Extracted

• • Target

    ApplicationFramHost.exe

  • Size

    77KB

  • MD5

    67c7fe1635180abaa9c88940d61bb20a

  • SHA1

    addc53c2291b8a3d17b3668600b8257fef496989

  • SHA256

    621278f6f2d263419d69187282d006e8f81afd73bdd75a39880d01d37bf0bbaf

  • SHA512

    9b19f62ea458345a5d2d7ebb4d22a413996b502619466b1d3eaed0f92b35af91650cddd9ffdb397f8ed4558a09c44ce424d344c1f4102543934b651d103c40fc

  • SSDEEP

    1536:u58tFnhxOx9v5vEv9t0bz9H2dhE6XDBO8YxHMQuhWy+R:i8tVh+vNEv9+bzmOvxHMLwbR

  Score

  10^/10

  xwormdiscoveryexecutionpersistenceprivilege_escalationrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2