General

  • Target

    Vson I Temp.rar

  • Size

    16.8MB

  • Sample

    250120-t7a3maypam

  • MD5

    b97fc35921f8b2f60e4ebda757a161fa

  • SHA1

    41825285f8b8dcf3dab275a8427037d62860ac39

  • SHA256

    bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

  • SHA512

    e3393d73672943223583cf00ce837cf785ded421cce4243a757ddb3724487b96d9b4a0294c47a47210826087187974b62824a4269bd2a0e10470f2f755210a4e

  • SSDEEP

    393216:2PEV8LR5nWvyP/QpfAnFKdEfqdnx16XBap4NT8ibU2larSFFTff:aIa5WUopecdnABai8mUu6Sbf

Malware Config

Extracted

Family

xworm

C2

45.88.91.79:1111

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

Targets

    • Target

      Vson I Temp.rar

    • Size

      16.8MB

    • MD5

      b97fc35921f8b2f60e4ebda757a161fa

    • SHA1

      41825285f8b8dcf3dab275a8427037d62860ac39

    • SHA256

      bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

    • SHA512

      e3393d73672943223583cf00ce837cf785ded421cce4243a757ddb3724487b96d9b4a0294c47a47210826087187974b62824a4269bd2a0e10470f2f755210a4e

    • SSDEEP

      393216:2PEV8LR5nWvyP/QpfAnFKdEfqdnx16XBap4NT8ibU2larSFFTff:aIa5WUopecdnABai8mUu6Sbf

    • Detect Xworm Payload

    • Xworm

      Xworm (XWorm) is a .NET remote access trojan written in C#; the extracted configuration above gives the C2 endpoint it calls back to and the install directory and file name it uses for persistence.

    • Xworm family

    • Downloads MZ/PE file

    • Sets service image path in registry

      Writes the ImagePath value of a service key under HKLM\SYSTEM\CurrentControlSet\Services so that the binary is started by the Service Control Manager at boot.

    • Checks computer location settings

      Reads the country code configured in the registry (under HKCU\Control Panel\International), most likely as a geofence so the payload does not run in excluded regions.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. On Windows this typically means writing an InprocServer32 or LocalServer32 value under HKCU\Software\Classes\CLSID, which takes precedence over the matching HKLM entry, so any process that instantiates that CLSID loads the attacker's binary.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Creates a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or its HKLM equivalent) pointing at the dropped binary, consistent with the install_file Update.exe in the extracted config.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand MICROSOFT.

      The sample carries Microsoft branding (icon or version-info strings) to pass as a legitimate component, which fits the generic Update.exe install name.

    • Drops file in System32 directory
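The extracted config (C2 45.88.91.79:1111, install path %AppData%\Update.exe) and the persistence signatures listed above (Run key, service ImagePath, COM hijacking, external IP lookup) can be turned directly into host-telemetry detection logic. The following is an added example, not code from the sandbox, from this report, or from the malware: it runs over constructed Sysmon-style events embedded inline. The event shape, the registry paths it checks (Run/RunOnce, Services\<name>\ImagePath, HKU\...\Software\Classes\CLSID\{...}\InprocServer32) and the IP-lookup hostnames are assumptions about how these signatures typically manifest, not values quoted by the report; the hypothetical service name UpdSvc and CLSID in the sample events are likewise constructed.

```python
"""Added example: turn this report's XWorm config and behavioural signatures
into detection logic over host telemetry.  Not code from the sandbox or the
malware; event shape and registry paths are assumptions (see comments)."""
import re
from dataclasses import dataclass

# Indicators taken directly from the extracted config in the report.
C2_IP, C2_PORT = "45.88.91.79", 1111
INSTALL_FILE = "Update.exe"
# %AppData% normally expands to <profile>\AppData\Roaming (assumed expansion).
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

# Registry locations behind the persistence signatures (assumed typical paths,
# not values quoted by the report).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SERVICE_IMAGEPATH_RE = re.compile(
    r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
# Per-user CLSID entries shadow the HKLM ones; that precedence is what COM hijacking abuses.
COM_HIJACK_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)",
    re.IGNORECASE)
# Public IP lookup services commonly queried by RATs (assumed example hosts).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}


@dataclass
class Event:
    """Minimal Sysmon-like record; only the fields a rule needs are filled."""
    kind: str            # "process", "network", "registry" or "dns"
    image: str = ""      # acting process image path
    dest: str = ""       # "ip:port" for network events
    target: str = ""     # full registry value path for registry events
    details: str = ""    # registry data written
    query: str = ""      # queried hostname for dns events


def score_event(ev):
    """Return (signature, severity) pairs that a single event matches."""
    hits = []
    if (ev.kind == "process" and APPDATA_RE.search(ev.image)
            and ev.image.lower().endswith("\\" + INSTALL_FILE.lower())):
        hits.append(("xworm_install_file_executed", "high"))
    if ev.kind == "network" and ev.dest == f"{C2_IP}:{C2_PORT}":
        hits.append(("xworm_c2_connection", "critical"))
    if ev.kind == "registry":
        if RUN_KEY_RE.search(ev.target) and INSTALL_FILE.lower() in ev.details.lower():
            hits.append(("run_key_persistence", "high"))
        if SERVICE_IMAGEPATH_RE.search(ev.target) and APPDATA_RE.search(ev.details):
            hits.append(("service_imagepath_in_appdata", "high"))
        if COM_HIJACK_RE.search(ev.target):
            hits.append(("com_hijack_hkcu_clsid", "medium"))
    if ev.kind == "dns" and ev.query.lower() in IP_LOOKUP_HOSTS:
        hits.append(("external_ip_lookup", "low"))
    return hits


def scan(events):
    """Aggregate hits across an event stream: signature -> severity + event indices."""
    report = {}
    for i, ev in enumerate(events):
        for sig, sev in score_event(ev):
            report.setdefault(sig, {"severity": sev, "events": []})["events"].append(i)
    return report


# Constructed telemetry for demonstration; not captured from the sandbox run.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\victim\AppData\Roaming\Update.exe"),
    Event("registry",
          target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
          details=r"C:\Users\victim\AppData\Roaming\Update.exe"),
    Event("network", image=r"C:\Users\victim\AppData\Roaming\Update.exe",
          dest="45.88.91.79:1111"),
    Event("registry", target=r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
          details=r"C:\Users\victim\AppData\Roaming\Update.exe"),
    Event("registry",
          target=r"HKU\S-1-5-21-1\Software\Classes\CLSID\{ABCD1234-0000-0000-0000-000000000001}\InprocServer32\(Default)",
          details=r"C:\Users\victim\AppData\Roaming\evil.dll"),
    Event("dns", image=r"C:\Users\victim\AppData\Roaming\Update.exe", query="ip-api.com"),
    Event("process", image=r"C:\Windows\System32\svchost.exe"),                 # benign
    Event("network", image=r"C:\Program Files\Browser\browser.exe",
          dest="93.184.216.34:443"),                                              # benign
]

if __name__ == "__main__":
    for sig, info in scan(SAMPLE_EVENTS).items():
        print(f"{info['severity']:9}{sig:32}events={info['events']}")
```

The C2 and install-file rules are tied to this sample's config and should be refreshed when a new config is extracted; the registry rules are generic persistence detections that stay useful across XWorm builds, at the cost of some false positives from legitimate per-user COM registrations.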
