Overview

overview

10

Static

static

1

Zpeyoxgyc.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    32s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zpeyoxgyc.exe

  • Size

    4.4MB

  • MD5

    7359f3a1c9b6374047ac9344100c92e7

  • SHA1

    75abe16601f1e6d545f59e4a032a00fc6cc1f8a0

  • SHA256

    b37907a3276eeefa6ec2b4a9a40b51b212bec519250c9fbe45f30cb7070280de

  • SHA512

    03f574541d5c92ffe2275aa03c490ec2845055b7fda67cd6e6475ed850e446f6a346ac68e79fa0f0fa1c4dc402f9a4ebb215e7f2016fbeb640424283cccbbb7e

  • SSDEEP

    24576:gNHkM9QO1ecERY2sQ0yfmJw7aQmm/WV9wuOwzdG/I/cU/UmISA8QyI1anQdMhdrh:c

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

7mmLIbwkAfOoLpqk

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zpeyoxgyc.exe
    "C:\Users\Admin\AppData\Local\Temp\Zpeyoxgyc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\Zpeyoxgyc.exe
      "C:\Users\Admin\AppData\Local\Temp\Zpeyoxgyc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Zpeyoxgyc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zpeyoxgyc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zpeyoxgyc.exe.log
    Filesize

    897B

    MD5

    ae5902f6f08a0ccf65d2b2cf5de35baf

    SHA1

    fed0917857eab4faba95d0e6bc035527a73775fe

    SHA256

    4ca1e95c28fcf10cfb00e6dd1a952d85e4968614b2f455ee915eca088f09f09b

    SHA512

    9aef0ff0f00fefad8897ee8de23999aad33bfb243afb5884286aaf7e32a86386585e4fc35b426397f940b0df4426b49d463ab7dbc64f1e06c9ce319cb6385ee7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4b0175f5b270c19c66bee0fce809b8b9

    SHA1

    24ed681638a8784989b08e82188ff6814cb39c8e

    SHA256

    529d9f230ecbd22db1b4fcd061c6f352b28f45766b34c3185a5476b826a04e42

    SHA512

    b7f35527c682dbec3009975866d4b4bd771fb3c5a3e1457937f06d63ed23f46aa016fd7d2363976fa2012a8a0e0439caa47f69e0ebeeb842de7ed1df26f29251

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvfnc5q4.yxp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/2384-4934-0x00000000074A0000-0x00000000074BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2384-4923-0x00000000065A0000-0x00000000065EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2384-4944-0x0000000007970000-0x0000000007978000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2384-4943-0x0000000007990000-0x00000000079AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2384-4942-0x0000000007880000-0x0000000007895000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2384-4941-0x0000000007870000-0x000000000787E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2384-4940-0x0000000007840000-0x0000000007851000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2384-4939-0x00000000078D0000-0x0000000007966000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2384-4938-0x00000000076A0000-0x00000000076AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2384-4937-0x0000000007630000-0x000000000764A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2384-4936-0x0000000007C80000-0x00000000082FA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2384-4935-0x0000000007520000-0x00000000075C4000-memory.dmp
    Filesize

    656KB

    Download
  • memory/2384-4906-0x0000000002AF0000-0x0000000002B26000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2384-4925-0x000000006FDB0000-0x000000006FDFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2384-4924-0x00000000074E0000-0x0000000007514000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2384-4947-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2384-4922-0x00000000062E0000-0x00000000062FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2384-4921-0x0000000005DD0000-0x0000000006127000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2384-4917-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2384-4909-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2384-4911-0x0000000005C70000-0x0000000005CD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2384-4910-0x0000000005450000-0x0000000005472000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2384-4907-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2384-4908-0x00000000054D0000-0x0000000005AFA000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2800-4969-0x00000000077C0000-0x00000000077CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2800-4902-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2800-4905-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2800-4904-0x0000000005D50000-0x0000000005DEC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2800-4970-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2800-4903-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3308-46-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-38-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-58-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-56-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-4891-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3308-4892-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3308-4893-0x0000000006C50000-0x0000000006CAC000-memory.dmp
    Filesize

    368KB

    Download
  • memory/3308-4894-0x0000000006CB0000-0x0000000006CFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3308-4895-0x0000000006DE0000-0x0000000006E46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3308-4896-0x00000000075C0000-0x0000000007614000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3308-4901-0x0000000074CE0000-0x0000000075491000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3308-62-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-64-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-66-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-68-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-5-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-20-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-6-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-8-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-10-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-12-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-18-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-22-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-60-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-40-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3308-24-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-26-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-28-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-30-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-32-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-34-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-36-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-42-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-44-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-50-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-52-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-54-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-48-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-16-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-14-0x0000000006800000-0x0000000006A1B000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3308-4-0x0000000006AC0000-0x0000000006B52000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3308-1-0x0000000000700000-0x0000000000B70000-memory.dmp
    Filesize

    4.4MB

    Download
  • memory/3308-3-0x0000000006FD0000-0x0000000007576000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3308-2-0x0000000006800000-0x0000000006A22000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/4848-4959-0x000000006FDB0000-0x000000006FDFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4848-4957-0x0000000005870000-0x0000000005BC7000-memory.dmp
    Filesize

    3.3MB

    Download