Extracted

• • Target

    node-v22.11.0-x64.msi

  • Size

    28.9MB

  • MD5

    fa9e1f3064a66913362e9bff7097cef5

  • SHA1

    b34f1f9a9f6242c54486a4bc453a9336840b4425

  • SHA256

    9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

  • SHA512

    ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

  • SSDEEP

    786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

  Score

  10^/10

  xwormdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Blocklisted process makes network request

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Hide Artifacts: Hidden Window

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory

  behavioral1