Analysis

  • max time kernel
    30s
  • max time network
    6s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:02

General

  • Target

    UNBANSEVER.exe

  • Size

    759KB

  • MD5

    30485bfd2d58f3448b9b235a05b9951c

  • SHA1

    183f316fd6201eba056ccb5a8efdece5df6c8f8c

  • SHA256

    d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b

  • SHA512

    758c110ca487b2195581370fbc3021a35ebfaeffc202deedf84be2c1813de6e5cb43947ee3ee4fb2e57e369897b06bd802065a85a9dbd8138444e8471b6af252

  • SSDEEP

    12288:Ink7Er1/zPdaGn+SjpV8VnHGM/GCA9KP91jUwMf+VO:U6idxLj8BHGyRx9d3W+VO

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

45.141.26.194:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe
    "C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
      "C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\ProgramData\UNBANSEVER.exe
        "C:\ProgramData\UNBANSEVER.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im RiotClienServices.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im RiotClienServices.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im vgtray.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4984
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im vgtray.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3996
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTPDebuggerUI.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3668
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4184
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im KsDumperClient.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4696
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im KsDumper.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1252
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTPDebuggerUI.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTPDebuggerSvc.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4764
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im ProcessHacker.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2672
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:900
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im idaq.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im idaq64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Wireshark.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4188
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Fiddler.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:548
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im FiddlerEverywhere.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:412
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
          4⤵
          PID:2344
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Xenos64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:328
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
          4⤵
          PID:1256
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Xenos.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
          4⤵
          PID:2884
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Xenos32.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:700
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
          4⤵
          PID:3808
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im de4dot.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4056
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
          4⤵
          PID:4552
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Cheat Engine.exe
            5⤵
            • Kills process with taskkill
            PID:3812
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
          4⤵
          PID:644
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im cheatengine-x86_64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4020
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
          4⤵
          PID:996
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1360
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
          4⤵
          PID:968
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4500
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
          4⤵
          PID:3240
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im MugenJinFuu-i386.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4588
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
          4⤵
          PID:4760
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im cheatengine-x86_64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4380
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
          4⤵
          PID:1496
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im cheatengine-i386.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:944
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
          4⤵
          PID:4916
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
            5⤵
            • Kills process with taskkill
            PID:1808
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
          4⤵
          PID:1480
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im KsDumper.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:436
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
          4⤵
          PID:1296
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im OllyDbg.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4636
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
          4⤵
          PID:1132
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im x64dbg.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2684
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
          4⤵
          PID:1468
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im x32dbg.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4132
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
          4⤵
          PID:752
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTPDebuggerUI.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4156
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
          4⤵
          PID:1616
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTPDebuggerSvc.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4972
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
          4⤵
          PID:3144
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Ida64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3472
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
          4⤵
          PID:1440
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im OllyDbg.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
          4⤵
          PID:3064
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Dbg64.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3996
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
          4⤵
          PID:3696
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im Dbg32.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3668
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:4860
      • C:\ProgramData\SecurityHealthSystray.exe
        "C:\ProgramData\SecurityHealthSystray.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\SecurityHealthSystray.exe

    Filesize

    112KB

    MD5

    08cc682417292fe4a048e5e466b13a1b

    SHA1

    bd2feb697b639327de8eb67e6ac4957df8f3b7b3

    SHA256

    38182c14bb826f357f1348df2affc840df3173054347b4883b0e3ae18402448c

    SHA512

    f5c5c49e9d652bdc3d89912880c2eefa80cce28fc3ecb7e3bb267969bd6dc79a5c8e218c307c869df2e63c50bb97a37813e47c6a87170c83a1bae4f9bf538267

  • C:\ProgramData\UNBANSEVER.exe

    Filesize

    548KB

    MD5

    6c08ba3b33673a7979167a6138a42544

    SHA1

    a065fa0d2d8d1d82dbb6cd1e1b3c8be2a09c74d1

    SHA256

    bed8d059ed403a6ff674aee820d5b3b0df4e072d1e86d09af8b55703abe31038

    SHA512

    69ea45439d6a965758fe8e8bbe05f6d247231e72d98e7396a77f6958636b968eb43742dcc4a1be4a9f05e67a0b2c526c16e27b7e7c64ce8fafed7531d180c03e

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UNBANSEVER.exe.log

    Filesize

    654B

    MD5

    11c6e74f0561678d2cf7fc075a6cc00c

    SHA1

    535ee79ba978554abcb98c566235805e7ea18490

    SHA256

    d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

    SHA512

    32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

  • C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe

    Filesize

    675KB

    MD5

    ed22ee40a790a5153cd085e9dbd7391f

    SHA1

    f4e4d5723b2402c9a1c972b2c40ce2311d10171e

    SHA256

    a4504aa12e11ba425fca91830b3bed4834dd44109a01d5ff8c75e110a482fcc5

    SHA512

    5cb1b65f1c7861f89f09fb35b0a3ce189f4ded76c952b60f4a5fdb7f6abca3268fa768a6576ff9f09d106e6ed0ba4391ddd9aabc684b7e3101f0fd64cdbcd5a3

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    70KB

    MD5

    ae702d156a2ee10aa0df4e5a365654a1

    SHA1

    bad92787d53da53bda2f180f770752e679ba80c0

    SHA256

    07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716

    SHA512

    3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

  • memory/1296-0-0x00007FF807763000-0x00007FF807765000-memory.dmp

    Filesize

    8KB

  • memory/1296-1-0x0000000000EA0000-0x0000000000F64000-memory.dmp

    Filesize

    784KB

  • memory/1616-34-0x00007FF807760000-0x00007FF808222000-memory.dmp

    Filesize

    10.8MB

  • memory/1616-32-0x0000000000E20000-0x0000000000ED0000-memory.dmp

    Filesize

    704KB

  • memory/1616-61-0x00007FF807760000-0x00007FF808222000-memory.dmp

    Filesize

    10.8MB

  • memory/2556-60-0x00000000008A0000-0x00000000008C2000-memory.dmp

    Filesize

    136KB

  • memory/4520-30-0x0000000000F70000-0x0000000000F88000-memory.dmp

    Filesize

    96KB

  • memory/4520-56-0x00007FF807760000-0x00007FF808222000-memory.dmp

    Filesize

    10.8MB

  • memory/4520-63-0x00007FF807760000-0x00007FF808222000-memory.dmp

    Filesize

    10.8MB