Extracted

• • Target

    hhhhhh.exe

  • Size

    79KB

  • MD5

    ee2974f54f01e6239325c4a59d2df8cc

  • SHA1

    5dbdf4808e8435479131e02360c6a8ccdb5e555e

  • SHA256

    f4896bd4f3854ceb788300272a21a398edbf3f4ffa9450d74f350b150989db77

  • SHA512

    50e43425395396b98b87d832df1d0b0a0a79e8b27567c78521a0b0ee176552d36c2a390bdb13023010e80db5895043f607eb287462afcc286256f4fbde0d339c

  • SSDEEP

    1536:sT8B6ZGyle6fKKJ36v74byvJrfYaUa63bON2jCehE:sT8B6kyRK4a4byvhQOUGuE

  Score

  10^/10

  xwormevasionpersistenceransomwarerattrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Disables RegEdit via registry modification

    evasion

  • Modifies Installed Components in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2