Overview

overview

10

Static

static

3

UnamBinder.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UnamBinder.exe

  • Size

    9.6MB

  • MD5

    18c98c616674081b1910103b30ff697a

  • SHA1

    37daea3f1cba0fe605996a3f456897a7bcf7dcdf

  • SHA256

    de902abc6d81684c8557e690ed47ed6d659e0daeda26c7d75e764c8da77771a9

  • SHA512

    3f8a88eb1c0c7cebd0b3a8ff9031a3e13601c15852ce15e35ca732e317a33dd0007988e23b4b884d4d8729e32c88b20c1620183c201d4952024df7a5757a2f03

  • SSDEEP

    196608:uvMovhPSQPJqfRDzlYXi6mB57iy5nVug3MthWK:aJPSPlD6mviy5oh

Score
10/10
xwormdefense_evasiondiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

look-omega.gl.at.ply.gg:27099

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe
    "C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAeQBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcgByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAeABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAeQBxACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3320
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Update"
        3⤵
          PID:1992
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC2D4.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3876
      • C:\Users\Admin\AppData\Roaming\UnamBinder.exe
        "C:\Users\Admin\AppData\Roaming\UnamBinder.exe"
        2⤵
        • Executes dropped EXE
        PID:3924
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2436
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1116
      • C:\Users\Admin\AppData\Roaming\Update.exe
        C:\Users\Admin\AppData\Roaming\Update.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:736
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
          PID:3040
        • C:\Users\Admin\AppData\Roaming\Update.exe
          C:\Users\Admin\AppData\Roaming\Update.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SDRSVC
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2508
        • C:\Users\Admin\AppData\Roaming\Update.exe
          C:\Users\Admin\AppData\Roaming\Update.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4468

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log
          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          eb1ad317bd25b55b2bbdce8a28a74a94

          SHA1

          98a3978be4d10d62e7411946474579ee5bdc5ea6

          SHA256

          9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

          SHA512

          d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          104B

          MD5

          df02c786f4508325677d2cd273165961

          SHA1

          01f0f128062afc7cd5614ec2ec76c016a24c74ba

          SHA256

          d8b95ed3b1abd23954c1ee50277297ba881950d52905afa3899d107690cac6b1

          SHA512

          fb253a77775af784eaf36ca3d85be4ef2d06c2273b89c0803156997f52785755219728d1ebf38ce66d1c531b6735893a8ee451942036cb7ff87ab2abae1c9418

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a7cc007980e419d553568a106210549a

          SHA1

          c03099706b75071f36c3962fcc60a22f197711e0

          SHA256

          a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

          SHA512

          b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yahxfrqn.ry2.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpC2D4.tmp.bat
          Filesize

          155B

          MD5

          c32e7379e81078a7f5cb33d9cea4a514

          SHA1

          393dbb120876aba029bff712cc40aa716ab0b514

          SHA256

          7bbd0f94cee7fce7259883c1996fc9e379e3434ac123ae704e6c2da0ba70b25e

          SHA512

          ee65a97169194ac7b37c78bf6ecbadaa32f75dd617d77e9c287b6525b6616ccebfab5323c195ebe97bf2a4e81afac14dc848ef1b9a96e3a62a50b7542184dd7d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk
          Filesize

          766B

          MD5

          244721874c76873d89557df1e02b832c

          SHA1

          7942b00829f322ae47a5c6a8a5471b02773bc110

          SHA256

          a2a73b5548f2421a2ff8625b3af5fdb94419fe36232fff97b559454f1034a1aa

          SHA512

          2d5ef6cead9271513d7f24f77718bba982ba2584ed2734794f43f4c8eda1b85f246258c62f0381d6dc601b91538bb63e887f87fe8a6a8bc08047a73b7db1b17e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\UnamBinder.exe
          Filesize

          9.4MB

          MD5

          70565dbd654937df2eaefc7c79941169

          SHA1

          5cb8daf1185704a9772f07dcec2e499149517715

          SHA256

          a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

          SHA512

          64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\msedge.exe
          Filesize

          214KB

          MD5

          d5b6b9cba9f1e67279ea7228c877e810

          SHA1

          ff83715f79bbd56aa66febec8cb139747a68fd7a

          SHA256

          99708b3398d0f77eb30f3113ee144bfa4a6efbc68fdf66b751d6928d0cf61ddd

          SHA512

          6bb127873d3004bf852953c9df2a38913cfaf1d2ff15b6d567881efade947e59f7d23aef1a0a9ec1730608cd2fba19bc3b8b6d6788d9a65f2f820a2869baafe4

          Download Submit

        • memory/1280-63-0x0000022167570000-0x0000022167592000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2436-129-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-164-0x000001AE8F170000-0x000001AE8F180000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-126-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-127-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-170-0x000001AE91E30000-0x000001AE91E40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-128-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-130-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-131-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-132-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-120-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-121-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2436-122-0x000001AE91520000-0x000001AE91521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2632-30-0x0000000005A50000-0x0000000005AB6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2632-70-0x00000000074B0000-0x00000000074BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2632-31-0x0000000005AC0000-0x0000000005B26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2632-75-0x0000000007640000-0x0000000007651000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2632-29-0x0000000005180000-0x00000000051A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2632-28-0x00000000051F0000-0x0000000005818000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2632-97-0x0000000007680000-0x000000000768E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2632-98-0x0000000007690000-0x00000000076A4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2632-99-0x0000000007770000-0x000000000778A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2632-100-0x00000000076C0000-0x00000000076C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2632-25-0x0000000004B80000-0x0000000004BB6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2632-73-0x00000000076D0000-0x0000000007766000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2632-69-0x0000000007440000-0x000000000745A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2632-68-0x0000000007A90000-0x000000000810A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2632-32-0x0000000005B30000-0x0000000005E84000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2632-57-0x0000000007110000-0x00000000071B3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2632-56-0x00000000066B0000-0x00000000066CE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2632-46-0x0000000075520000-0x000000007556C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2632-27-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2632-45-0x00000000070D0000-0x0000000007102000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2632-43-0x0000000006190000-0x00000000061DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2632-42-0x0000000006100000-0x000000000611E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3228-133-0x000000001BD80000-0x000000001BE82000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3228-137-0x000000001B770000-0x000000001B780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-146-0x000000001B500000-0x000000001B536000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3228-149-0x00000000011B0000-0x00000000011BC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3228-15-0x00000000009B0000-0x00000000009EA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/3228-158-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3228-44-0x000000001B770000-0x000000001B780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-183-0x000000001BD80000-0x000000001BE82000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3228-11-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3924-134-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3924-24-0x0000016072E20000-0x0000016073782000-memory.dmp

          Filesize

          9.4MB

          Download

        • memory/3924-26-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

          Filesize

          10.8MB

          Download