Analysis
-
max time kernel
1797s -
max time network
1804s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-uk -
resource tags
-
submitted
21-08-2024 14:16
General
-
Target
EZTEAM.exe
-
Size
4.6MB
-
MD5
631c9f13ed307ab87ea9c913705fdbc5
-
SHA1
33bd6f5e1087f3e2f345387cd576405750a3cbf2
-
SHA256
b0024dd1d6af38b098b2ae0fc79ca693f55e145b01f8e31c29be40089070b0df
-
SHA512
0104a56bfa48603ac2dc2c4bd71ade7b79f3d2fec24ceb0dfaff2edd52c340d3e1eefe47bb64ab4d6b1b89b9b559125120a794e2e4382ff0a3391c04426114e6
-
SSDEEP
98304:I4oWcj2LFBbvcp4CFa6DJjJhF1dPH9BQ/CEckk6:ICzTNC31J1K/1/
Malware Config
Extracted
xworm
executive-platforms.gl.at.ply.gg:53515
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Signatures
-
Detect Umbral payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 34 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe"C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\XClient.exe"C:\Users\Admin\XClient.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\benoyp.exe"C:\Users\Admin\AppData\Local\Temp\benoyp.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\benoyp.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\benoyp.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\benoyp.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sqkyly.exe"C:\Users\Admin\AppData\Local\Temp\sqkyly.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\EZTEAM.exe"C:\Users\Admin\EZTEAM.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x2d41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x2d41⤵
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD57d9ecfe610b58440e18d2bffe5167d71
SHA17afeed064042ef5e614228f678a0c595699c3d84
SHA2562c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632
SHA512017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29
-
Filesize
948B
MD5419f27ffc5ba25c04e1770b1448bfb5e
SHA11e63236c9efa419ceb9721da46da67cf503ed343
SHA2567d3f77880695b1b36e325228384820648b66cb7c6ceea2cc7e1529878179f16e
SHA512015e57c05cb0cfa4e463a88f37541c9fa259699eb7e8dbca6debcce8fe3c8b62e2b50815c5acf527f54686460acbe5c2823a58bbdff5c1b9567186620005b764
-
Filesize
1KB
MD5d3235ed022a42ec4338123ab87144afa
SHA15058608bc0deb720a585a2304a8f7cf63a50a315
SHA25610663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf
-
Filesize
1KB
MD5a741693e3bedb37a2fd9108dda307de0
SHA18e91bc3dc6205b7ea5fb0772f75c727712498bee
SHA2568b76b4abf8b6c8cc9ad4024b6c75c930b3ef82d8e2b41522925cd274f029dc3c
SHA5120f59e51db6d3677d07b902c68e79ee486b1064ff7526c4b18dde82fae87202204ebff4171e85cd88fe4588f1922a9d1be99d678db0f76e61e26578e30d79854f
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
232KB
MD57012fcfea8e3209d2df4ededfb4f054f
SHA1e6a56f17ef923403eb58640a5ba20f38ab86f7bb
SHA256dbc02fd38b5ee43d90a25ae195dd3068c6335cb59753ea9b9c4fed784e68d2c1
SHA5122e404c87d3fa61266f03f01f8d8337029363ed6fef5931f010a794b59f8bf89575da5626e86e2a9615f5fd3d8b829f678e57e6895b4f52c44d665177b3a68898
-
Filesize
10.0MB
MD5be9b8e7c29977c01f3122f1e5082f45d
SHA1c53a253ac33ab33e94f3ad5e5200645b6391b779
SHA256cb6384b855d46fe5678bb3d5d1fc77c800884f8345cb490e1aa71646e872d3ae
SHA51291514128a7a488581372881a556b081ad920086fd43da84188033f0bd48f294199192b753ec691c2cb79072420b346f767d9cfb4ef2d119ca1e345d65df8dc34
-
Filesize
4.5MB
MD5b826cc5df747e44487a66c817b489a44
SHA1d83fa81746187e6d38f3f573f054993a76db7390
SHA25679f9f7d5ce69d7b251ee044e12d3cb96e060e71c661561289c760f12802bc729
SHA512a79f0ed0158ad1f6402b66d83885e1c31ea4bf6149c1d86a20e30070e359525993a8eee7c6402cedeaa448e5d1d708ee5718974e444529c184b56b1759e8475b
-
Filesize
77KB
MD5240ac3d24197bc90f385af9c0dc37813
SHA1bfd68cf093c4c30c0873e0c4132c0d75c8497a8e
SHA256bd6436f6e215509d8872236f7d98a5c55e5c04ce3ff0b0f09d431e33cef235f0
SHA51242fcad036b1ade8abd6ef58bef28be978ebc791cfa1092c3e5799b25f334642d67cf2769c49784af6574a9e97d088945e4edc042ec20118e6d36c7a84df76e4c
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
8KB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
10.0MB
-
Filesize
48KB
-
Filesize
104KB
-
Filesize
2.0MB
-
Filesize
568KB
-
Filesize
2.0MB
-
Filesize
568KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
256KB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
136KB