General
Target: EZChanger.exe
Size: 427KB
Sample: 240511-jr7rjshf58
MD5: b54849e4f68488b99339341a80d6b02a
SHA1: 73ae2db4a12abb7a68ad410f31a878eb2a87a2fb
SHA256: 8c42fe788c73dfe7843feb5e6ec639a9f0cdfc1a4dc3e6536242f23636c870b9
SHA512: de7bd9e4682b62d46c5ef95a204d880c55000674075b5d55ce631874af590ade052548d933742f364b6abcb10726e3ade53bd3d1b1234bec9559531c5a0e1602
SSDEEP: 6144:XT1+bqO3XnmtWrnngnnnKnanlywwwBwwA5wwwwswww+wwwGwwwbwwwLwwwwwwwwg:DFO3WtWrnngnnnKnanxNY
Behavioral task: behavioral1
Sample: EZChanger.exe
Resource: win7-20240508-en
Malware Config
Extracted: xworm
127.0.0.1:37915
5.39.43.50:37915
de-engines.gl.at.ply.gg:37915
these-accommodation.gl.at.ply.gg:37915
Install_directory: %AppData%
install_file: dllhost.exe
Targets
Target: EZChanger.exe
Size: 427KB
MD5: b54849e4f68488b99339341a80d6b02a
SHA1: 73ae2db4a12abb7a68ad410f31a878eb2a87a2fb
SHA256: 8c42fe788c73dfe7843feb5e6ec639a9f0cdfc1a4dc3e6536242f23636c870b9
SHA512: de7bd9e4682b62d46c5ef95a204d880c55000674075b5d55ce631874af590ade052548d933742f364b6abcb10726e3ade53bd3d1b1234bec9559531c5a0e1602
SSDEEP: 6144:XT1+bqO3XnmtWrnngnnnKnanlywwwBwwA5wwwwswww+wwwGwwwbwwwLwwwwwwwwg:DFO3WtWrnngnnnKnanxNY
- Class file contains resources related to AdWind
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Modifies file permissions
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.