Extracted

• • Target

    1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc

  • Size

    5.8MB

  • MD5

    6192ed4726e46be98934d1e4ebebb7e3

  • SHA1

    df8badbe186b9ca3cd88bc4014a3a4aac8ac1736

  • SHA256

    1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc

  • SHA512

    b7a8f9cc0d3f214272e3b51bc02f14db11d5c2c1bb0177c31a8dca7fd1f1fa1e08aa6ec6c9b9de652455fc5fbe3abb939d0c591cece2e075adbe963fb6ca0969

  • SSDEEP

    98304:0wREfWuXTo8ToIebV6oHFE9xI6ohWhPSwVrGiGfm8EOuq2NmF:MfWW8uGY9xVoY9zELHPuqimF

  Score

  10^/10

  discoverypersistencexwormevasionexecutionrattrojan

  • Detect Xworm Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Sets service image path in registry

    persistence

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2