Analysis Overview
SHA256
e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Threat Level: Known bad
The file "a ton of ya.zip" was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Executes dropped EXE
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:48
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2964 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2964 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/2964-0-0x00007FFD7CDF3000-0x00007FFD7CDF5000-memory.dmp
memory/2964-1-0x0000000000570000-0x0000000000586000-memory.dmp
memory/2964-6-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4804-9-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp
memory/4804-11-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp
memory/2964-12-0x00007FFD7CDF0000-0x00007FFD7D8B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
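The behavioural runs above all leave the same footprint: a schtasks.exe task named "uwumonster" that re-runs the dropped executable every minute with /RL HIGHEST (a watchdog that only becomes an elevated task if the invoking user is already an administrator), a Run value and a Startup-folder .lnk pointing at the same user-writable path, and a connection to a playit.gg tunnel hostname under gl.at.ply.gg that resolves to 147.185.221.19:23638 in every run. The "PID X wrote to memory of Y" rows pair the launcher with the schtasks.exe child it spawned. The script below is an added example written for this page, not sandbox output and not code from the sample; it turns those report indicators into a triage rule over constructed Sysmon-style event dictionaries. The event shapes, the SAMPLE_EVENTS list and the ATT&CK technique mapping (T1053.005, T1547.001, T1572) are the example's own assumptions; only the hashes, paths, hostname suffix and relay endpoint come from the report.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above. Everything else (event shapes,
# SAMPLE_EVENTS, technique mapping) is constructed for this example.
DROPPED_EXE_SHA256 = "ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d"
TUNNEL_SUFFIX = ".gl.at.ply.gg"              # playit.gg relay hostnames seen in every run
TUNNEL_ENDPOINT = ("147.185.221.19", 23638)  # relay IP:port common to all runs
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\")


@dataclass
class Hit:
    technique: str
    reason: str
    evidence: str


def norm(path: str) -> str:
    """Lower-case a Windows path and collapse the doubled backslashes that
    registry exports (like the Run value in the report) use."""
    return path.replace("\\\\", "\\").lower()


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks.exe flags to their values; bare switches (/create, /f) map to True."""
    tokens = tokenize(cmdline)
    flags: dict = {}
    i = 1  # token 0 is the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                flags[key] = nxt
                i += 2
                continue
            flags[key] = True
        i += 1
    return flags


def check_schtasks(cmdline: str) -> list[Hit]:
    """Flag the persistence traits of the schtasks.exe line seen in the report."""
    flags = parse_schtasks(cmdline)
    if "create" not in flags:
        return []
    hits: list[Hit] = []
    action = norm(str(flags.get("tr", "")))
    if str(flags.get("sc", "")).lower() == "minute" and str(flags.get("mo", "")) == "1":
        hits.append(Hit("T1053.005", "task re-runs every minute (watchdog-style persistence)", cmdline))
    if str(flags.get("rl", "")).upper() == "HIGHEST":
        hits.append(Hit("T1053.005", "task requests the highest available run level", cmdline))
    if any(p in action for p in USER_WRITABLE):
        hits.append(Hit("T1053.005", "task action lives in a user-writable directory", cmdline))
    return hits


def triage(events: list[dict]) -> list[Hit]:
    """Walk Sysmon-style event dicts and return every indicator match."""
    hits: list[Hit] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and norm(ev["image"]).endswith("\\schtasks.exe"):
            hits.extend(check_schtasks(ev["cmdline"]))
        elif kind == "registry_set":
            if RUN_KEY in norm(ev["key"]) and any(p in norm(ev["value"]) for p in USER_WRITABLE):
                hits.append(Hit("T1547.001", "Run value points at a user-writable executable", ev["key"]))
        elif kind == "file_create":
            path = norm(ev["path"])
            if STARTUP_DIR in path and path.endswith(".lnk"):
                hits.append(Hit("T1547.001", "shortcut dropped into the Startup folder", ev["path"]))
        elif kind == "dns_query" and ev["query"].lower().endswith(TUNNEL_SUFFIX):
            hits.append(Hit("T1572", "lookup of a playit.gg tunnel hostname", ev["query"]))
        elif kind == "net_connect" and (ev["dst_ip"], ev["dst_port"]) == TUNNEL_ENDPOINT:
            hits.append(Hit("T1572", "connection to the relay endpoint from the report", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
        elif kind == "file_hash" and ev["sha256"].lower() == DROPPED_EXE_SHA256:
            hits.append(Hit("known-bad", "SHA256 matches the dropped uwumonster.exe", ev["path"]))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per technique, the shape an alert rule would emit."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.technique] = counts.get(h.technique, 0) + 1
    return counts


# Constructed events mirroring the behavioral10 run, plus two benign controls at the end.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'},
    {"type": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster",
     "value": r"C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"},  # doubled backslashes as exported
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk"},
    {"type": "dns_query", "query": "then-wheel.gl.at.ply.gg"},
    {"type": "net_connect", "dst_ip": "147.185.221.19", "dst_port": 23638},
    {"type": "file_hash", "path": r"C:\Users\Admin\AppData\Local\uwumonster.exe", "sha256": DROPPED_EXE_SHA256},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "dns_query", "query": "www.example.com"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.technique:10} {h.reason}: {h.evidence}")
    print(summarize(found))
```

The hostname changes between runs (then-wheel, action-yesterday, bring-recorder) while the relay IP and port do not, so the rule keys on the gl.at.ply.gg suffix and the 147.185.221.19:23638 endpoint rather than on any single label; the two benign events at the end of SAMPLE_EVENTS produce no hits.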
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3892 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3892 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | | tcp |
| N/A | 127.0.0.1:23638 | | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/3892-0-0x00007FFDC7053000-0x00007FFDC7055000-memory.dmp
memory/3892-1-0x0000000000340000-0x0000000000356000-memory.dmp
memory/3892-6-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1816-9-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp
memory/1816-11-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp
memory/3892-12-0x00007FFDC7050000-0x00007FFDC7B12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 2140 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | | tcp |
Files
memory/2140-0-0x00007FFAF7653000-0x00007FFAF7655000-memory.dmp
memory/2140-1-0x0000000000970000-0x0000000000986000-memory.dmp
memory/2140-6-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2260-9-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp
memory/2260-11-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp
memory/2140-12-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4832 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | C:\Windows\System32\schtasks.exe |
| PID 4832 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4832-0-0x00007FFCC9EB3000-0x00007FFCC9EB5000-memory.dmp
memory/4832-1-0x0000000000140000-0x0000000000156000-memory.dmp
memory/4832-6-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1260-9-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp
memory/1260-11-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp
memory/4832-12-0x00007FFCC9EB0000-0x00007FFCCA972000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4056 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4056 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/4056-0-0x00007FF8DE4D3000-0x00007FF8DE4D5000-memory.dmp
memory/4056-1-0x0000000000080000-0x0000000000096000-memory.dmp
memory/4056-6-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2792-9-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
memory/2792-11-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
memory/4056-12-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1016 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 1016 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/1016-0-0x00007FF9B0373000-0x00007FF9B0375000-memory.dmp
memory/1016-1-0x0000000000980000-0x0000000000996000-memory.dmp
memory/1016-6-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3760-9-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp
memory/3760-11-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp
memory/1016-12-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 1276 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | | tcp |
| US | 147.185.221.19:23638 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/1276-0-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp
memory/1276-1-0x0000000000100000-0x0000000000116000-memory.dmp
memory/1276-6-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2228-9-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/1276-10-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp
memory/2228-12-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/1276-13-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 5016 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/5016-0-0x00007FFAD9D13000-0x00007FFAD9D15000-memory.dmp
memory/5016-1-0x0000000000FF0000-0x0000000001006000-memory.dmp
memory/5016-6-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/412-9-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp
memory/412-11-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp
memory/5016-12-0x00007FFAD9D10000-0x00007FFADA7D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3456 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3456 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 52.111.229.19:443 | | tcp |
Files
memory/3456-0-0x00007FFD2CCF3000-0x00007FFD2CCF5000-memory.dmp
memory/3456-1-0x0000000000D80000-0x0000000000D96000-memory.dmp
memory/3456-6-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3924-9-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp
memory/3924-11-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp
memory/3456-12-0x00007FFD2CCF0000-0x00007FFD2D7B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4896 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/4896-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
memory/4896-1-0x0000000000680000-0x0000000000696000-memory.dmp
memory/4896-6-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3272-9-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/3272-11-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/4896-12-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
memory/4896-13-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
140s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4308 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4308 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/4308-1-0x0000000000EB0000-0x0000000000EC6000-memory.dmp
memory/4308-0-0x00007FFF43553000-0x00007FFF43555000-memory.dmp
memory/4308-6-0x00007FFF43550000-0x00007FFF44012000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2756-9-0x00007FFF43550000-0x00007FFF44012000-memory.dmp
memory/2756-11-0x00007FFF43550000-0x00007FFF44012000-memory.dmp
memory/4308-12-0x00007FFF43553000-0x00007FFF43555000-memory.dmp
memory/4308-13-0x00007FFF43550000-0x00007FFF44012000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3016 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
Files
memory/3016-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp
memory/3016-1-0x0000000000110000-0x0000000000126000-memory.dmp
memory/3016-6-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1600-9-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
memory/1600-11-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
memory/3016-12-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp
memory/3016-13-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 956 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 956 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
Files
memory/956-0-0x00007FFE88013000-0x00007FFE88015000-memory.dmp
memory/956-1-0x0000000000F80000-0x0000000000F96000-memory.dmp
memory/956-6-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4060-9-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp
memory/956-10-0x00007FFE88013000-0x00007FFE88015000-memory.dmp
memory/4060-12-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp
memory/956-13-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2164 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
Files
memory/2164-0-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp
memory/2164-1-0x0000000000AC0000-0x0000000000AD6000-memory.dmp
memory/2164-6-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/5068-9-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/5068-11-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
memory/2164-12-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp
memory/2164-13-0x00007FFF244F0000-0x00007FFF24FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4176 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 4176 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/4176-0-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp
memory/4176-1-0x0000000000FD0000-0x0000000000FE6000-memory.dmp
memory/4176-6-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3880-9-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp
memory/3880-11-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp
memory/4176-12-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp
memory/4176-13-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3716 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 52.111.229.19:443 | | tcp |
Files
memory/3716-0-0x00007FFD03473000-0x00007FFD03475000-memory.dmp
memory/3716-1-0x0000000000A30000-0x0000000000A46000-memory.dmp
memory/3716-6-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3860-9-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/3860-11-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/3716-12-0x00007FFD03473000-0x00007FFD03475000-memory.dmp
memory/3716-13-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2624 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 2624 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2624-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
memory/2624-1-0x0000000000020000-0x0000000000036000-memory.dmp
memory/2624-6-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1532-9-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/1532-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/2624-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 3368 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/3368-0-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp
memory/3368-1-0x0000000000CA0000-0x0000000000CB6000-memory.dmp
memory/3368-6-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2192-9-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp
memory/2192-11-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp
memory/3368-12-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4432 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 4432 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/4432-0-0x00007FFB21613000-0x00007FFB21615000-memory.dmp
memory/4432-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp
memory/4432-6-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1104-9-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp
memory/1104-11-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp
memory/4432-12-0x00007FFB21613000-0x00007FFB21615000-memory.dmp
memory/4432-13-0x00007FFB21610000-0x00007FFB220D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1852 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 1852 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/1852-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp
memory/1852-1-0x0000000000330000-0x0000000000346000-memory.dmp
memory/1852-6-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1832-9-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/1832-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/1852-12-0x00007FFA49283000-0x00007FFA49285000-memory.dmp
memory/1852-13-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240419-en
Max time kernel
137s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 436 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 436 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | | tcp |
| N/A | 127.0.0.1:23638 | | tcp |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
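Across the runs above the C2 hostname changes (`teen-modes`, `bring-recorder`, `then-wheel`, all under `gl.at.ply.gg`, the playit.gg tunnelling service) while the destination stays `147.185.221.19:23638`; this run also shows two loopback connections to the same port. The Python below is an added example, not code from the report, that collates those Network rows as the report prints them, discards resolver and loopback noise, and pivots on `ip:port` so the stable indicator surfaces instead of the disposable hostnames. The rows are copied from the tables above (one `tse1.mm.bing.net` row from another run is included as an example of background traffic to be separated out); the tunnel-suffix and public-resolver lists are assumptions.

```python
"""
Added example (not from the sandbox report): pivot the Network tables of the
runs above on the stable destination rather than the rotating tunnel hostname.
"""
import ipaddress
import re
from collections import defaultdict

# Rows copied from the report's Network tables, in the report's own cell layout,
# including a row whose Domain cell is empty (loopback connection).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:23638 | | tcp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)
# Assumption: *.ply.gg hostnames are playit.gg tunnel endpoints used as a C2 relay.
TUNNEL_SUFFIXES = (".ply.gg",)
# Assumption: well-known public resolvers whose port-53 traffic is lookup noise here.
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def parse_rows(text: str) -> list[dict]:
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip, port = m["dest"].rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": m["domain"], "proto": m["proto"].lower()})
    return rows


def classify(row: dict) -> str:
    """local | dns | tunnel | other"""
    addr = ipaddress.ip_address(row["ip"])
    if addr.is_loopback or addr.is_private:
        return "local"
    if row["port"] == 53 and row["proto"] == "udp" and row["ip"] in RESOLVERS:
        return "dns"
    if row["domain"].endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    return "other"


def pivot(rows: list[dict]) -> dict[tuple[str, int], list[str]]:
    """Group external destinations by (ip, port) and list the hostnames seen for each."""
    by_endpoint: dict[tuple[str, int], set[str]] = defaultdict(set)
    for r in rows:
        if classify(r) in ("tunnel", "other"):
            by_endpoint[(r["ip"], r["port"])].add(r["domain"])
    return {ep: sorted(names) for ep, names in by_endpoint.items()}


def c2_indicators(rows: list[dict]) -> dict[str, dict]:
    """Endpoints reached via tunnel hostnames; note when a loopback connection used the same port."""
    local_ports = {r["port"] for r in rows if classify(r) == "local"}
    out = {}
    for (ip, port), names in pivot(rows).items():
        tunnel_names = [n for n in names if n.endswith(TUNNEL_SUFFIXES)]
        if tunnel_names:
            out[f"{ip}:{port}"] = {"hostnames": tunnel_names, "local_port_match": port in local_ports}
    return out


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_ROWS)
    for ep, names in pivot(parsed).items():
        print(f"{ep[0]}:{ep[1]} <- {names}")
    print(c2_indicators(parsed))
```

For blocking and hunting, use the `ip:port` and a wildcard on the tunnel suffix rather than the three hostnames: each build of the sample can carry a fresh `*.gl.at.ply.gg` name, but all of them terminate at the same relay endpoint. The `tse1.mm.bing.net` connection lands in the `other` bucket deliberately; it is ordinary Windows background traffic that a pivot on the tunnel suffix keeps out of the indicator list.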
Files
memory/436-0-0x00007FF84EE23000-0x00007FF84EE25000-memory.dmp
memory/436-1-0x0000000000760000-0x0000000000776000-memory.dmp
memory/436-6-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2984-9-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp
memory/2984-11-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp
memory/436-12-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
141s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 3616 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3616-0-0x00007FF8AF253000-0x00007FF8AF255000-memory.dmp
memory/3616-1-0x0000000000090000-0x00000000000A6000-memory.dmp
memory/3616-6-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1480-9-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp
memory/1480-11-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp
memory/3616-12-0x00007FF8AF253000-0x00007FF8AF255000-memory.dmp
memory/3616-13-0x00007FF8AF250000-0x00007FF8AFD12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3144 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 3144 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/3144-0-0x00007FF84CE13000-0x00007FF84CE15000-memory.dmp
memory/3144-1-0x0000000000780000-0x0000000000796000-memory.dmp
memory/3144-6-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4496-9-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
memory/4496-11-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
memory/3144-12-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240419-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2772 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.19:23638 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/2772-0-0x00007FFFFB493000-0x00007FFFFB495000-memory.dmp
memory/2772-1-0x0000000000A20000-0x0000000000A36000-memory.dmp
memory/2772-6-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1396-9-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp
memory/1396-11-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp
memory/2772-12-0x00007FFFFB490000-0x00007FFFFBF52000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2732 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/2732-0-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp
memory/2732-1-0x00000000009F0000-0x0000000000A06000-memory.dmp
memory/2732-6-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/2208-9-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/2208-11-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/2732-12-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5012 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 5012 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | then-wheel.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | then-wheel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/5012-1-0x0000000000C00000-0x0000000000C16000-memory.dmp
memory/5012-0-0x00007FFEBB1D3000-0x00007FFEBB1D5000-memory.dmp
memory/5012-6-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3540-9-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp
memory/3540-11-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp
memory/5012-12-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
139s
Max time network
145s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 5052 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/5052-0-0x00007FFDA2C73000-0x00007FFDA2C75000-memory.dmp
memory/5052-1-0x00000000003A0000-0x00000000003B6000-memory.dmp
memory/5052-6-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4720-9-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp
memory/4720-11-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp
memory/5052-12-0x00007FFDA2C73000-0x00007FFDA2C75000-memory.dmp
memory/5052-13-0x00007FFDA2C70000-0x00007FFDA3732000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240419-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2764 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 2764 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | N/A | tcp |
| N/A | 127.0.0.1:23638 | N/A | tcp |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/2764-0-0x00007FF835F73000-0x00007FF835F75000-memory.dmp
memory/2764-1-0x0000000000490000-0x00000000004A6000-memory.dmp
memory/2764-6-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3432-9-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3432-11-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/2764-12-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
136s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
| PID 2696 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | N/A | tcp |
Files
memory/2696-0-0x00007FF949803000-0x00007FF949805000-memory.dmp
memory/2696-1-0x00000000009A0000-0x00000000009B6000-memory.dmp
memory/2696-6-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/4352-9-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/4352-11-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
memory/2696-12-0x00007FF949803000-0x00007FF949805000-memory.dmp
memory/2696-13-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240426-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3692 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 3692 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp |
Files
memory/3692-0-0x00007FFD2B183000-0x00007FFD2B185000-memory.dmp
memory/3692-1-0x0000000000270000-0x0000000000286000-memory.dmp
memory/3692-6-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1796-9-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp
memory/1796-11-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp
memory/3692-12-0x00007FFD2B183000-0x00007FFD2B185000-memory.dmp
memory/3692-13-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 1832 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:23638 | N/A | tcp |
| US | 147.185.221.19:23638 | N/A | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
memory/1832-0-0x00007FF994563000-0x00007FF994565000-memory.dmp
memory/1832-1-0x0000000000A70000-0x0000000000A86000-memory.dmp
memory/1832-6-0x00007FF994560000-0x00007FF995022000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/3816-9-0x00007FF994560000-0x00007FF995022000-memory.dmp
memory/3816-11-0x00007FF994560000-0x00007FF995022000-memory.dmp
memory/1832-12-0x00007FF994563000-0x00007FF994565000-memory.dmp
memory/1832-13-0x00007FF994560000-0x00007FF995022000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-01 07:48
Reported
2024-06-01 07:51
Platform
win11-20240508-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 236 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
| PID 236 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe | "C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe" |
| C:\Users\Admin\AppData\Local\uwumonster.exe | C:\Users\Admin\AppData\Local\uwumonster.exe |
| C:\Users\Admin\AppData\Local\uwumonster.exe | C:\Users\Admin\AppData\Local\uwumonster.exe |
| C:\Users\Admin\AppData\Local\uwumonster.exe | C:\Users\Admin\AppData\Local\uwumonster.exe |
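The persistence chain recorded above (a `schtasks /create` task that re-runs the dropped binary every minute at the highest run level, plus a Run key and a Startup-folder shortcut pointing at the same file) is the part of this report a detection engineer will want to turn into a check. The following Python is an added example written for this page; it is not the sandbox's code and not part of the original report. It tokenises the recorded schtasks command line and the Run key event and returns the traits that make them suspicious. The two report inputs are copied verbatim from the tables above; the benign comparison task, the flag-parsing heuristic (a flag followed by a non-flag token takes it as its value) and the list of user-writable directory prefixes are assumptions of mine.

```python
"""Triage of the persistence artefacts in this report: the schtasks /create
command line and the Run key value.  Added example, not the sandbox's code.
The flag-parsing heuristic and USER_WRITABLE are assumptions."""
import re

# Directory markers an unprivileged user can write to (assumed list).  A task
# or Run key launching from one of these hints at a dropped, not installed, binary.
USER_WRITABLE = (
    "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\", "\\temp\\",
)

# Copied verbatim from this report's process list and Run key signature.
REPORT_SCHTASKS_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute '
    r'/mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'
)
REPORT_RUN_KEY_EVENT = (
    r"\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "
    r'"C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"'
)
# Constructed benign task for contrast (not from the report).
BENIGN_SCHTASKS_CMD = (
    r'schtasks.exe /create /tn "NightlyBackup" '
    r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'
)


def in_user_writable(path: str) -> bool:
    """True if a (possibly quoted, possibly backslash-doubled) path sits
    under a directory an ordinary user can write to."""
    p = path.strip('"').replace("\\\\", "\\").lower()
    return any(marker in p for marker in USER_WRITABLE)


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {flag: value}.  Quoted tokens stay
    whole, flags are case-folded, and a flag followed directly by another flag
    (or by nothing) is recorded as True.  Heuristic, not schtasks' own grammar."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts: dict = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        flag = tokens[i]
        if not flag.startswith("/"):
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("/"):
            opts[flag.lower()] = nxt.strip('"')
            i += 2
        else:
            opts[flag.lower()] = True
            i += 1
    return opts


def triage_schtasks(cmdline: str) -> list:
    """Reasons a schtasks /create command looks like malware persistence;
    an empty list means nothing stood out."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return []
    reasons = []
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/RL HIGHEST)")
    if str(opts.get("/sc", "")).lower() == "minute":
        try:
            every = int(opts.get("/mo", 1))
        except (TypeError, ValueError):
            every = 1
        if every <= 5:  # a re-launch loop, not a maintenance schedule
            reasons.append(f"re-launches every {every} minute(s)")
    action = opts.get("/tr")
    if isinstance(action, str) and in_user_writable(action):
        reasons.append(f"action launches from user-writable path: {action}")
    return reasons


RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    r'(?P<name>[^\s=]+)\s*=\s*"(?P<value>.*)"', re.IGNORECASE)


def triage_run_key(event: str) -> list:
    """Flag a Run key 'Set value' event whose target is user-writable.
    The report logs the value with doubled backslashes; undo that first."""
    m = RUN_KEY_RE.search(event)
    if not m:
        return []
    value = m.group("value").replace("\\\\", "\\")
    reasons = [f"Run key '{m.group('name')}' registered"]
    if in_user_writable(value):
        reasons.append(f"points to user-writable path: {value}")
    return reasons


if __name__ == "__main__":
    for cmd in (REPORT_SCHTASKS_CMD, BENIGN_SCHTASKS_CMD):
        print(cmd, "\n  ->", triage_schtasks(cmd) or "no findings")
    print(REPORT_RUN_KEY_EVENT, "\n  ->", triage_run_key(REPORT_RUN_KEY_EVENT))
```

Run against the report's own command line the task scores on all three traits, while the constructed daily backup task scores on none; the Run key event is flagged because its value resolves into `AppData\Local`. The user-writable prefix list is the knob to tune per environment, since some legitimate per-user installers (Electron apps, for instance) also persist from `AppData\Local`.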
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp |
Files
memory/236-0-0x0000000000870000-0x0000000000886000-memory.dmp
memory/236-1-0x00007FF829673000-0x00007FF829675000-memory.dmp
memory/236-6-0x00007FF829670000-0x00007FF82A132000-memory.dmp
C:\Users\Admin\AppData\Local\uwumonster.exe
| MD5 | 222c2d239f4c8a1d73c736c9cc712807 |
| SHA1 | c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c |
| SHA256 | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d |
| SHA512 | 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02 |
memory/1444-9-0x00007FF829670000-0x00007FF82A132000-memory.dmp
memory/1444-11-0x00007FF829670000-0x00007FF82A132000-memory.dmp
memory/236-12-0x00007FF829670000-0x00007FF82A132000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |