General

  • Target

    menu.exe

  • Size

    312KB

  • Sample

    241118-cd26kswcmk

  • MD5

    a29581b945ec3726a3b8bafabb09a11c

  • SHA1

    070bd72b18866d3e4c92e567a4ab77f63e05dcec

  • SHA256

    c77cfe0ed48c4b4fb13d843052b4e0a97d15bc98b37c0c440060b0b7de773b9a

  • SHA512

    d651d03019ba69c93ba38e41334fdf9782926b8d2d92e19c81f58e51943a1213cac80ef68c0ab9bb1cb0ec7d45c2622f41b8c403bc90dd72930a5f74cd1827c6

  • SSDEEP

    6144:U580X77xbMFjAVMEKxYS0I4NzCtakMiiCLk7bEhVtXUtze5DhW:OXndMFjAVMbV0IKzCt93eEhrEQXW

Malware Config

Extracted

Family

xworm

C2

85.209.133.220:111

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    system.exe

Targets

    • Target

      menu.exe

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, and so on.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks