File name:

APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe

Full analysis: https://app.any.run/tasks/057dae23-baf4-4359-a050-c209c67db7ad
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: March 11, 2024, 21:34:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
xworm
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4C05ADC3E8C9C33AEF8F16B792611B5A

SHA1:

BA8E0AA92AAECE848FB767F571A4D8F5DFBEB1E3

SHA256:

002B460BB8897B957E0443DBA7A31840440BA9D8EBD7A0F4FABB58109A42FDA8

SSDEEP:

24576:r1gqBDhlQupMQv5tiQTHNY3BD5El1vUDhYebw4TsHYSCbUk1cjFt:rLhlQ6NY3fK4TsUbU/Ft

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe (PID: 2472)
      • vbc.exe (PID: 1432)

    • Create files in the Startup directory

      • vbc.exe (PID: 1432)

    • XWORM has been detected (YARA)

      • vbc.exe (PID: 1432)

    • Unusual connection from system programs

      • vbc.exe (PID: 1432)

    • XWORM has been detected (SURICATA)

      • vbc.exe (PID: 1432)

    • Connects to the CnC server

      • vbc.exe (PID: 1432)

  • SUSPICIOUS

    • The process executes VB scripts

      • APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe (PID: 2472)

    • Process drops legitimate windows executable

      • vbc.exe (PID: 1432)

    • Executable content was dropped or overwritten

      • vbc.exe (PID: 1432)

    • Connects to unusual port

      • vbc.exe (PID: 1432)

  • INFO

    • Checks supported languages

      • vbc.exe (PID: 1432)
      • APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe (PID: 2472)

    • Reads the computer name

      • APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe (PID: 2472)
      • vbc.exe (PID: 1432)

    • Reads the machine GUID from the registry

      • vbc.exe (PID: 1432)

    • Creates files or folders in the user directory

      • vbc.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(1432) vbc.exe
C2fenvijsdfidfisdiodwhfuew.con-ip.com:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameFRIO
MutexQ7vK4o7XeUsEmAUh
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:15 09:48:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 406016
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.28.3.0
ProductVersionNumber: 5.28.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: OneLaunch
FileDescription: OneLaunch Setup
FileVersion: 5.28.3
LegalCopyright: Copyright OneLaunch. All rights reserved.
OriginalFileName:
ProductName: OneLaunch
ProductVersion: 5.28.3
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start apertura proceso judicial rad 10000065665655 (1).exe no specs #XWORM vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1432"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
14.8.3761.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
XWorm
(PID) Process(1432) vbc.exe
C2fenvijsdfidfisdiodwhfuew.con-ip.com:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameFRIO
MutexQ7vK4o7XeUsEmAUh
2472"C:\Users\admin\AppData\Local\Temp\APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe" C:\Users\admin\AppData\Local\Temp\APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exeexplorer.exe
User:
admin
Company:
OneLaunch
Integrity Level:
MEDIUM
Description:
OneLaunch Setup
Exit code:
0
Version:
5.28.3
Modules
Images
c:\users\admin\appdata\local\temp\apertura proceso judicial rad 10000065665655 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
3 597
Read events
3 596
Write events
1
Delete events
0

Modification events

(PID) Process:(2472) APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1432vbc.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Temp.lnklnk
MD5:23C6AD68C9FA351F5C69C8ACB859FF42
SHA256:619CC0C64B6535454CBD75B338B9E6517E83A658A3BF386904D253FE7A2E51C4
1432vbc.exeC:\Users\admin\AppData\Roaming\Temp.exeexecutable
MD5:FCCB961AE76D9E600A558D2D0225ED43
SHA256:466876F453563A272ADB5D568670ECA98D805E7ECAA5A2E18C92B6D3C947DF93
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
72

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1432
vbc.exe
181.136.226.14:7000
fenvijsdfidfisdiodwhfuew.con-ip.com
EPM Telecomunicaciones S.A. E.S.P.
CO
unknown

DNS requests

Domain
IP
Reputation
fenvijsdfidfisdiodwhfuew.con-ip.com
  • 181.136.226.14
malicious

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
71 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
APERTURA PROCESO JUDICIAL RAD 10000065665655 (1).exe