0x0000000000570000-0x0000000000586000-memory.dmp

memory/2964-6-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4804-9-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp

memory/4804-11-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp

memory/2964-12-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/3892-0-0x00007FFDC7053000-0x00007FFDC7055000-memory.dmp

memory/3892-1-0x0000000000340000-0x0000000000356000-memory.dmp

memory/3892-6-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1816-9-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp

memory/1816-11-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp

memory/3892-12-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2140 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
IE 52.111.236.21:443 tcp

Files

memory/2140-0-0x00007FFAF7653000-0x00007FFAF7655000-memory.dmp

memory/2140-1-0x0000000000970000-0x0000000000986000-memory.dmp

memory/2140-6-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2260-9-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

memory/2260-11-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

memory/2140-12-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4832-0-0x00007FFCC9EB3000-0x00007FFCC9EB5000-memory.dmp

memory/4832-1-0x0000000000140000-0x0000000000156000-memory.dmp

memory/4832-6-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1260-9-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp

memory/1260-11-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp

memory/4832-12-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4056-0-0x00007FF8DE4D3000-0x00007FF8DE4D5000-memory.dmp

memory/4056-1-0x0000000000080000-0x0000000000096000-memory.dmp

memory/4056-6-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2792-9-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp

memory/2792-11-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp

memory/4056-12-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/1016-0-0x00007FF9B0373000-0x00007FF9B0375000-memory.dmp

memory/1016-1-0x0000000000980000-0x0000000000996000-memory.dmp

memory/1016-6-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3760-9-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

memory/3760-11-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

memory/1016-12-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Fired 2 times; no indicator, process or target recorded.

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/1276-0-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp

memory/1276-1-0x0000000000100000-0x0000000000116000-memory.dmp

memory/1276-6-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2228-9-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp

memory/1276-10-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp

memory/2228-12-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp

memory/1276-13-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral31

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 150s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 5016 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/5016-0-0x00007FFAD9D13000-0x00007FFAD9D15000-memory.dmp

memory/5016-1-0x0000000000FF0000-0x0000000001006000-memory.dmp

memory/5016-6-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/412-9-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp

memory/412-11-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp

memory/5016-12-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 52.111.229.19:443 tcp

Files

memory/3456-0-0x00007FFD2CCF3000-0x00007FFD2CCF5000-memory.dmp

memory/3456-1-0x0000000000D80000-0x0000000000D96000-memory.dmp

memory/3456-6-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3924-9-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp

memory/3924-11-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp

memory/3456-12-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral9

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4896-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

memory/4896-1-0x0000000000680000-0x0000000000696000-memory.dmp

memory/4896-6-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3272-9-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/3272-11-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/4896-12-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

memory/4896-13-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 140s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4308-1-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

memory/4308-0-0x00007FFF43553000-0x00007FFF43555000-memory.dmp

memory/4308-6-0x00007FFF43550000-0x00007FFF44012000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2756-9-0x00007FFF43550000-0x00007FFF44012000-memory.dmp

memory/2756-11-0x00007FFF43550000-0x00007FFF44012000-memory.dmp

memory/4308-12-0x00007FFF43553000-0x00007FFF43555000-memory.dmp

memory/4308-13-0x00007FFF43550000-0x00007FFF44012000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 147s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/3016-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp

memory/3016-1-0x0000000000110000-0x0000000000126000-memory.dmp

memory/3016-6-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1600-9-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/1600-11-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/3016-12-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp

memory/3016-13-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 142s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
NL 52.111.243.29:443 tcp

Files

memory/956-0-0x00007FFE88013000-0x00007FFE88015000-memory.dmp

memory/956-1-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/956-6-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4060-9-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

memory/956-10-0x00007FFE88013000-0x00007FFE88015000-memory.dmp

memory/4060-12-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

memory/956-13-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral8

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 146s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 52.111.229.43:443 tcp

Files

memory/2164-0-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp

memory/2164-1-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

memory/2164-6-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/5068-9-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp

memory/5068-11-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp

memory/2164-12-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp

memory/2164-13-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral12

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4176-0-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

memory/4176-1-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

memory/4176-6-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3880-9-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/3880-11-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/4176-12-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

memory/4176-13-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral16

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 52.111.229.19:443 tcp

Files

memory/3716-0-0x00007FFD03473000-0x00007FFD03475000-memory.dmp

memory/3716-1-0x0000000000A30000-0x0000000000A46000-memory.dmp

memory/3716-6-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3860-9-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/3860-11-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/3716-12-0x00007FFD03473000-0x00007FFD03475000-memory.dmp

memory/3716-13-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral20

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2624-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/2624-1-0x0000000000020000-0x0000000000036000-memory.dmp

memory/2624-6-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1532-9-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/1532-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2624-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral15

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 139s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/3368-0-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp

memory/3368-1-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

memory/3368-6-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2192-9-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/2192-11-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3368-12-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral23

