xworm | de902abc6d81684c8557e690ed47ed6d659e0daeda26c7d75e764c8da77771a9

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnamBinder.exe
Size

9.6MB
MD5

18c98c616674081b1910103b30ff697a
SHA1

37daea3f1cba0fe605996a3f456897a7bcf7dcdf
SHA256

de902abc6d81684c8557e690ed47ed6d659e0daeda26c7d75e764c8da77771a9
SHA512

3f8a88eb1c0c7cebd0b3a8ff9031a3e13601c15852ce15e35ca732e317a33dd0007988e23b4b884d4d8729e32c88b20c1620183c201d4952024df7a5757a2f03
SSDEEP

196608:uvMovhPSQPJqfRDzlYXi6mB57iy5nVug3MthWK:aJPSPlD6mviy5oh

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

look-omega.gl.at.ply.gg:27099

Attributes

Install_directory
%AppData%
install_file
Update.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000133b8-2.dat	family_xworm
behavioral1/memory/2840-14-0x00000000003F0000-0x000000000042A000-memory.dmp	family_xworm
behavioral1/memory/1392-47-0x00000000012D0000-0x000000000130A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
1624	powershell.exe
700	powershell.exe
1440	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
2840	msedge.exe
2752	UnamBinder.exe
1392	Update.exe
892	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	UnamBinder.exe
2848	UnamBinder.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnamBinder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1092	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2840	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2792	powershell.exe
1624	powershell.exe
700	powershell.exe
1440	powershell.exe
2992	powershell.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2840	msedge.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2840	msedge.exe
Token: SeDebugPrivilege	1392	Update.exe
Token: SeDebugPrivilege	892	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	msedge.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2792	2848	UnamBinder.exe	30
PID 2848 wrote to memory of 2792	2848	UnamBinder.exe	30
PID 2848 wrote to memory of 2792	2848	UnamBinder.exe	30
PID 2848 wrote to memory of 2792	2848	UnamBinder.exe	30
PID 2848 wrote to memory of 2840	2848	UnamBinder.exe	32
PID 2848 wrote to memory of 2840	2848	UnamBinder.exe	32
PID 2848 wrote to memory of 2840	2848	UnamBinder.exe	32
PID 2848 wrote to memory of 2840	2848	UnamBinder.exe	32
PID 2848 wrote to memory of 2752	2848	UnamBinder.exe	33
PID 2848 wrote to memory of 2752	2848	UnamBinder.exe	33
PID 2848 wrote to memory of 2752	2848	UnamBinder.exe	33
PID 2848 wrote to memory of 2752	2848	UnamBinder.exe	33
PID 2840 wrote to memory of 1624	2840	msedge.exe	35
PID 2840 wrote to memory of 1624	2840	msedge.exe	35
PID 2840 wrote to memory of 1624	2840	msedge.exe	35
PID 2840 wrote to memory of 700	2840	msedge.exe	37
PID 2840 wrote to memory of 700	2840	msedge.exe	37
PID 2840 wrote to memory of 700	2840	msedge.exe	37
PID 2840 wrote to memory of 1440	2840	msedge.exe	39
PID 2840 wrote to memory of 1440	2840	msedge.exe	39
PID 2840 wrote to memory of 1440	2840	msedge.exe	39
PID 2840 wrote to memory of 2992	2840	msedge.exe	41
PID 2840 wrote to memory of 2992	2840	msedge.exe	41
PID 2840 wrote to memory of 2992	2840	msedge.exe	41
PID 2840 wrote to memory of 1092	2840	msedge.exe	43
PID 2840 wrote to memory of 1092	2840	msedge.exe	43
PID 2840 wrote to memory of 1092	2840	msedge.exe	43
PID 1952 wrote to memory of 1392	1952	taskeng.exe	46
PID 1952 wrote to memory of 1392	1952	taskeng.exe	46
PID 1952 wrote to memory of 1392	1952	taskeng.exe	46
PID 1952 wrote to memory of 892	1952	taskeng.exe	47
PID 1952 wrote to memory of 892	1952	taskeng.exe	47
PID 1952 wrote to memory of 892	1952	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe
"C:\Users\Admin\AppData\Local\Temp\UnamBinder.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAeQBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcgByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAeABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAeQBxACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1092
- C:\Users\Admin\AppData\Roaming\UnamBinder.exe
  "C:\Users\Admin\AppData\Roaming\UnamBinder.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

C:\Windows\system32\taskeng.exe
taskeng.exe {2E646970-A106-4385-BC99-C91C5C7C895F} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\Update.exe
  C:\Users\Admin\AppData\Roaming\Update.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Users\Admin\AppData\Roaming\Update.exe
  C:\Users\Admin\AppData\Roaming\Update.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z17N5YNLJJCAOS0GLRDW.temp

Filesize
7KB

MD5
b5d2b46d3dcdbadd48a5143b6324cb54

SHA1
7383e31132cc31f2bd856ac2ec658320c0931b59

SHA256
d4ed481e4b5963347a2bb305e5641073ea7c27337c2c3cb94d2df035b983263b

SHA512
86710c68248c9c2805a27cee4f86613f4ef637cab4404b2a3946f35eacaed63ba919293a9b60989db9eb16254f25186a92a8d35752ae254731be2c0d83bb0cec

Download Submit
C:\Users\Admin\AppData\Roaming\UnamBinder.exe

Filesize
9.4MB

MD5
70565dbd654937df2eaefc7c79941169

SHA1
5cb8daf1185704a9772f07dcec2e499149517715

SHA256
a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

SHA512
64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c

Download Submit
\Users\Admin\AppData\Roaming\msedge.exe

Filesize
214KB

MD5
d5b6b9cba9f1e67279ea7228c877e810

SHA1
ff83715f79bbd56aa66febec8cb139747a68fd7a

SHA256
99708b3398d0f77eb30f3113ee144bfa4a6efbc68fdf66b751d6928d0cf61ddd

SHA512
6bb127873d3004bf852953c9df2a38913cfaf1d2ff15b6d567881efade947e59f7d23aef1a0a9ec1730608cd2fba19bc3b8b6d6788d9a65f2f820a2869baafe4

Download Submit
memory/700-27-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/700-28-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1392-47-0x00000000012D0000-0x000000000130A000-memory.dmp

Filesize
232KB

Download
memory/1624-20-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1624-21-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2752-15-0x00000000000F0000-0x0000000000A52000-memory.dmp

Filesize
9.4MB

Download
memory/2840-14-0x00000000003F0000-0x000000000042A000-memory.dmp

Filesize
232KB

Download
memory/2840-43-0x000000001ABF0000-0x000000001ABFC000-memory.dmp

Filesize
48KB

Download