Resubmissions

02/06/2024, 11:24

240602-nh6kcabd9z 10

General

  • Target

    SS.exe

  • Size

    196KB

  • Sample

    240602-nh6kcabd9z

  • MD5

    da28b9c91a36389d8071ad53ef5a8a0a

  • SHA1

    bc5d3d131de68dec004b4ecc8e6fe55f84754380

  • SHA256

    e80d33b5e40b4070b22906912cb807418cc96ed6ba5c1f9416ca285d5c06ba20

  • SHA512

    5f1122ebe85d3c83f1e19549a8ed62fd690281234fed8f0dd8bb4898fefe34788ffc5ddb40abbe99610e78f65c9e083af214d47e0a2419cc680a6584d714c130

  • SSDEEP

    3072:CO2MN1EALtYwx4XqLqejJ3uW4biLseLQGfFJgcmodkUkJxn77v2iPY:CIN1EAr4SeBid/eedW/vz

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:13576

edition-eat.gl.at.ply.gg:13576

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks