Extracted

• • Target

    e.exe

  • Size

    501KB

  • MD5

    851315103d9c8a23701e5866aa809bf7

  • SHA1

    728584af10cceecd2975f6bf7911d74aa69112fc

  • SHA256

    07fcf2d9af558e53ccd2f47c1c008782c14fa00f75ebde1ccdfe8c1b9f45adf8

  • SHA512

    a20ec7d22cbd4135371d88cf92f7f767513406f2b25fe468003930380d6a07be2c8bc3c63c667c2b636edf18be104cc75a33290f2dbdc045c59a21ae51f5402d

  • SSDEEP

    12288:01Vi3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd:7kGTy

  Score

  10^/10

  xwormbootkitdefense_evasiondiscoveryexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1