Malware Analysis Report

2024-11-16 13:40

Sample ID 240601-jnkgvaee2z
Target a ton of ya.zip
SHA256 e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae
Tags: xworm persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses behavioral11, behavioral14, behavioral24, behavioral30, behavioral1, behavioral22, behavioral2, behavioral16, behavioral18, behavioral29, behavioral31, behavioral10, behavioral12, behavioral19, behavioral3, behavioral9, behavioral23, behavioral5, behavioral15, behavioral6, behavioral26, behavioral8, behavioral13, behavioral17, behavioral20, behavioral21, behavioral25, behavioral4, behavioral7, behavioral32, behavioral27, behavioral28, in that order; each with Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Threat Level: Known bad

The file a ton of ya.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Executes dropped EXE

Drops startup file

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory
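The chain listed above (a scheduled task that re-launches the dropped binary every minute at the highest run level, a Run value under the user hive, a Startup-folder .lnk, and a temp batch file that waits via timeout.exe before removing the original) is what a detection engineer would turn into rules. The Python below is an added example written for this page; it is not sandbox code and not part of the XWorm sample. It runs three rules over constructed Sysmon-style events (one dict per process-creation or registry-set record; the field names are an assumption) modelled on the behavioral11 run, plus one benign schtasks control line so the rules have something to reject.

```python
"""Detect the persistence and self-delete chain from this report in event logs.

Added example for this page, not sandbox or sample code. The event
dicts below are constructed to mirror the behavioral11 run; their
field names (type, pid, ppid, image, cmdline, key, value, data) are an
assumption about the collector, not a fixed schema.
"""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')                       # one quoted path or one bare word
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SELF_DELETE_BAT = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)

# Constructed sample input (shape assumed), modelled on behavioral11.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1868, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"'},
    {"type": "process", "pid": 2672, "ppid": 1868,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'},
    {"type": "registry", "pid": 1868,
     "key": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "uwumonster", "data": r"C:\Users\Admin\AppData\Local\uwumonster.exe"},
    {"type": "process", "pid": 708, "ppid": 1868,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.bat""'},
    {"type": "process", "pid": 1780, "ppid": 708,
     "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    # Benign control: a daily task pointing at Program Files must not fire.
    {"type": "process", "pid": 4000, "ppid": 3999,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\run.exe"'},
]


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks.exe switches to their values (True for valueless switches)."""
    toks = tokenize(cmdline)
    opts, i = {}, 1                                      # skip the image token
    while i < len(toks):
        if toks[i].startswith("/"):
            name = toks[i][1:].lower()
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[name] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            i += 1
    return opts


def check_schtasks(ev):
    """T1053.005: a task whose action lives in a user-writable directory."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    o = parse_schtasks(ev["cmdline"])
    if "create" not in o or not USER_WRITABLE.match(o.get("tr", "")):
        return None
    if o.get("sc", "").lower() == "minute" and o.get("mo") == "1":
        return "schtasks_minutely_user_payload"         # the pattern in this report
    return "schtasks_user_payload"


def check_run_key(ev):
    """T1547.001: a Run value whose data points into AppData."""
    if RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["data"]):
        return "run_key_user_payload"
    return None


def check_self_delete(ev, by_pid):
    """T1070.004: timeout.exe whose parent cmd.exe runs a %TEMP%\\tmp*.tmp.bat."""
    if not ev["image"].lower().endswith("\\timeout.exe"):
        return None
    parent = by_pid.get(ev["ppid"])
    if parent and SELF_DELETE_BAT.search(parent["cmdline"]):
        return "self_delete_batch"
    return None


def scan(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for rule in (check_schtasks(ev), check_self_delete(ev, by_pid)):
                if rule:
                    hits.append((rule, ev["pid"]))
        elif ev["type"] == "registry":
            rule = check_run_key(ev)
            if rule:
                hits.append((rule, ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The schtasks rule is the highest-fidelity of the three: `/sc minute /mo 1 /RL HIGHEST` with a `/tr` under AppData is rare in legitimate software, whereas a Run value under AppData on its own will also match some updaters, so it is better used as corroboration. The self-delete rule needs parent linkage, which is why `scan()` indexes process events by PID first.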

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:48

Signatures

Detect Xworm Payload

Description Indicator Process Target
(32 matching entries; indicator, process and target are not recorded for the static pass)

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
(32 matching entries; indicator, process and target are not recorded for the static pass)

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

130s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(4 matches; no details recorded)

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2776 wrote to memory of 2608 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2776 wrote to memory of 2360 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1868 wrote to memory of 380 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1868 wrote to memory of 708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 708 wrote to memory of 1780 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8D4C6E91-67BA-42DB-BF9C-8DDE79B39B12} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 N/A tcp
US 147.185.221.19:23638 N/A tcp

Files

memory/1868-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

memory/1868-1-0x0000000000C60000-0x0000000000C76000-memory.dmp

memory/1868-6-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/1868-7-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2608-11-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

memory/1868-12-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2360-15-0x0000000001370000-0x0000000001386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.bat

MD5 6f33c0d2f0b0df489fbecf20af6d689c
SHA1 30b1794082037127fa3c8a8d85a0681819584814
SHA256 9746258a6915efb38a9fec84d3738a89a158941943ab44d8ded973240323ce8d
SHA512 ededc8fcfcac4b855e4062e525bf674933d0d769e69966dfd5f446c01c10144260c563dbf284decb22c8dac02533215ea28e8226aca02287ee0fc316082ecba5

memory/1868-26-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

130s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(4 matches; no details recorded)

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 3040 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2164 wrote to memory of 2632 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2164 wrote to memory of 344 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3008 wrote to memory of 2324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3008 wrote to memory of 324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 324 wrote to memory of 3060 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9E38E293-59A9-4784-8430-91A4536B5373} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp11BC.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 N/A tcp

Files

memory/3008-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

memory/3008-1-0x0000000001360000-0x0000000001376000-memory.dmp

memory/3008-6-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/3008-7-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2632-11-0x0000000000090000-0x00000000000A6000-memory.dmp

memory/3008-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/344-15-0x0000000000950000-0x0000000000966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp11BC.tmp.bat

MD5 41219be6bf9bf57e54e70bc855361363
SHA1 49a336e99ba17b2754c258bdad5f10e61c7fc88d
SHA256 679a9d68e229cea5c4c5601f15294d37688a107026845ef81b6fbd7d0bbd7fb6
SHA512 643d209fb0a70e14f2bdc0884a4271605e0ac7e428aa1e17e2b4abb9e6910ea04bfcaf6411448abfd1572d1492cd1e4fe43bb592ab2c2fc70b133a2634ef5219

memory/3008-26-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20231129-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(4 matches; no details recorded)

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2932 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2680 wrote to memory of 2472 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2680 wrote to memory of 1284 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1244 wrote to memory of 676 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1244 wrote to memory of 1460 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1460 wrote to memory of 2864 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6E611D65-91D7-4BBC-9907-914E641BAE94} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 N/A tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

The C2 hostname is under gl.at.ply.gg, a playit.gg tunnel domain, so 147.185.221.19:23638 is the tunnel service's public endpoint rather than the operator's own host. Alert on the ply.gg suffix and on the IP:port pair together: other runs in this report reach the same endpoint with no DNS lookup at all.

Files

memory/1244-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

memory/1244-1-0x0000000001160000-0x0000000001176000-memory.dmp

memory/1244-6-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

memory/1244-7-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2472-11-0x0000000001360000-0x0000000001376000-memory.dmp

memory/1244-12-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

memory/1284-15-0x0000000000100000-0x0000000000116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp.bat

MD5 34afeaf58ad6eaea6403099fed10c0df
SHA1 a5facdf5d21638c8f4f3a0e9a53156d4cc8d51c5
SHA256 9b3ca35423dc793d85bcd4cfb8b5fe8cab0263ef8ab5a48690c7c8ad56864cc8
SHA512 5cdf51286c3021a2e655798cccfc7b4ad406e2c73f7be99f04c03490f62457666c4ed5e138736aa6fb3be4bfc7c3e0ca79fc7cbde3584fe11ac619328252ae09

memory/1244-26-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240220-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
(3 matches; no details recorded)

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1744 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2664 wrote to memory of 2512 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2664 wrote to memory of 2444 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2364 wrote to memory of 540 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2364 wrote to memory of 576 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 2992 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3ED1B3CD-C092-47FE-BB34-571F853ADA02} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2364-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

memory/2364-1-0x00000000008F0000-0x0000000000906000-memory.dmp

memory/2364-6-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

memory/2364-7-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2512-11-0x0000000001140000-0x0000000001156000-memory.dmp

memory/2364-12-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA2E.tmp.bat

MD5 fa154640dc8a244f749d2295df980677
SHA1 1325fd83911368dc337c47425ba77d178587a332
SHA256 b3cba19f4d7fbde38a913235689765677c502694cdbed6a04d76ff1c5ae05a26
SHA512 a1af5cfbf342b815e1305001c726ba89e61932922aee6f7ab8fbe78672f3d1ccea909721b9e286436ff257eae94e1d0522915a7051f549202e74467248498d90

memory/2364-25-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1688 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1688 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2496 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2496 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2496 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1688 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1688 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1688 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1688 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1152 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1152 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E4334DB1-52A0-4332-991B-7B4A89DD32A2} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3
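
Added example, not part of the sandbox output above: a small Python detector for the persistence and clean-up chain that the process list of this run shows. The chain is schtasks.exe creating a once-a-minute /RL HIGHEST task whose action lives under AppData, the task host (taskeng.exe on Windows 7; on Windows 8 and later the action is launched from svchost.exe hosting the Schedule service) starting that dropped EXE, the same parent deleting the task again, and cmd /c running a %TEMP%\tmpXXXX.tmp.bat with a timeout child, which is the step the "Deletes itself" signature refers to. The events are constructed from this report's behavioral1 tree; the Sysmon Event ID 1 style field names, the explorer.exe parent for the dropper and the benign control task are assumptions made for the example.

```python
"""Detector for the XWorm task / self-delete chain seen in this report (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; field names follow Sysmon EID 1 (assumed)."""
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed sample modelled on analysis behavioral1; explorer.exe as the
# dropper's parent and the benign "Backup" task are assumptions.
YA = r"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
CMD = r"C:\Windows\system32\cmd.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
UWU = r"C:\Users\Admin\AppData\Local\uwumonster.exe"

SAMPLE_EVENTS = [
    ProcEvent(1688, 1400, r"C:\Windows\explorer.exe", YA, f'"{YA}"'),
    ProcEvent(2308, 1688, YA, SCHTASKS,
              f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "{UWU}"'),
    ProcEvent(2460, 2496, TASKENG, UWU, UWU),
    ProcEvent(2960, 2496, TASKENG, UWU, UWU),
    ProcEvent(1284, 1688, YA, SCHTASKS, f'"{SCHTASKS}" /delete /f /tn "uwumonster"'),
    ProcEvent(1152, 1688, YA, CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat""'),
    ProcEvent(1740, 1152, CMD, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    # Benign control: daily task whose action lives under Program Files.
    ProcEvent(3000, 1400, r"C:\Windows\explorer.exe", SCHTASKS,
              rf'"{SCHTASKS}" /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
MINUTE_SCHEDULE = re.compile(r"/sc\s+minute\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)
TMP_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat\b", re.I)
# Windows 7 runs task actions under taskeng.exe; Windows 8+ under svchost.exe (Schedule).
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arg(pattern: re.Pattern, cmdline: str):
    """Return the quoted or bare value following a schtasks switch, or None."""
    m = pattern.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for events that match the chain seen in this report."""
    findings: list[tuple[int, str]] = []
    children: dict[int, list[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.parent_pid].append(ev)
    # (parent pid, task name) -> schtasks verbs issued by that parent
    task_verbs: dict[tuple[int, str], set[str]] = defaultdict(set)

    for ev in events:
        image = _basename(ev.image)
        cl = ev.command_line
        if image == "schtasks.exe":
            name = _arg(TASK_NAME, cl)
            verb = ("create" if re.search(r"/create\b", cl, re.I)
                    else "delete" if re.search(r"/delete\b", cl, re.I) else None)
            if name and verb:
                task_verbs[(ev.parent_pid, name.lower())].add(verb)
            action = _arg(TASK_ACTION, cl)
            # Once-a-minute task pointing at a user-writable path: the /create line above.
            if verb == "create" and MINUTE_SCHEDULE.search(cl) and action and USER_WRITABLE.search(action):
                findings.append((ev.pid, "minute_interval_task_to_user_writable_path"))
        elif image == "cmd.exe" and TMP_BAT.search(cl):
            # cmd /c %TEMP%\tmpXXXX.tmp.bat with a timeout child: the self-delete step.
            if any(_basename(c.image) == "timeout.exe" for c in children[ev.pid]):
                findings.append((ev.pid, "temp_batch_with_timeout_self_delete"))
        elif _basename(ev.parent_image) in TASK_HOSTS and USER_WRITABLE.search(ev.image):
            # Task host starting an EXE from AppData: the dropped uwumonster.exe.
            findings.append((ev.pid, "task_host_launched_exe_from_user_writable_path"))

    # Same parent both created and deleted the task: persistence handed off elsewhere.
    for (ppid, name), verbs in task_verbs.items():
        if verbs == {"create", "delete"}:
            findings.append((ppid, f"task_created_and_deleted_by_same_parent:{name}"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Run stand-alone it reports five findings (the task creation, both task-host launches of uwumonster.exe, the batch self-delete and the create-then-delete pair from the dropper) and nothing for the daily control task. In production, feed it Sysmon Event ID 1 records and narrow USER_WRITABLE to the paths your environment actually allows executables to run from.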

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
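
Added example, not part of the report: a network-side check in Python over constructed DNS and connection log lines. Across the runs in this report the hostname differs per build (action-yesterday, bring-recorder, teen-modes, all under gl.at.ply.gg) while the endpoint stays 147.185.221.19:23638, a playit.gg tunnel, so the rule keys on the provider suffix and on the IP:port pair rather than on any one hostname, and raises severity when a lookup is followed within a short window by a connection from the same host. The log format and host names are constructed for the example; playit.gg is also used legitimately (game-server hosting), so a suffix hit alone is a hunting lead, not a blocking verdict.

```python
"""Correlate playit.gg tunnel lookups with connections to this sample's C2 endpoint (added example)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

TUNNEL_SUFFIX = ".gl.at.ply.gg"               # suffix shared by every hostname in this report
TUNNEL_ENDPOINT = ("147.185.221.19", 23638)   # constant across all runs in this report

# Constructed line formats; adapt the two regexes to your own DNS / flow logs.
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS host=(?P<host>\S+) qname=(?P<qname>\S+)")
CONN_RE = re.compile(r"^(?P<ts>\S+) CONN host=(?P<host>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)")

# Constructed sample log: two infected hosts and one benign host.
SAMPLE_LOG = """\
2024-06-01T07:49:02Z DNS host=WIN7-A qname=bring-recorder.gl.at.ply.gg
2024-06-01T07:49:03Z CONN host=WIN7-A dst=147.185.221.19:23638 proto=tcp
2024-06-01T07:49:10Z DNS host=WIN7-B qname=www.example.com
2024-06-01T07:49:11Z CONN host=WIN7-B dst=203.0.113.10:443 proto=tcp
2024-06-01T07:55:00Z DNS host=WIN7-C qname=teen-modes.gl.at.ply.gg
2024-06-01T07:59:30Z CONN host=WIN7-C dst=147.185.221.19:23638 proto=tcp
""".splitlines()


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def scan(lines: list[str], window: timedelta = timedelta(seconds=120)) -> list[tuple[str, str, str]]:
    """Return (host, severity, detail) findings.

    low    : lookup of a tunnel-provider hostname (lead, not verdict)
    medium : TCP connect to the C2 endpoint with no recent tunnel lookup on that host
    high   : TCP connect to the C2 endpoint within `window` of a tunnel lookup on that host
    """
    last_tunnel_dns: dict[str, tuple[datetime, str]] = {}
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        if m := DNS_RE.match(line):
            qname = m["qname"].lower().rstrip(".")
            if qname.endswith(TUNNEL_SUFFIX):
                last_tunnel_dns[m["host"]] = (_ts(m["ts"]), qname)
                findings.append((m["host"], "low", f"tunnel lookup {qname}"))
        elif m := CONN_RE.match(line):
            if (m["ip"], int(m["port"])) == TUNNEL_ENDPOINT and m["proto"].lower() == "tcp":
                prior = last_tunnel_dns.get(m["host"])
                if prior and _ts(m["ts"]) - prior[0] <= window:
                    findings.append((m["host"], "high", f"c2 connect after lookup of {prior[1]}"))
                else:
                    findings.append((m["host"], "medium", "c2 endpoint connect without recent tunnel lookup"))
    return findings


if __name__ == "__main__":
    for host, severity, detail in scan(SAMPLE_LOG):
        print(f"{host:8} {severity:6} {detail}")
```

The window is deliberately short: the report shows the lookup and the connection within the same detonation, so a lookup followed minutes later by a connect (WIN7-C in the sample) is still reported, only at a lower severity, and a connect with no lookup at all (hard-coded IP or cached resolution) is not lost either.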

Files

memory/1688-0-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

memory/1688-1-0x0000000000AF0000-0x0000000000B06000-memory.dmp

memory/1688-6-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/1688-7-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2460-11-0x0000000001000000-0x0000000001016000-memory.dmp

memory/1688-12-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat

MD5 dbdb2e442cd0f1181452ff4e7878cd90
SHA1 d666a344d9b626276371d0a3263553340cd2c94f
SHA256 a4f230ecc0bbe148c7bcc199ff80d0d814b9ae252ad8afd3c78d1956e468fb17
SHA512 0a4f76e8b3153619719571feee5ad177093f36b2957bd8e35f60f9d3b2a68c2127fd71835b79d894cd5bb7b5487b0ec8e1933c8157497552787ea3223d2a11cc

memory/1688-25-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

128s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2624 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1712 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 796 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 796 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {395E6BC6-E0B8-416F-9B1E-241FA68078DC} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB95.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/1712-0-0x000007FEF5053000-0x000007FEF5054000-memory.dmp

memory/1712-1-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/1712-6-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2696-10-0x00000000000A0000-0x00000000000B6000-memory.dmp

memory/1712-11-0x000007FEF5053000-0x000007FEF5054000-memory.dmp

memory/1712-12-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

memory/2624-15-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB95.tmp.bat

MD5 a46ed683ef8c7e11a6ef7a863af14f40
SHA1 55a2b2739b942fa92963408204cc9a9de55599d3
SHA256 a9dd3aae8612edb18b7d8020699c6fa14b6240375d4a4b1cbf641e935845dd31
SHA512 105ec67ca52f92bd9a79084ed194b5fc90bd4274334661bf38f3a62c9eb307201af017db8376972811386956678cd2c51d65836dbafcdc047bbb2a38f994e7e0

memory/1712-26-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

129s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2656 wrote to memory of 2580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2656 wrote to memory of 2580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2656 wrote to memory of 2580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2656 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2656 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2656 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2168 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2236 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2236 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D5745FCD-FF9C-4945-9AF5-50513878561F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp68A2.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2168-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

memory/2168-1-0x0000000000C40000-0x0000000000C56000-memory.dmp

memory/2168-6-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2168-7-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2580-11-0x0000000000350000-0x0000000000366000-memory.dmp

memory/2168-12-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/1808-15-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68A2.tmp.bat

MD5 124ffe5e251fe4148933f029fd5b7cc7
SHA1 07a2b5b2a0bffb3550d31057dfa59673df55ddef
SHA256 c9333ebbef652f2c3e8c8a5b883b614e2ca0b1717fc06a47dbca70ab46419ca7
SHA512 c9db6dc866518cda96c17782c2a9aa1af0232607e518675170f4681ceec65d1db3ebd9b7efab8290b05b4a25365b181b90e9445b80c2184f67a332ed331f26b1

memory/2168-26-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240419-en

Max time kernel

129s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1968 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1968 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2512 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2512 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2512 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2512 wrote to memory of 1724 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2512 wrote to memory of 1724 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2512 wrote to memory of 1724 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1968 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1968 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1968 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1968 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0E2F3C29-C8A1-438E-B01F-AA714C78B2F3} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/1968-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

memory/1968-1-0x0000000000A80000-0x0000000000A96000-memory.dmp

memory/1968-6-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

memory/1968-7-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2640-11-0x0000000000B20000-0x0000000000B36000-memory.dmp

memory/1968-12-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

memory/1724-15-0x00000000002B0000-0x00000000002C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp.bat

MD5 aaf6443834cbadce8a27acf1055737a1
SHA1 bbb97715661e5412d27ad55d8b07289af9ed020e
SHA256 1ca58e49f5183a6c8d77d731f7e2b0cc1ee8e8ce2ee6807c8f9b09661b416493
SHA512 bdb00cffe825c2ff4b1ee994837fd8c8b8e1735ef263e69d479f1cc3ec101fd6ed3c2cf98609eaa9c7afad4a98e5c4cda41031d05801f58c95d5927ecd73e84a

memory/1968-26-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2516 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2516 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2516 wrote to memory of 2548 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2516 wrote to memory of 2176 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2516 wrote to memory of 2176 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2516 wrote to memory of 2176 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2424 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 768 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 768 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6D16C370-A192-474E-B7C4-B9EFE089952F} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp17A6.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2424-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

memory/2424-1-0x0000000000D80000-0x0000000000D96000-memory.dmp

memory/2424-6-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

memory/2424-7-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2548-11-0x0000000000B20000-0x0000000000B36000-memory.dmp

memory/2424-12-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

memory/2176-15-0x0000000000080000-0x0000000000096000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp17A6.tmp.bat

MD5 947be4a54f08a0802fc5a3f807a4b96f
SHA1 dbbbeea3e789bffff0dd4cff48af3c648fbc0730
SHA256 335bf9de2ce94c086964aaa8c7ed5b583d3a808482e4ecb5423d5e964bf6b851
SHA512 2c587f9a8f6cd497a2cdbeb5628446067c848e04af300d892f0cff577f3b95e6b720893cc8fc50799a615ee69342d73eb9b135687cac9b9f5428dea43e615cfb

memory/2424-26-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted 2024-06-01 07:48

Reported 2024-06-01 07:52

Platform win7-20240419-en

Max time kernel 131s

Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2836 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 2540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1620 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6624018C-0626-4237-A31E-9F5FD14E5A75} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13BF.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/1620-0-0x000007FEF51B3000-0x000007FEF51B4000-memory.dmp

memory/1620-1-0x00000000012C0000-0x00000000012D6000-memory.dmp

memory/1620-6-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

memory/1620-7-0x000007FEF51B3000-0x000007FEF51B4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2540-11-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/1620-12-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

memory/1360-15-0x00000000000F0000-0x0000000000106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp13BF.tmp.bat

MD5 76a7e6c70ef2816880ea1ec0bd97e00a
SHA1 a5d8e895a980ce0891673edc80b71240558a0553
SHA256 fb5d324f229fbd8d30d7233bca2c1723637e5744c3d3957163ada821c39de8fb
SHA512 4c57d25fd859b251d530629a3a32ab151cea2522233dfbf5ea4b5405f4acd52941d35322fd15c1c2174e99df9622a6973b44d749111de78dd0794112b2a04441

memory/1620-26-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted 2024-06-01 07:48

Reported 2024-06-01 07:52

Platform win7-20240221-en

Max time kernel 128s

Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2828 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2828 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2828 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2828 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2828 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2828 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2740 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2740 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2740 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\System32\schtasks.exe
PID 2740 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 680 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 680 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {49981470-EEA7-4063-84D4-D113F5296E21} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2740-0-0x000007FEF6023000-0x000007FEF6024000-memory.dmp

memory/2740-1-0x0000000000190000-0x00000000001A6000-memory.dmp

memory/2740-6-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

memory/2740-7-0x000007FEF6023000-0x000007FEF6024000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2088-11-0x0000000000320000-0x0000000000336000-memory.dmp

memory/2740-12-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

memory/1528-15-0x00000000013A0000-0x00000000013B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp.bat

MD5 dc0d1d50c825eedfda384b34c12e41eb
SHA1 89d211fd4c9716aadce7ddfa033357f092c1ed3e
SHA256 73b3d6917ca0acf1c15dbac7df2eb196a209f35863584eca3874789594ab4ad7
SHA512 c3962651db66368fe1db8a113fd2202d8495f76dd5f382abaf060330ff65cd287407bb6395da3ac6e056679ce9e5286edae4ed8d2bd3f3c998e1080396a7aa28

memory/2740-26-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-01 07:48

Reported 2024-06-01 07:52

Platform win7-20240221-en

Max time kernel 128s

Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2460 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2460 wrote to memory of 1756 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2172 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2928 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2928 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2928 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E92B934A-DC90-44E7-853C-D2F722F9FF0D} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp730E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2172-1-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

memory/2172-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

memory/2172-6-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

memory/2172-7-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2836-11-0x0000000001060000-0x0000000001076000-memory.dmp

memory/2172-12-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp730E.tmp.bat

MD5 b129e91f90d837fb450d029ea41dd097
SHA1 ce341fb96bf33d585cd8a38277604e0fa7619200
SHA256 6bfcc957a0c64cf8793d3fc4c8d1b54e975809ec528f55553b094befa04f7ebf
SHA512 d859ecd1bf0ca5ad7bde1195bc85f2d07005a3d3b5d764d9c3c0fc5c1918ad4a0685d7598335a2509c58e080aa2a5b51dc29e648ee72a34f481a57914a0df5a4

memory/2172-25-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted 2024-06-01 07:48

Reported 2024-06-01 07:52

Platform win7-20240221-en

Max time kernel 132s

Max time network 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3048 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3048 wrote to memory of 852 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3048 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3048 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3048 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2352 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2352 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2352 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 604 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 604 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 604 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C3891923-4F39-4979-893A-9D5E83E1F017} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 N/A tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 N/A tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2352-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

memory/2352-1-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

memory/2352-6-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

memory/2352-7-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/852-11-0x0000000001100000-0x0000000001116000-memory.dmp

memory/2352-12-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

memory/2224-15-0x0000000000210000-0x0000000000226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.bat

MD5 15f3e925752d08af2ee833c1b4d05f7c
SHA1 bee0c1df92e08d32e92f159228f0f14ba07fdc6e
SHA256 0a363a4f88479cc8badc34b9dd7c92f8cb6c86df77a1c755b5a36f916e55d000
SHA512 3db103eed610c95050ec1efba678a54e7d627765bf77eb89ea5e52198677150adf52c5520a33dd6d7f7818420923c4d9623f27bbd08be1382ee501c3893b2a0f

memory/2352-26-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20231129-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2948 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2948 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2836 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2836 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2948 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2520 wrote to memory of 628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2520 wrote to memory of 628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {95AC87A0-ADFB-4099-89C0-189802E2163A} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp628A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2948-0-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

memory/2948-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp

memory/2948-6-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/1884-10-0x0000000000F40000-0x0000000000F56000-memory.dmp

memory/2948-11-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

memory/1196-14-0x00000000013B0000-0x00000000013C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp628A.tmp.bat

MD5 656eafb1b2fc27690b8e41564ac76934
SHA1 3e2ca7dc408c9eaa2e184d954197bf5f2fccc455
SHA256 c8a10b9cd61877f97cba61810810937aacca472a64422f5a2e28ec42bb1c366d
SHA512 330f54db117bd34298daa6fea991342203918e27e170a0da3687c7263c783841b0d69e87d1cd186cbf0053a9b354dd3929af8c0d4d825da1d257accf0e1df8f3

memory/2948-25-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2936 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2936 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2936 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2936 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2936 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2936 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2308 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2308 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3953F6E9-1442-4E61-9570-32F0D84FA8A7} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 N/A tcp

Files

memory/2936-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

memory/2936-1-0x0000000000330000-0x0000000000346000-memory.dmp

memory/2936-6-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/2936-7-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2536-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/2936-12-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/880-15-0x00000000011D0000-0x00000000011E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp.bat

MD5 e46bde09a348b86940f2c60affe21287
SHA1 d223e6fcd155a33a9e52188cf87b8ee3170fe51b
SHA256 8e8a60eadbde0bdaba4e8a888f5673897b19ec5ec61b6d8d956de5ad897b89ac
SHA512 49bb330a798c3c80f8827edd7d105dbe81f3e33579b646ff37803a32ac6722dcf996c051ebb387a6042a813aabf672cebd5f7fb511b29cdcbad23bc2be8f6c07

memory/2936-26-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2532 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2532 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2532 wrote to memory of 2500 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2532 wrote to memory of 660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2532 wrote to memory of 660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2532 wrote to memory of 660 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2236 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2864 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2864 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1934CC14-272A-474C-920D-CA1E49B4C69A} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp344A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2236-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

memory/2236-1-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2236-6-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/2236-7-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

memory/2236-8-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2500-12-0x0000000001340000-0x0000000001356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp344A.tmp.bat

MD5 0b91a7c086cd1fd0adc700aae8b096a3
SHA1 963176e466635bcb9a77c1d5106199c66b535092
SHA256 f336ba0d550cb9bc44e6be6f44f8699d3a351b71c8c03c70a7c7fa7ebf40fd10
SHA512 09d54ddf51d1fa0e44da442ccf622913719bb1d8943d895fe93b0ad7776edc1ff53ad64c50223418e1a30a9b55f87a8c40e67a7c49b8a0645c066c8887dba523

memory/2236-25-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

132s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2400 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2400 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2400 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2104 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2104 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C83BF38D-2BC9-4ADA-A62C-2D275DC9D99A} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp28F4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 N/A tcp

Files

memory/1928-0-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

memory/1928-1-0x00000000010C0000-0x00000000010D6000-memory.dmp

memory/1928-6-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/1928-7-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2464-11-0x00000000000D0000-0x00000000000E6000-memory.dmp

memory/1928-12-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/2764-15-0x0000000000CF0000-0x0000000000D06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp28F4.tmp.bat

MD5 523db7d5f2881527cc19478620f82fa7
SHA1 cc4ebab279ccee5354671f852ed0d338fa71c271
SHA256 29ec1d7e622a297e1ad024eead098f37cfc70e8bb6d0f507a5db9df3902ff357
SHA512 dd0afd2ff34ef937d70626a3a20d46f7246a70fab266392bf0808fbdfa8e735d8c02b180da5036dd5334333cfd32faf74790291c8e1c6eb0c20c0ddd404fca52

memory/1928-26-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2908 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2908 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2500 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2500 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2500 wrote to memory of 2464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2500 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2500 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2500 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2908 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {478B731D-377A-4E8E-AD72-F0F208614A66} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp197A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3
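Read together with the WriteProcessMemory rows, the process list tells a short story: the dropper (PID 2908) registers a task named uwumonster that fires every minute with /RL HIGHEST and runs the copy it placed in AppData\Local; taskeng.exe (PID 2500) then starts that copy twice (PIDs 2464 and 1540) inside the 133 s run; the same dropper deletes the task again and hands a tmp*.tmp.bat to cmd.exe, whose child "timeout 3" lets the dropper exit before the batch removes it (the report attributes "Deletes itself" to that cmd.exe). The scheduled task is therefore a transient launcher, and the persistence that survives a reboot is the Run key and the Startup-folder .lnk from the Signatures above. The following Python is an added example, not part of the sandbox report or of XWorm: it encodes those three observations as rules over a constructed process list whose command lines, PIDs and parent PIDs are copied from this section. The rule names, the "fires at most every 5 minutes" threshold and the user-writable-path pattern are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    subject: str
    detail: str


# Constructed sample: the command lines from the behavioral5 Processes list,
# with PIDs and parents taken from the report's "wrote to memory of" rows.
DROPPER = (r'"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy'
           r' - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"')
SAMPLE = [
    Proc(2908, None, DROPPER),
    Proc(1356, 2908, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"'),
    Proc(2500, None, r'taskeng.exe {478B731D-377A-4E8E-AD72-F0F208614A66} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]'),
    Proc(2464, 2500, r'C:\Users\Admin\AppData\Local\uwumonster.exe'),
    Proc(1540, 2500, r'C:\Users\Admin\AppData\Local\uwumonster.exe'),
    Proc(540, 2908, r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"'),
    Proc(580, 2908, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp197A.tmp.bat""'),
    Proc(1480, 580, r'timeout 3'),
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Assumed list of locations a standard user can write to (my choice, not from the report).
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.I)
TMP_BAT = re.compile(r'\\Temp\\tmp[0-9A-F]+\.tmp\.bat', re.I)


def tokens(cmdline):
    """Split a Windows command line, honouring double quotes and dropping them."""
    out = []
    for quoted, bare in TOKEN.findall(cmdline):
        tok = (quoted or bare).strip('"')
        if tok:
            out.append(tok)
    return out


def image(toks):
    """Basename of argv[0], lower-cased, e.g. 'schtasks.exe' or 'cmd'."""
    return toks[0].rsplit('\\', 1)[-1].lower()


def schtasks_opts(toks):
    """Map /switch [value] pairs to a dict; valueless switches map to True."""
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith('/'):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith('/'):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def analyze(procs):
    """Apply the three rules; procs must be in chronological (report) order."""
    by_pid = {p.pid: p for p in procs}
    created = {}  # task name -> PID of the schtasks /create that registered it
    findings = []
    for p in procs:
        toks = tokens(p.cmdline)
        if not toks:
            continue
        img = image(toks)
        if img == 'schtasks.exe':
            o = schtasks_opts(toks)
            name = str(o.get('tn', '?'))
            if 'create' in o:
                created[name] = p.pid
                why = []
                mo = str(o.get('mo', '1'))
                if str(o.get('sc', '')).lower() == 'minute' and mo.isdigit() and int(mo) <= 5:
                    why.append(f'fires every {mo} minute(s)')
                if str(o.get('rl', '')).upper() == 'HIGHEST':
                    why.append('/RL HIGHEST')
                action = str(o.get('tr', ''))
                if USER_WRITABLE.search(action):
                    why.append(f'action in user-writable path {action}')
                if why:
                    findings.append(Finding('scheduled_task_launcher', p.pid, name, '; '.join(why)))
            elif 'delete' in o and name in created:
                findings.append(Finding('scheduled_task_removed', p.pid, name,
                                        f'task registered by PID {created[name]} deleted again: launcher, not persistence'))
        elif img in ('cmd', 'cmd.exe'):
            # Self-delete stub: a tmp*.tmp.bat in Temp whose child is timeout.
            m = TMP_BAT.search(p.cmdline)
            kids = [image(tokens(c.cmdline)) for c in procs if c.ppid == p.pid and tokens(c.cmdline)]
            if m and any(k in ('timeout', 'timeout.exe') for k in kids):
                findings.append(Finding('self_delete_stub', p.pid, m.group(0),
                                        'Temp batch whose child is timeout (the report attributes "Deletes itself" to this cmd.exe)'))
        else:
            # Payload started by the task engine from a user-writable path.
            parent = by_pid.get(p.ppid)
            if parent and image(tokens(parent.cmdline)) == 'taskeng.exe' and USER_WRITABLE.search(toks[0]):
                findings.append(Finding('task_launched_payload', p.pid, toks[0],
                                        f'started by taskeng.exe (PID {parent.pid}) from a user-writable path'))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE):
        print(f'{f.rule:24} pid={f.pid:<5} {f.subject}  [{f.detail}]')
```

On the sample this yields five findings in report order: the launcher task (PID 1356), the two task-engine launches of uwumonster.exe (2464, 1540), the task removal (540) and the self-delete stub (580). The create/delete pairing is what separates a transient launcher from real scheduled-task persistence, so a detection that only fires on schtasks /create would over-state what this sample leaves behind.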

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2908-0-0x000007FEF5A33000-0x000007FEF5A34000-memory.dmp

memory/2908-1-0x0000000001230000-0x0000000001246000-memory.dmp

memory/2908-6-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

memory/2908-7-0x000007FEF5A33000-0x000007FEF5A34000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2464-11-0x0000000000E60000-0x0000000000E76000-memory.dmp

memory/2908-12-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

memory/1540-15-0x0000000000F70000-0x0000000000F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp197A.tmp.bat

MD5 e3e0110cfdb9c7e5395ac672838798e1
SHA1 46909b37669a7750baf8e98102a66b86cf34a77f
SHA256 8bde7a6b8dc5d2372636d6d3b48516f4100aa13efb0486ec357a506b45561b41
SHA512 e57b3b68e14ec48c00c8b9ca55cd6dd53cc0c26c49c7dc6b4248efe6bf0f72ce2de3f91c1c8425d804de78f07458324cfeaf85aabf19ca9af73c8e3e27b670fa

memory/2908-26-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240220-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2692 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2692 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2692 wrote to memory of 2544 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3044 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3044 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3044 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 3044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1732 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1732 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F9716C2E-F4FE-4469-B82E-A0FB2F7B4D4A} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 N/A tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/3044-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3044-1-0x0000000001380000-0x0000000001396000-memory.dmp

memory/3044-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/3044-7-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2544-11-0x0000000001290000-0x00000000012A6000-memory.dmp

memory/3044-12-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp.bat

MD5 83fdb17be0035a3028bc4d3ce6a811ce
SHA1 c20d10c80a646e191f6ad141af87560852353122
SHA256 3e2b6c18a990c237b819181bb2324383c1286e3d6d42c15af4f74cfdfe32fa9e
SHA512 c83c5900dfa0dfdfffff15ba06e03ee9fc378024ef9c72f4f61c0ab15b0075e7e26d75c052d0f799f5f16ca3629c3802c4548f8fbfd53f51b9188d1a6a737294

memory/3044-25-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240220-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1736 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1736 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1736 wrote to memory of 2784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1736 wrote to memory of 1144 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1736 wrote to memory of 1144 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1736 wrote to memory of 1144 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2172 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2172 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 564 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E223C531-9C39-4A92-9683-D592ED0CDC8C} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp168D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp

Files

memory/2172-0-0x000007FEF5383000-0x000007FEF5384000-memory.dmp

memory/2172-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp

memory/2172-6-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

memory/2172-7-0x000007FEF5383000-0x000007FEF5384000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2172-12-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

memory/2784-11-0x0000000000B30000-0x0000000000B46000-memory.dmp

memory/1144-15-0x0000000001020000-0x0000000001036000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp168D.tmp.bat

MD5 63ace89b250242d413784c39b28622f8
SHA1 2c09109e454ec0fe6c869d22c15848ae4940807a
SHA256 d5ccea0d2a8fc106329b7e64cab1c1f93df15f9f010b87d3d9eb3b9ef945ad23
SHA512 f24bba3ffd72c79bbd7a16ea752222d3eebf88f07a22d55e3447e0dd39d8a7329aaa3a13dade272cae76b8ed0c1231bfbfbfec12d7fc24da2662d887ff415847

memory/2172-26-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2112 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2112 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2464 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2224 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2112 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2112 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2112 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1664 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1664 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {94A60D25-420D-486A-B8EB-274AF44AA32D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE6.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 N/A tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
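Across the detonations in this report the leaf hostname changes (bring-recorder, teen-modes, action-yesterday) while the TCP endpoint stays 147.185.221.19:23638. Hostnames under gl.at.ply.gg are playit.gg tunnel endpoints (my reading; the report does not say so), so the address belongs to the tunnel provider's ingress rather than to the operator's own host, and the stable pivots are the ingress ip:port and the tunnel parent domain, not the leaf name. The 8.8.8.8:53 rows are the sandbox's DNS lookups and the 127.0.0.1:23638 rows are loopback; neither is an indicator. The following Python is an added example, not anything from the report: it parses the Network rows of the behavioral5, behavioral15, behavioral6 and behavioral26 tables as printed (tolerating the rows without a Domain column) and reduces them to a de-duplicated IOC set. The resolver list and the tunnel suffix are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: the Network rows from four tables in this report, pasted as-is.
# The loopback rows carry no Domain column, which parse_rows() has to tolerate.
NETWORK_ROWS = """\
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
US 8.8.8.8:53 action-yesterday.gl.at.ply.gg udp
US 147.185.221.19:23638 action-yesterday.gl.at.ply.gg tcp
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp
"""

# Assumptions (mine, not the report's): *.ply.gg names are playit.gg tunnel
# endpoints, and 8.8.8.8 is the sandbox resolver, so port-53 rows are lookups.
TUNNEL_SUFFIXES = ('.ply.gg',)
RESOLVERS = {'8.8.8.8'}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(':', 1)
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def is_c2_candidate(c):
    """TCP sessions to a routable address; loopback and resolver traffic are noise here."""
    addr = ipaddress.ip_address(c.ip)
    return c.proto == 'tcp' and not addr.is_loopback and c.ip not in RESOLVERS


def is_tunnel_host(domain):
    return domain is not None and domain.endswith(TUNNEL_SUFFIXES)


def pivot(conns):
    """Group C2-candidate sessions by (ip, port) -> set of hostnames seen for it."""
    seen = defaultdict(set)
    for c in conns:
        if is_c2_candidate(c):
            seen[(c.ip, c.port)].add(c.domain)
    return dict(seen)


def iocs(conns):
    """Reduce the rows to the indicators worth hunting on."""
    groups = pivot(conns)
    hosts = sorted({d for ds in groups.values() for d in ds if d})
    return {
        'endpoints': sorted(f'{ip}:{port}' for ip, port in groups),
        'hostnames': hosts,
        # Parent zone of each tunnel host, e.g. 'gl.at.ply.gg': the stable part of the name.
        'tunnel_parents': sorted({h.split('.', 1)[1] for h in hosts if is_tunnel_host(h)}),
        # True when one ip:port was reached under more than one hostname.
        'rotating_hostnames': any(len(ds) > 1 for ds in groups.values()),
    }


if __name__ == '__main__':
    for key, value in iocs(parse_rows(NETWORK_ROWS)).items():
        print(f'{key:20} {value}')
```

Because the three leaf names all collapse onto one endpoint, a block on the individual hostnames would be stale by the next build; the endpoint and the gl.at.ply.gg parent zone are the indicators that carry across the detonations shown here.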

Files

memory/2112-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

memory/2112-1-0x0000000001090000-0x00000000010A6000-memory.dmp

memory/2112-6-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2112-7-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2512-11-0x0000000000C60000-0x0000000000C76000-memory.dmp

memory/2112-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2224-15-0x0000000000F50000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDE6.tmp.bat

MD5 d843ea36d0d4ea36bb8bf776e5f34fcd
SHA1 58b69f365cb703bb37c4e3b5732419cd6d95486b
SHA256 84fd8792a734660b2e919b3dcf52da46108141f080145219b1863f159bfdd918
SHA512 1a05138d324079f29e4867c22558c08c7899180b0ba191115c2339d56ea120f17f462cc5a129f9894dd7e2e4c0e59970cff3c1c964d8e09f39f14718e6b2b85d

memory/2112-26-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2604 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 1060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2060 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2300 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2300 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DB73AD04-E87D-4CEE-AEFE-90B5EFDBE264} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2250.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:23638 teen-modes.gl.at.ply.gg tcp

Files

memory/2060-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

memory/2060-1-0x0000000000030000-0x0000000000046000-memory.dmp

memory/2060-6-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/2060-7-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2432-11-0x0000000000EF0000-0x0000000000F06000-memory.dmp

memory/2060-12-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2250.tmp.bat

MD5 e076886210a251676cf1d8adf56c2bf8
SHA1 2e78cddbfa78ab63e86941b34636f9189c1389ee
SHA256 77427f4fa9f067439289d621ec5d76acc1f0764951defd497d1c52c9e642fd7d
SHA512 0ba4e7c29085d133ac5e88af66814eb3fb315452bd45dcee3fa4c469106fc6cee9dc6d4acd2c367d9e679019c54779084f2855688c2ea96721027275070ea33b

memory/2060-25-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:52
Platform win7-20240221-en
Max time kernel 132s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2104 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2104 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2604 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2104 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2104 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2104 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2864 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2864 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7D241036-2CB7-4F72-95A7-D8482EE066DF} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D12.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/2104-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

memory/2104-1-0x0000000000A20000-0x0000000000A36000-memory.dmp

memory/2104-6-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

memory/2104-7-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2612-11-0x00000000008F0000-0x0000000000906000-memory.dmp

memory/2104-12-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

memory/2816-15-0x00000000000A0000-0x00000000000B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1D12.tmp.bat

MD5 11457198688738047152370253fa72ad
SHA1 6d629c4232436eeecd81f8f9f3a4e760dda0aee8
SHA256 e50b1221fd814e00bb95d44debfe955eac76d663f67a7b771f4b1ef16c52895b
SHA512 9dbeddf44af37510de42b15ec065242a90c629213d48df2fa7bbbf36c99941ae1489dc1c044b4c5eb1405e394f81c3d88adf0de35694edd8281b9ddc13ca1dc2

memory/2104-26-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:52
Platform win7-20240221-en
Max time kernel 134s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 1464 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2972 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1780 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1780 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2ABEC9E2-E01E-4E50-82F0-5AA56D67193C} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/2972-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

memory/2972-1-0x0000000000A60000-0x0000000000A76000-memory.dmp

memory/2972-6-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2972-7-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2904-11-0x0000000000240000-0x0000000000256000-memory.dmp

memory/2972-12-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/1464-15-0x0000000000E30000-0x0000000000E46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp.bat

MD5 977dfeaef8a338e67e8d1d28bf26575f
SHA1 4207b1ee5469cee4cf4e6c90ac06be80fe381096
SHA256 56ce998be49172f798118e25c955e01988cba8c4fa8fa89bcb080fb1d51c7f76
SHA512 5ebb90ed1c770863d653deb0f1890624ed58986fdfbfeda57dc8b40f4e91cb4439946e3ec351a2d4f3e58ba3965d7093c2f085e354afc48bf844ad61d031ae32

memory/2972-26-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:52
Platform win7-20240215-en
Max time kernel 133s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2584 wrote to memory of 2416 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2584 wrote to memory of 2416 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2584 wrote to memory of 2416 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2584 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2584 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2584 wrote to memory of 2680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 3016 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 884 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 884 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 884 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {767ECC11-9981-4729-8B36-994FF073AF40} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/3016-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

memory/3016-1-0x0000000001050000-0x0000000001066000-memory.dmp

memory/3016-6-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

memory/3016-7-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2416-11-0x0000000000240000-0x0000000000256000-memory.dmp

memory/3016-12-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

memory/2680-15-0x0000000000140000-0x0000000000156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.bat

MD5 60745f5b5f87b91f568e357abc26d9c3
SHA1 009f1bcdc6ce3a47937a6e4ebc3a303e1fdd4550
SHA256 398c1fbe08c29d3783072c7f7d55e38b68f6f22d6f2fbc905092f5d87dba7e46
SHA512 0cc3939d5cd7331a8c9fa7147fcc2e2a8025de0e1b97365aea38cd12be2914d32c1da9b3394a205949271db95edd699c5ddd13fec663cba6ff46e0219003593f

memory/3016-26-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted 2024-06-01 07:48
Reported 2024-06-01 07:52
Platform win7-20240508-en
Max time kernel 130s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2464 wrote to memory of 2528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2528 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2100 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2208 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1408 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1408 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {77CB423F-C7DC-4D21-816A-A71B9E5E33E7} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2208-0-0x000007FEF5FC3000-0x000007FEF5FC4000-memory.dmp

memory/2208-1-0x00000000000A0000-0x00000000000B6000-memory.dmp

memory/2208-6-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/2208-7-0x000007FEF5FC3000-0x000007FEF5FC4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2528-11-0x0000000000060000-0x0000000000076000-memory.dmp

memory/2208-12-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/2100-15-0x0000000000BF0000-0x0000000000C06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat

MD5 a5cc3adc10fcc13fa34e23840f511e94
SHA1 2fd20d178f2c77b93c4b9534439c4d4645eaef05
SHA256 5d2cda56188e8016a68f55ef05aab09c2797238dca68ddea68a59edf6c0d82f5
SHA512 c06ba1fca924183e0002847b41ae8c39b1875574ca43f37e6966672e6d866a6f98f728118bdba0c9ab74367477d670e6b6482a307b43d8c4436e5e0ad89d905a

memory/2208-26-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2224 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2224 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2388 wrote to memory of 2452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2388 wrote to memory of 2452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2388 wrote to memory of 2452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2388 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2388 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2388 wrote to memory of 2136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2224 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2224 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2224 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\System32\schtasks.exe
PID 2224 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AB48CC92-2253-4039-99EC-7DEAFC142BD4} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 bring-recorder.gl.at.ply.gg udp
US 147.185.221.19:23638 bring-recorder.gl.at.ply.gg tcp

Files

memory/2224-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/2224-1-0x00000000010C0000-0x00000000010D6000-memory.dmp

memory/2224-6-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2224-7-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2452-11-0x0000000000320000-0x0000000000336000-memory.dmp

memory/2224-12-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2136-15-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2224-26-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp.bat

MD5 6f34dd87a4c3d188085649ca51dd80cd
SHA1 3a3b06a5505642eadba68469689fdaf7a893fec3
SHA256 ef710180b77c892573c8d7e783c0496afa66ff9f78a8d216a2058d52ce7d546e
SHA512 b6b7ae143dd08cc43e63caea7d7d3d5b31a7decae884d12a53834da2d4cf5aa8e7350c84239e6a166d8b9abbd3ee153d5f6fe5b43bfbe827a36257b926aca49a

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

127s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2800 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2800 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2800 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2800 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2800 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2800 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2548 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2548 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DC8996E0-5224-405B-B1A9-6C042277E8B9} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp194B.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2548-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

memory/2548-1-0x00000000011D0000-0x00000000011E6000-memory.dmp

memory/2548-6-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2716-10-0x00000000001D0000-0x00000000001E6000-memory.dmp

memory/2548-11-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

memory/2548-12-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/1676-15-0x0000000001030000-0x0000000001046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp194B.tmp.bat

MD5 d5eb2c1a1ffdbb6ae9cb7579866c521b
SHA1 60b870a4ef18e25d5a81d3aa15e47e940bfac324
SHA256 60dc6da73d6001992d002483525bf2562a75232dfbfeaedc97374fc14bb45292
SHA512 66e37601eeab1aed24010faef2e7672c42a62dab31dce101b5a3c5e1960083a9ce0ec52f8cded44ae027167216b796e5bad00692dd6798642976230479cf0e91

memory/2548-26-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240419-en

Max time kernel

130s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1824 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1824 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 2640 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2640 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2640 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2640 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2640 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2640 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1824 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1824 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1824 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\System32\schtasks.exe
PID 1824 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1400 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1400 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {19988ED8-DC6E-4D69-BC07-93A807180092} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFE2.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 147.185.221.19:23638 tcp

Files

memory/1824-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

memory/1824-1-0x0000000000850000-0x0000000000866000-memory.dmp

memory/1824-6-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/1824-7-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2468-11-0x0000000001050000-0x0000000001066000-memory.dmp

memory/1824-12-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/1196-15-0x0000000000120000-0x0000000000136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFFE2.tmp.bat

MD5 909e4c1ece2bf6c829909c6ea2463a56
SHA1 0f6c380b43dbc743d12be9e64b60c2fede7e9d58
SHA256 e28c1c724efaac7769a1a433e95314ba3de29c7f3ec906532d6a051952ecdeac
SHA512 6c483d5ad375dd010274940979339c044ebe6699108da65fc2ef933613069905a9df662fd5276a1099bea3f80a22056398313080591da9de06914c67525be2b9

memory/1824-26-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240221-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2700 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2700 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2700 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2868 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe C:\Windows\system32\cmd.exe
PID 752 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 752 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 752 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4B045D07-A34A-4255-972B-1C806AA7C53F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CB.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 127.0.0.1:23638 tcp
US 8.8.8.8:53 then-wheel.gl.at.ply.gg udp
US 147.185.221.19:23638 then-wheel.gl.at.ply.gg tcp

Files

memory/2868-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/2868-1-0x0000000001110000-0x0000000001126000-memory.dmp

memory/2868-6-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2868-7-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2592-11-0x0000000000C50000-0x0000000000C66000-memory.dmp

memory/2868-12-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2984-15-0x0000000000C70000-0x0000000000C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5CB.tmp.bat

MD5 cd463823f1cde9ac121437a188f24977
SHA1 784c8d0e6883d65476c4aa415d5b79742172de44
SHA256 8d5c7a3102d237e57980f795828156ce91320da1e1a293652f60ac538b2bd3dd
SHA512 bbe280050cd55d770077cd16cd9a3a04bcf8e44b8fc2d663715f4a726fe073203e891659c3cbe313a8c85646255556a0a69f1b9b0eb2541cf21eabc5c6a11705

memory/2868-26-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240508-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\uwumonster.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2432 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2472 wrote to memory of 2380 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2472 wrote to memory of 2380 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2472 wrote to memory of 2380 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2472 wrote to memory of 2148 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2472 wrote to memory of 2148 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2472 wrote to memory of 2148 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2432 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2432 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 1412 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1412 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1412 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E58556FE-E8D4-4AF7-BDA8-ECC55A7A2944} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | action-yesterday.gl.at.ply.gg | udp
US | 147.185.221.19:23638 | action-yesterday.gl.at.ply.gg | tcp

Files

memory/2432-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

memory/2432-1-0x00000000013C0000-0x00000000013D6000-memory.dmp

memory/2432-6-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

memory/2432-7-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2380-11-0x0000000000E10000-0x0000000000E26000-memory.dmp

memory/2432-12-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp.bat

MD5 949107bd485b2063a1b151291dc1872e
SHA1 848878334920b2953d0b0ef47c061ce45f182be6
SHA256 7af6b0515ffda4dd2d33fa59b5b87f8978837b5703b4517cc1d6d5dbd3f789e2
SHA512 03a725e00622c9bf43197dcb519e65154b4711d25b14e50a97e0e4df854b503219a03e0becfce7ac71e72fa20ec33832c49a9ce48e617a7726bc079a39ee2a3f

memory/2432-25-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:48

Reported

2024-06-01 07:52

Platform

win7-20240215-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe" | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\uwumonster.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1920 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 1920 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 1920 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 2464 wrote to memory of 2840 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2840 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 2840 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 1264 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 1264 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 2464 wrote to memory of 1264 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\uwumonster.exe
PID 1920 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 1920 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 1920 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\System32\schtasks.exe
PID 1920 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe | C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3048 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3048 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D133B3DF-715F-47C8-899D-572897636A29} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Users\Admin\AppData\Local\uwumonster.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "uwumonster"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp121A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bring-recorder.gl.at.ply.gg | udp
US | 147.185.221.19:23638 | bring-recorder.gl.at.ply.gg | tcp

Files

memory/1920-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1920-1-0x0000000000110000-0x0000000000126000-memory.dmp

memory/1920-6-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\Users\Admin\AppData\Local\uwumonster.exe

MD5 222c2d239f4c8a1d73c736c9cc712807
SHA1 c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256 ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512 1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

memory/2840-10-0x0000000001050000-0x0000000001066000-memory.dmp

memory/1920-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp121A.tmp.bat

MD5 24bbe403f9e3621f07b31ad5e144fd69
SHA1 c55487b00933e186adeedf8f9873f973c44d1e05
SHA256 b52eb6d608d1a61a0ddd16c45bc4e00d2357fa7f067c208d30047b16dd37f8e5
SHA512 ce5c8751365ff055fe68e2f195d69e8c1474ae4bcdb624ede5ebd42440c1c136a3770721346a9e88ca54ab1baab741b8a3198e721a9b32936d3946e1afabff93

memory/1920-24-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp