Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250217-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/03/2025, 15:02

General

  • Target

    EzLauncherV2.exe

  • Size

    14.5MB

  • MD5

    78bd6d7f86dd54b70cd0b4fcef31a0c2

  • SHA1

    f1a2f8f9aeb0b2805a35f8507953a92c66e5ff60

  • SHA256

    5dee1f6c0d4cae977831434dad086bf2b5c7e779056d93c155ba00fd612c92c0

  • SHA512

    233bbda1972cb69308131ebea4dbbc68f3cc5780f05a41ebf35240e7fa5f7f70a1fb2118c780c9a44182306b25d4122aa6ecfa52da3fe42d4492cd530aae062b

  • SSDEEP

    196608:FlROav3q3KRZu80eHnGa6d805XW+tW3EL+Er3j7tJHiVbPbNZ5rscmkkBS6sudN7:F9v3qlReHnqPVW6W0L+UpIVnNgcbuB0O

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8848

testing-token.gl.at.ply.gg:8848

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EzLauncherV2.exe
    "C:\Users\Admin\AppData\Local\Temp\EzLauncherV2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\EZlauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\EZlauncher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Users\Admin\AppData\Local\Temp\EZLauncher(V2).exe
      "C:\Users\Admin\AppData\Local\Temp\EZLauncher(V2).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3400
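The extracted config (svchost.exe written to %AppData%, C2 on port 8848 behind a playit.gg tunnel hostname) and the process tree above translate directly into hunting rules. The block below is an added example, not code from tria.ge or from the sample: the Event record and its field names are a constructed stand-in for Sysmon-style process-creation and network-connection logs, the parent of PID 4320 and the persisted svchost.exe (PID 5000) in the sample log are assumptions rather than something the report shows, and matching any *.ply.gg host on port 8848 instead of only the exact name is a generalization made here because playit.gg tunnel hostnames are issued per token.

```python
"""Hunting rules derived from the XWorm config and process tree in the report above.

Added example, not tria.ge or XWorm code. Event is a constructed stand-in for
Sysmon-style process-creation and network-connection records; its field names
are assumptions, not a real log schema.
"""
from dataclasses import dataclass

# Indicators taken from the report's extracted config.
C2_HOST = "testing-token.gl.at.ply.gg"
C2_PORT = 8848
INSTALL_FILE = "svchost.exe"

# Directories where a genuine svchost.exe lives; anywhere else is suspect.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str              # full path of the process image
    parent_image: str = ""  # process events only
    dest_host: str = ""     # network events only
    dest_port: int = 0


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rogue_svchost(ev: Event) -> bool:
    """install_file=svchost.exe under %AppData%: the name is a lure, the path gives it away."""
    return (ev.kind == "process"
            and _name(ev.image) == INSTALL_FILE
            and _dir(ev.image) not in LEGIT_SVCHOST_DIRS)


def temp_drop_chain(ev: Event) -> bool:
    """An EXE in the user's Temp folder spawning another EXE from Temp (PIDs 4440 and 3400 above)."""
    return (ev.kind == "process"
            and TEMP_MARKER in ev.image.lower()
            and TEMP_MARKER in ev.parent_image.lower())


def c2_connection(ev: Event) -> bool:
    """Port 8848 to the configured host, or to any *.ply.gg tunnel host.

    Assumption: playit.gg tunnel names rotate per token, so the parent domain
    is matched rather than only the exact name from this sample's config.
    """
    host = ev.dest_host.lower()
    return (ev.kind == "network"
            and ev.dest_port == C2_PORT
            and (host == C2_HOST or host.endswith(".ply.gg")))


RULES = {
    "rogue_svchost": rogue_svchost,
    "temp_drop_chain": temp_drop_chain,
    "c2_connection": c2_connection,
}


def hunt(events):
    """Return sorted (pid, rule_name) pairs for every event that trips a rule."""
    hits = {(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)}
    return sorted(hits)


# Constructed sample log: the three processes from the report's tree, plus a
# hypothetical persisted copy (PID 5000) and two benign controls (PIDs 800, 900).
# The parent of PID 4320 and everything about PIDs 5000/800/900 are assumptions.
SAMPLE_EVENTS = [
    Event("process", 4320, r"C:\Users\Admin\AppData\Local\Temp\EzLauncherV2.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("process", 4440, r"C:\Users\Admin\AppData\Local\Temp\EZlauncher.exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\EzLauncherV2.exe"),
    Event("process", 3400, r"C:\Users\Admin\AppData\Local\Temp\EZLauncher(V2).exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\EzLauncherV2.exe"),
    Event("process", 5000, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\EZlauncher.exe"),
    Event("process", 800, r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event("network", 5000, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
          dest_host="testing-token.gl.at.ply.gg", dest_port=8848),
    Event("network", 900, r"C:\Windows\System32\svchost.exe",
          dest_host="updates.example", dest_port=443),
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The 127.0.0.1:8848 entry from the config is deliberately not matched: a loopback connection on that port is not something you can pivot on in network telemetry. The legitimate svchost.exe control (PID 800) and the 443 connection (PID 900) are there to show the rules stay quiet on normal Windows activity.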

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EZLauncher(V2).exe

    Filesize

    14.4MB

    MD5

    28a805c5a9f48d582c3d9c23ce22c6b8

    SHA1

    289ac4e0af3a0555046f31df163ccc5f43e8329c

    SHA256

    bb9c1a4fdb10cb63d4d4ab09298d2b0f42d47b577e4143a06223678172f7ce10

    SHA512

    505a945037baf25e48a5dd97983a66f30210e301b50e25929784094048783a218f49ca9ed9aea27cafa20a5cf96a3f8d6950331fd4fa288ba7d3b339434536e8

  • C:\Users\Admin\AppData\Local\Temp\EZlauncher.exe

    Filesize

    138KB

    MD5

    4ad1e2594e49d285e19a748ebc6585ea

    SHA1

    e737bb26c69e77872aae573ed5bcc9b907bc6018

    SHA256

    2cecb867064713031ec85c259a7f9ac7e0cc079b377f286e1e2adc18ac68c443

    SHA512

    41ef86ebad19031d85c742a27a42aa287f9c3ef3c353f76c8a7403debdd630cf8c5e73f0f636e7317bb81dc86fba7ebe079737720bf3673b0eb26da93228cacc

  • memory/3400-22-0x00007FF9475D0000-0x00007FF9475D2000-memory.dmp

    Filesize

    8KB

  • memory/3400-23-0x0000000140000000-0x0000000141C64000-memory.dmp

    Filesize

    28.4MB

  • memory/4320-20-0x0000000000400000-0x000000000128A000-memory.dmp

    Filesize

    14.5MB

  • memory/4440-11-0x00007FF928FD3000-0x00007FF928FD5000-memory.dmp

    Filesize

    8KB

  • memory/4440-13-0x00000000007F0000-0x0000000000818000-memory.dmp

    Filesize

    160KB

  • memory/4440-27-0x00007FF928FD0000-0x00007FF929A91000-memory.dmp

    Filesize

    10.8MB

  • memory/4440-28-0x00007FF928FD0000-0x00007FF929A91000-memory.dmp

    Filesize

    10.8MB