Extracted

• • Target

    z2PO20240815.pdf.lnk

  • Size

    3KB

  • MD5

    c4faf5e376bc049a2e22dca8f31e0382

  • SHA1

    5a4b2a74e6c948e603e71df075cdb84e37a9798c

  • SHA256

    c1ac6640bb74438f7a6c430ab4c701f7daf2117b87522f9bb4b8da6fdca1b375

  • SHA512

    ba9bec097690386b7201f78924e11e15d49de103fcd653fd96ec3eafb82a9e8ef0bb246a5b58d57a81d71ab9a30bff8cef5d7afbe703c01016b67a7bcbd98b1e

  Score

  10^/10

  xwormdiscoveryexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2