xworm | a0756ab29accc2be2e7635acc8940e3220cd7dd9eb45885e9c8c84c820af7218

Analysis

max time kernel
1798s
max time network
1805s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30/09/2024, 18:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

why-so-serious.exe
Size

34KB
MD5

075e5dfc2e2877d810d9eb361d0dfe33
SHA1

3b4c8856d50de13242bbfd25324c16b6c6500d8d
SHA256

a0756ab29accc2be2e7635acc8940e3220cd7dd9eb45885e9c8c84c820af7218
SHA512

c0f6426a3acd4d2283724b3f86426efb91fd9f4d2dcb8b5dcc714a30652802277d46784bafda0151954101ac3c49aaba4acd33e9ef90218f8d3952573fc12429
SSDEEP

384:gSyXlquOae6oKoBmoDnnGvBLmlVCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuistt:XyXiBDAtYVC4CaV9FZ9jAPOjhj/4/

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lefferek-42016.portmap.host:61672

budget-compiled.gl.at.ply.gg:61672

Mutex

KvL0ZeqSklQx7juN

Attributes

Install_directory
%AppData%
install_file
DiscordClient.exe

aes.plain

1
NheZ6mJoEYbJFIE2DmVHDA==

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4152-1-0x0000000000970000-0x000000000097E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	why-so-serious.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	why-so-serious.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	why-so-serious.exe

C:\Users\Admin\AppData\Local\Temp\why-so-serious.exe
"C:\Users\Admin\AppData\Local\Temp\why-so-serious.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4152

Network

DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

8.8.8.8.in-addr.arpa

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

22.221.185.147.in-addr.arpa

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

22.221.185.147.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.43
DNS

43.229.111.52.in-addr.arpa

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

self.events.data.microsoft.com

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdwus19.westus.cloudapp.azure.com

onedscolprdwus19.westus.cloudapp.azure.com

IN A

20.189.173.26
DNS

26.173.189.20.in-addr.arpa

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

26.173.189.20.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.214.172

bg.microsoft.map.fastly.net

IN A

199.232.210.172
DNS

ocsp.digicert.com

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

172.214.232.199.in-addr.arpa

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.214.172

bg.microsoft.map.fastly.net

IN A

199.232.210.172
DNS

lefferek-42016.portmap.host

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

budget-compiled.gl.at.ply.gg

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

budget-compiled.gl.at.ply.gg

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

budget-compiled.gl.at.ply.gg

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22
DNS

lefferek-42016.portmap.host

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

lefferek-42016.portmap.host

IN A

Response

lefferek-42016.portmap.host

IN A

193.161.193.99
DNS

budget-compiled.gl.at.ply.gg

why-so-serious.exe

Remote address:

8.8.8.8:53

Request

budget-compiled.gl.at.ply.gg

IN A

Response

budget-compiled.gl.at.ply.gg

IN A

147.185.221.22

147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

2.6kB
1.7kB
34
34
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

1.1kB
236 B
6
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

822 B
236 B
6
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

1.4kB
236 B
7
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
120 B
5
3
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
120 B
5
3
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

1.4kB
236 B
7
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

770 B
236 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

782 B
184 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

466 B
172 B
4
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
160 B
5
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
172 B
3
4
193.161.193.99:61672

lefferek-42016.portmap.host

why-so-serious.exe

260 B
200 B
5
5
147.185.221.22:61672

budget-compiled.gl.at.ply.gg

why-so-serious.exe

414 B
132 B
3
3

8.8.8.8:53

budget-compiled.gl.at.ply.gg

dns

why-so-serious.exe

1.1kB
1.9kB
15
14

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

22.221.185.147.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.43

DNS Request

43.229.111.52.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

20.189.173.26

DNS Request

26.173.189.20.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.214.172

199.232.210.172

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

lefferek-42016.portmap.host

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

437 B
650 B
6
5

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.214.172

199.232.210.172

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

budget-compiled.gl.at.ply.gg

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22
8.8.8.8:53

lefferek-42016.portmap.host

dns

why-so-serious.exe

441 B
537 B
6
6

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

lefferek-42016.portmap.host

DNS Response

193.161.193.99

DNS Request

budget-compiled.gl.at.ply.gg

DNS Response

147.185.221.22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-0-0x00007FFD951C3000-0x00007FFD951C5000-memory.dmp

Filesize
8KB

Download
memory/4152-1-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/4152-6-0x00007FFD951C0000-0x00007FFD95C82000-memory.dmp

Filesize
10.8MB

Download
memory/4152-7-0x00007FFD951C3000-0x00007FFD951C5000-memory.dmp

Filesize
8KB

Download
memory/4152-8-0x00007FFD951C0000-0x00007FFD95C82000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.