General

  • Target

    XClient.exe

  • Size

    80KB

  • Sample

    240217-t6aqgahc56

  • MD5

    ae2f652e52dc8b5798606b3b1dfdca26

  • SHA1

    814e6fddaa6f41708f3927261282dcd550bb36bc

  • SHA256

    29af9b630c90fb4fbf0ae8c1ab72bb517ad0eea22609fe6cf0e5750cdf7cae31

  • SHA512

    826142b3ca1363002f975268764b126bbc50a83e49cafa1d1a36097f37764de1672b093a9d5d54466039ce84979a449eb91cdc25394eddb8138f38e745616ac5

  • SSDEEP

    1536:ZIRskJ7epm+t258i12bAX9Uz9Y6ITtOFGWPSvKOG:uxU5AhIbAdtOVqpG

Malware Config

Extracted

Family

xworm

C2

institute-u.gl.at.ply.gg:34038

Attributes

  • Install_directory

    %AppData%

  • install_file

    scvhost.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks