Overview

overview

10

Static

static

3

ez.exe

windows7-x64

ez.exe

windows10-2004-x64

Analysis

  • max time kernel
    254s
  • max time network
    256s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-01-2025 18:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ez.exe

  • Size

    46.0MB

  • MD5

    c09e00509d7efa941fd97f50ee999feb

  • SHA1

    117361c0c4d9aee118c7cfa4b44af9c561f2d2f9

  • SHA256

    1c4c8d4b80aadd685bf7344b326116a30265c0c1ca7cbaf40f3719b825a2740a

  • SHA512

    3a4e50e44deb484d296579d5d40e9379cef1a4f62869dd2a753244849019c77837defc4bf3349b68b5f9b61b30ea29f4d5f7d087c0d1b321e06e5d93beb69ca1

  • SSDEEP

    393216:9YXEXR3uzMK0GWSFqlV3lYWmnHGm8mtGDfdJlU8Jq8tA9KxFxCfV:9YXEXhuzMmF26WmnHGrO1

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ez.exe
    "C:\Users\Admin\AppData\Local\Temp\ez.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ez.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ez.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2820
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2524
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C1F99B1D-B200-49CA-B3C7-CB68BF73BC7B} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2652
      • C:\Windows\system32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1572
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        e6f4672093e96d079d6ef4c961fcdfa2

        SHA1

        f7e64204c793c22db350c536be956aaea27eb8b8

        SHA256

        6420b4d98fce1fa371e6b87c5f59be17a441d4e8a35e6a5cdfb103beab508e27

        SHA512

        7f93902dcdc0cf4084c74d2a9cd1ecca132076a88f9708f062ce4757a61681b2ba9d7e4347928f25d88868f1902413c0159fd0c6bdcaa0d0dc33ed004645c30a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        1429954b16a12a48b198e369f4e8f86b

        SHA1

        59b9309d0f9702dc9128518ffe9a20991c2a54b1

        SHA256

        a4009bfb805151851a18dfa9c99443300bcbf7bd88d9dd69516cf6c7d7efff39

        SHA512

        f18bb70626e98d189a12fd3149e9b3dd2b44aca1f6eca846d8a2244b292bb1178edcf37f8d12502ebe7d72dff86e86e968ef482993f6c2fbd6eae16e74f7ab42

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk
        Filesize

        740B

        MD5

        0b0c3b4ad1af031e8f4c9df2f5c241c7

        SHA1

        4b1f701fc326c15231628cea8165f120dbd7e468

        SHA256

        9d21923785ea5b507228e42f81b61d1f04b889663189d2bfdf4857706cce658c

        SHA512

        b99f9888525140a80c97bea2c5fa7ca058a2f0a0c2f1289478e79ab533840f809c9cc1a935dee06dc48242c943c76e7cdb112a97d3bc091f710224bc7ddc4ff8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
        Filesize

        46.0MB

        MD5

        c09e00509d7efa941fd97f50ee999feb

        SHA1

        117361c0c4d9aee118c7cfa4b44af9c561f2d2f9

        SHA256

        1c4c8d4b80aadd685bf7344b326116a30265c0c1ca7cbaf40f3719b825a2740a

        SHA512

        3a4e50e44deb484d296579d5d40e9379cef1a4f62869dd2a753244849019c77837defc4bf3349b68b5f9b61b30ea29f4d5f7d087c0d1b321e06e5d93beb69ca1

        Download Submit

      • memory/328-19-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/328-18-0x000000001B7A0000-0x000000001BA82000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/432-42-0x00000000001D0000-0x00000000001EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1316-46-0x0000000001030000-0x000000000104A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1556-40-0x0000000000050000-0x000000000006A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2100-37-0x00000000003E0000-0x00000000003FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2524-6-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2524-5-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2532-12-0x0000000002810000-0x0000000002818000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2532-11-0x000000001B500000-0x000000001B7E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2756-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-4-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-44-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-3-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-1-0x0000000000F50000-0x0000000000F6A000-memory.dmp

        Filesize

        104KB

        Download