Extracted

• • Target

    RoWare.exe

  • Size

    472KB

  • MD5

    b63bed7f19631126a453b49d603c74a4

  • SHA1

    abd90b6cbda580c135e1b28b89d4f0027f939225

  • SHA256

    2367f924d3eeb65eac13f2fef2c92ae901605323ae0e3c91b24a8c0717c1829a

  • SHA512

    29aa82c4c201512b4ebacc3ea1725bdb8207fe56ae68c7b7620da9b619b8cf1801fa5488f47863d46c056066eb559a3c0c887c46fd816890c9e9d4a2a32f192d

  • SSDEEP

    12288:Qy90sdnp4C4BytE9WlGKfmQgNsP/N6aSg5U2D:Qy1dpF44osGKfmQEwOg5h

  Score

  10^/10

  xwormdefense_evasionexecutionpersistenceprivilege_escalationrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  behavioral1behavioral2