Extracted

Extracted

Extracted

• • Target

    Mnemonicator v1.0.3 (infected).7z

  • Size

    37.5MB

  • MD5

    e18d698e01dbf05dc08822d787e825e5

  • SHA1

    1ea9a22d179d21a280a5de8b5ead6f3bae52c8d2

  • SHA256

    32cf3a092e09e4609675078976e052066c3fe7b42128a89b87b2473a2f51e42f

  • SHA512

    654212ffa8bc6e46b3f8db23a0bfd5574193f18807c63f29f15c0bbfd86714c064fff6f9ca8a2d88c547d48c33f73825d9f95ca2ac2707c8f9278968877106f2

  • SSDEEP

    786432:f68J6Hf9bldLadW0mnN1b2lUJVZh+evb6qylASOL:yddLadgrZQ46qylASg

  Score

  10^/10

  r77xwormdiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerratrootkittrojan

  • Detect Xworm Payload

  • R77 family

    r77

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77

  • r77 rootkit payload

    Detects the payload of the r77 rootkit.

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Event Triggered Execution: AppInit DLLs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1