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 147s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4432-0-0x00007FFB21613000-0x00007FFB21615000-memory.dmp

memory/4432-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp

memory/4432-6-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1104-9-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp

memory/1104-11-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp

memory/4432-12-0x00007FFB21613000-0x00007FFB21615000-memory.dmp

memory/4432-13-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral14

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 146s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/1852-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp

memory/1852-1-0x0000000000330000-0x0000000000346000-memory.dmp

memory/1852-6-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1832-9-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/1832-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/1852-12-0x00007FFA49283000-0x00007FFA49285000-memory.dmp

memory/1852-13-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240419-en
Max time kernel 137s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/436-0-0x00007FF84EE23000-0x00007FF84EE25000-memory.dmp

memory/436-1-0x0000000000760000-0x0000000000776000-memory.dmp

memory/436-6-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2984-9-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/2984-11-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/436-12-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral22

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240508-en
Max time kernel 141s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3616-0-0x00007FF8AF253000-0x00007FF8AF255000-memory.dmp

memory/3616-1-0x0000000000090000-0x00000000000A6000-memory.dmp

memory/3616-6-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1480-9-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp

memory/1480-11-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp

memory/3616-12-0x00007FF8AF253000-0x00007FF8AF255000-memory.dmp

memory/3616-13-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral25

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:51
Platform win11-20240426-en
Max time kernel 148s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/3144-0-0x00007FF84CE13000-0x00007FF84CE15000-memory.dmp

memory/3144-1-0x0000000000780000-0x0000000000796000-memory.dmp

memory/3144-6-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4496-9-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

memory/4496-11-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

memory/3144-12-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240419-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/2772-0-0x00007FFFFB493000-0x00007FFFFB495000-memory.dmp

memory/2772-1-0x0000000000A20000-0x0000000000A36000-memory.dmp

memory/2772-6-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1396-9-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp

memory/1396-11-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp

memory/2772-12-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/2732-0-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp

memory/2732-1-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/2732-6-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2208-9-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

memory/2208-11-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

memory/2732-12-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/5012-1-0x0000000000C00000-0x0000000000C16000-memory.dmp

memory/5012-0-0x00007FFEBB1D3000-0x00007FFEBB1D5000-memory.dmp

memory/5012-6-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3540-9-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/3540-11-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/5012-12-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

139s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/5052-0-0x00007FFDA2C73000-0x00007FFDA2C75000-memory.dmp

memory/5052-1-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/5052-6-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4720-9-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp

memory/4720-11-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp

memory/5052-12-0x00007FFDA2C73000-0x00007FFDA2C75000-memory.dmp

memory/5052-13-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240419-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2764-0-0x00007FF835F73000-0x00007FF835F75000-memory.dmp

memory/2764-1-0x0000000000490000-0x00000000004A6000-memory.dmp

memory/2764-6-0x00007FF835F70000-0x00007FF836A32000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3432-9-0x00007FF835F70000-0x00007FF836A32000-memory.dmp

memory/3432-11-0x00007FF835F70000-0x00007FF836A32000-memory.dmp

memory/2764-12-0x00007FF835F70000-0x00007FF836A32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

136s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
IE 52.111.236.21:443 tcp

Files

memory/2696-0-0x00007FF949803000-0x00007FF949805000-memory.dmp

memory/2696-1-0x00000000009A0000-0x00000000009B6000-memory.dmp

memory/2696-6-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/4352-9-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

memory/4352-11-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

memory/2696-12-0x00007FF949803000-0x00007FF949805000-memory.dmp

memory/2696-13-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240426-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/3692-0-0x00007FFD2B183000-0x00007FFD2B185000-memory.dmp

memory/3692-1-0x0000000000270000-0x0000000000286000-memory.dmp

memory/3692-6-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1796-9-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

memory/1796-11-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

memory/3692-12-0x00007FFD2B183000-0x00007FFD2B185000-memory.dmp

memory/3692-13-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 147.185.221.19:23638 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/1832-0-0x00007FF994563000-0x00007FF994565000-memory.dmp

memory/1832-1-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/1832-6-0x00007FF994560000-0x00007FF995022000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/3816-9-0x00007FF994560000-0x00007FF995022000-memory.dmp

memory/3816-11-0x00007FF994560000-0x00007FF995022000-memory.dmp

memory/1832-12-0x00007FF994563000-0x00007FF994565000-memory.dmp

memory/1832-13-0x00007FF994560000-0x00007FF995022000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:51

Platform

win11-20240508-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/236-0-0x0000000000870000-0x0000000000886000-memory.dmp

memory/236-1-0x00007FF829673000-0x00007FF829675000-memory.dmp

memory/236-6-0x00007FF829670000-0x00007FF82A132000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1444-9-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/1444-11-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/236-12-0x00007FF829670000-0x00007FF82A132000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9