File name: Sensor Data Service.exe

Full analysis: https://app.any.run/tasks/6c1ab283-1d49-4ba2-89bd-2d7081c2168f
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: February 19, 2024, 08:46:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
xworm
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: FB6B300B672010C8E0AE72FABFB6150F
SHA1: BDCD6BC7532E9EC2593E284B04BC8BEDB4CCAF8E
SHA256: 1B41F7DC8AC2A10B5751E8319FE8169B1835B708D6AE1A4208C6FB67D94916B5
SSDEEP: 768:VD6WNX6KwgZ/9VJp8XIbpF5PM9eTt6BOfh93qO:VOIKK/LJqcFS9qt6BOfbX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • Sensor Data Service.exe (PID: 3672)
    • Changes the autorun value in the registry

      • Sensor Data Service.exe (PID: 3672)
    • Drops the executable file immediately after the start

      • Sensor Data Service.exe (PID: 3672)
    • XWORM has been detected (YARA)

      • Sensor Data Service.exe (PID: 3672)
    • XWORM has been detected (SURICATA)

      • Sensor Data Service.exe (PID: 3672)
    • Connects to the CnC server

      • Sensor Data Service.exe (PID: 3672)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Sensor Data Service.exe (PID: 3672)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Sensor Data Service.exe (PID: 3672)
    • Reads settings of System Certificates

      • Sensor Data Service.exe (PID: 3672)
    • Executable content was dropped or overwritten

      • Sensor Data Service.exe (PID: 3672)
    • Reads the Internet Settings

      • Sensor Data Service.exe (PID: 3672)
    • Checks for external IP

      • Sensor Data Service.exe (PID: 3672)
    • Reads security settings of Internet Explorer

      • Sensor Data Service.exe (PID: 3672)
    • Starts a Microsoft application from unusual location

      • Sensor Data Service.exe (PID: 3672)
    • Connects to unusual port

      • Sensor Data Service.exe (PID: 3672)
  • INFO

    • Checks supported languages

      • Sensor Data Service.exe (PID: 3672)
    • Reads the computer name

      • Sensor Data Service.exe (PID: 3672)
    • Reads the machine GUID from the registry

      • Sensor Data Service.exe (PID: 3672)
    • Reads Environment values

      • Sensor Data Service.exe (PID: 3672)
    • Creates files in the program directory

      • Sensor Data Service.exe (PID: 3672)
    • Creates files or folders in the user directory

      • Sensor Data Service.exe (PID: 3672)
    • Reads the software policy settings

      • Sensor Data Service.exe (PID: 3672)

XWorm

(PID) Process: (3672) Sensor Data Service.exe
C2: https://pastebin.com/raw/cc2XUtcH:<18391751917242901>
Keys
AES: <Xwormmm> (the XWorm builder's default key string)
Options
Splitter: 3
Sleep time: Koda
USB drop name: Setup.exe
Mutex: olycV13STcbfvzQi

The C2 field is a pastebin raw URL rather than a host, so the real endpoint is fetched at run time; this matches the pastebin.com connection that precedes the ngrok tunnel in the network section below, and it means the IP seen in one run is not a stable indicator.
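Added example, not code from the report or from XWorm itself: how a config extractor turns the fields above back into plaintext. XWorm keeps its Host, Port, SPL, Sleep and USB-name settings as base64-encoded AES-256-ECB ciphertext and derives the key from the MD5 of the key string (here the default `<Xwormmm>`), copying the 16-byte digest into a zero-filled 32-byte buffer at offset 0 and again at offset 15; the overlapping copy is a quirk of the original .NET code that an extractor has to reproduce byte for byte. The sample's encrypted strings are not reproduced on this page, so the block encrypts a constructed value (the Host from the config above) with the same scheme and then decrypts it; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// DefaultKeyString is the key string shown under Keys in this report; it is
// also the value XWorm's builder ships with when the operator changes nothing.
const DefaultKeyString = "<Xwormmm>"

// XWormAESKey reproduces XWorm's key derivation: the MD5 digest of the key
// string is copied into a zero-filled 32-byte buffer at offset 0 and again at
// offset 15. The second copy overwrites byte 15 with digest[0] and byte 31
// stays zero; an extractor that uses md5||md5 instead will never decrypt.
func XWormAESKey(keyString string) []byte {
	digest := md5.Sum([]byte(keyString))
	key := make([]byte, 32)
	copy(key[0:16], digest[:])
	copy(key[15:31], digest[:])
	return key
}

// pkcs7Unpad strips .NET's default PKCS#7 padding. A padding error is the
// usual symptom of trying the wrong key string, so callers can stop early.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding bytes")
	}
	return b[:len(b)-n], nil
}

// DecryptSetting is the extractor side: base64 -> AES-256-ECB -> unpad.
func DecryptSetting(keyString, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(XWormAESKey(keyString))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize { // ECB: blocks are independent
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	out, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// EncryptSetting mirrors the builder side so this example can produce its own
// sample ciphertext offline; extraction itself never needs it.
func EncryptSetting(keyString, plaintext string) string {
	block, _ := aes.NewCipher(XWormAESKey(keyString)) // key is always 32 bytes
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	// Constructed sample: the Host value from this report's config, encrypted
	// the way the builder would embed it in the binary.
	embedded := EncryptSetting(DefaultKeyString, "https://pastebin.com/raw/cc2XUtcH")
	fmt.Println("embedded :", embedded)
	host, err := DecryptSetting(DefaultKeyString, embedded)
	fmt.Println("decrypted:", host, err)
	// A wrong key string fails the padding check far more often than it yields
	// plausible text, which is what makes trying a short list of known keys cheap.
	_, err = DecryptSetting("not-the-key", embedded)
	fmt.Println("wrong key:", err)
}
```

When the key string is not the default, it is still present in the binary in clear text (it has to be, since the client needs it to decrypt the other settings), so the practical order of work is: pull the .NET user strings, try `<Xwormmm>` against each base64 candidate, and fall back to the other short strings nearby as key candidates.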

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:19 08:02:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 40960
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xbefe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2.19041.746
ProductVersionNumber: 6.2.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Sensor Data Service
FileVersion: 6.2.19041.746
InternalName: XRat.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: XRat.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.2.19041.746
AssemblyVersion: 6.2.19041.746

The version resource is free text chosen at build time, not a signature: the Microsoft company, copyright and Windows build number here sit beside an InternalName/OriginalFileName of XRat.exe, and that kind of mismatch (display name and company claim one thing, original file name another) is worth hunting for across a fleet. The PE timestamp above is 2024-02-19 08:02:03 UTC, the same morning as the analysis, consistent with a freshly built sample, although the timestamp is attacker-controllable too.
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start > Sensor Data Service.exe [#XWORM] > schtasks.exe [no specs]

Process information

PID: 3672
CMD: "C:\Users\admin\Desktop\Sensor Data Service.exe"
Path: C:\Users\admin\Desktop\Sensor Data Service.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Sensor Data Service
Exit code: 0
Version: 6.2.19041.746
Modules
Images
c:\users\admin\desktop\sensor data service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3932
CMD: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Servic Data Sensor" /tr "C:\ProgramData\Servic Data Sensor.exe"
Path: C:\Windows\System32\schtasks.exe
Parent process: Sensor Data Service.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

The task name transposes the words of the sample's display name ("Servic Data Sensor", typo included, versus "Sensor Data Service") and its action is the self-copy dropped into C:\ProgramData. With /sc minute /mo 1 the copy is relaunched every minute, so killing the process without deleting the task first brings it back within sixty seconds; the task runs at the user's own integrity level, no elevation involved.
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
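Added example, not part of the report: a detection for the persistence step above, written the way it would sit in an EDR or Sysmon process-creation pipeline. It tokenises the schtasks.exe command line (keeping quoted task names and paths whole), reads the /create, /sc, /mo and /tr switches, and alerts when a task that fires every minute points at a user-writable location such as C:\ProgramData. The event structure, the writable-prefix list and the function names are this example's choices; the two sample events are constructed, the first from the command line in this report.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record (image, command line, parent)
// as Sysmon Event ID 1 or an EDR would carry it; the field names are this
// example's own, not a vendor schema.
type ProcEvent struct {
	Image       string
	CommandLine string
	ParentImage string
}

// splitArgs tokenises a Windows command line on spaces while keeping
// double-quoted runs (task names and paths with spaces) as a single token.
func splitArgs(cmd string) []string {
	var args []string
	var cur strings.Builder
	inQuote := false
	for _, r := range cmd {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if cur.Len() > 0 {
				args = append(args, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		args = append(args, cur.String())
	}
	return args
}

// parseSwitches maps each /switch to the token that follows it, or to "" for
// bare flags such as /create and /f. Switch names are lower-cased.
func parseSwitches(args []string) map[string]string {
	out := map[string]string{}
	for i := 1; i < len(args); i++ { // args[0] is the image path
		if !strings.HasPrefix(args[i], "/") {
			continue
		}
		name := strings.ToLower(args[i])
		if i+1 < len(args) && !strings.HasPrefix(args[i+1], "/") {
			out[name] = args[i+1]
			i++
		} else {
			out[name] = ""
		}
	}
	return out
}

// userWritable reports whether a task action sits somewhere a medium-integrity
// process can write. The prefix list is this example's own and is not exhaustive.
func userWritable(path string) bool {
	p := strings.ToLower(strings.Trim(path, `"`))
	for _, prefix := range []string{`c:\programdata\`, `c:\users\`, `%appdata%`, `%localappdata%`, `%temp%`} {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// DetectMinutePersistence flags schtasks.exe creating a task that runs every
// minute from a user-writable path, as PID 3932 does above. It returns a short
// reason and true on a match.
func DetectMinutePersistence(e ProcEvent) (string, bool) {
	if !strings.HasSuffix(strings.ToLower(e.Image), `\schtasks.exe`) {
		return "", false
	}
	sw := parseSwitches(splitArgs(e.CommandLine))
	if _, ok := sw["/create"]; !ok {
		return "", false
	}
	// /mo defaults to 1 for /sc minute, so a missing modifier is still every minute.
	frequent := strings.EqualFold(sw["/sc"], "minute") && (sw["/mo"] == "" || sw["/mo"] == "1")
	if frequent && userWritable(sw["/tr"]) {
		return fmt.Sprintf("task %q runs %s every minute, parent %s", sw["/tn"], sw["/tr"], e.ParentImage), true
	}
	return "", false
}

func main() {
	// Constructed events: the first is the command line from this report, the
	// second a benign daily task under Program Files for contrast.
	events := []ProcEvent{
		{Image: `C:\Windows\System32\schtasks.exe`,
			CommandLine: `"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Servic Data Sensor" /tr "C:\ProgramData\Servic Data Sensor.exe"`,
			ParentImage: `C:\Users\admin\Desktop\Sensor Data Service.exe`},
		{Image: `C:\Windows\System32\schtasks.exe`,
			CommandLine: `"C:\Windows\System32\schtasks.exe" /create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"`,
			ParentImage: `C:\Windows\System32\cmd.exe`},
	}
	for _, e := range events {
		if why, hit := DetectMinutePersistence(e); hit {
			fmt.Println("ALERT:", why)
		} else {
			fmt.Println("ok:   ", e.CommandLine)
		}
	}
}
```

The parent image is carried into the alert on purpose: a scheduled task created by a process running from a user's Desktop (as here) is a stronger signal than the same command from an installer, and the rule can be tightened on that field without changing the parsing.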
Total events: 6 022
Read events: 5 987
Write events: 35
Delete events: 0

Modification events

Process (PID 3672) Sensor Data Service.exe wrote to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sensor Data Service_RASAPI32:
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown)
  ConsoleTracingMask = (value not shown)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing
Process (PID 3672) Sensor Data Service.exe wrote to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sensor Data Service_RASMANCS:
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown)
  ConsoleTracingMask = (value not shown)

The Tracing\<image>_RASAPI32 and _RASMANCS keys are written by Windows RAS tracing support the first time a process loads the RAS client library, which ordinary WinINet-based network access does; any program that goes online leaves the same keys, so they show that the process used the network, not anything specific to this family. The write behind the "Changes the autorun value in the registry" indicator is not among the ten events reproduced here (35 writes were recorded in total).
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID   Process                  Filename                                                                                              Type
3672  Sensor Data Service.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Servic Data Sensor.lnk  binary
      MD5: A3CBF7C6D47B8F931E9C091EDDDF19D6
      SHA256: A7669D95ACB20F7D4E35A69DA839BEC8EF9DDC50BC64C18423E4E5F5DFC74B68
3672  Sensor Data Service.exe  C:\ProgramData\Servic Data Sensor.exe                                                                 executable
      MD5: FB6B300B672010C8E0AE72FABFB6150F
      SHA256: 1B41F7DC8AC2A10B5751E8319FE8169B1835B708D6AE1A4208C6FB67D94916B5

The executable in C:\ProgramData carries the same MD5 and SHA256 as the submitted sample: it is a straight self-copy, so the file hashes at the top of this report cover both the original and the persisted copy. Together with the every-minute scheduled task, the Startup-folder .lnk gives the copy two independent launch paths; removing only one leaves the other in place.
HTTP(S) requests: 1
TCP/UDP connections: 8
DNS requests: 4
Threats: 9

HTTP requests

PID: 3672 (Sensor Data Service.exe)
Method / HTTP code: GET / 200
IP: 208.95.112.1:80
URL: http://ip-api.com/line/?fields=hosting
Type / Size: text / 6 b
Reputation: unknown
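Added example, not part of the report: the request above is the sample's sandbox check. ip-api.com's line endpoint answers `fields=hosting` with one field per line, `true` or `false` depending on whether the caller's address belongs to a hosting or data-centre range, and a `false\n` reply is exactly the 6 bytes the sandbox logged. The block is a stub an analyst can stand in for ip-api.com in a detonation lab (by resolving the name to the stub in the lab's DNS) so the sample gets whichever answer the analyst wants to test, plus a client that parses the reply the way a consumer of this endpoint must. Hostnames, ports and handler names are this example's choices; the malware's own parsing is not reproduced on this page.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// hostingAnswer is the value the lab responder hands back for the ip-api.com
// "hosting" field. "false" tells a hosting-aware sample it is on an ordinary
// connection; flip it to "true" to see how the sample behaves when it believes
// it is running on a cloud sandbox.
var hostingAnswer = "false"

// ipAPIHandler imitates ip-api.com/line/?fields=hosting: a text/plain body
// with one requested field per line. Anything else gets 404 so the stub cannot
// quietly stand in for an unrelated service.
func ipAPIHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/line/" || r.URL.Query().Get("fields") != "hosting" {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	fmt.Fprintf(w, "%s\n", hostingAnswer) // "false\n" is the 6-byte reply logged above
}

// LooksLikeHosting issues the same request the sample sent and parses the
// reply as a client of this endpoint must: first line, whitespace trimmed.
func LooksLikeHosting(baseURL string) (bool, error) {
	resp, err := http.Get(baseURL + "/line/?fields=hosting")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64)) // reply is a few bytes
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(body)) == "true", nil
}

func main() {
	// In a detonation lab, resolve ip-api.com to this host and listen on :80 so
	// the sample's plain-HTTP lookup lands here instead of on the internet.
	http.HandleFunc("/line/", ipAPIHandler)
	fmt.Println("ip-api stub listening on :8080, hosting =", hostingAnswer)
	if err := http.ListenAndServe(":8080", nil); err != nil {
		fmt.Println(err)
	}
}
```

Because the lookup is plain HTTP on port 80, no certificate games are needed to intercept it; the same cannot be said for the pastebin.com, api.telegram.org and ngrok connections that follow, which are all TLS.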

Connections

PID   Process                  IP:port                IDomain                  ASN                     CN  Reputation
4     System                   192.168.100.255:137    -                        -                       -   unknown
4     System                   192.168.100.255:138    -                        -                       -   unknown
1080  svchost.exe              224.0.0.252:5355       -                        -                       -   unknown
3672  Sensor Data Service.exe  208.95.112.1:80        ip-api.com               TUT-AS                  US  unknown
3672  Sensor Data Service.exe  104.20.67.143:443      pastebin.com             CLOUDFLARENET           -   unknown
3672  Sensor Data Service.exe  149.154.167.220:443    api.telegram.org         Telegram Messenger Inc  GB  unknown
3672  Sensor Data Service.exe  54.183.107.205:18607   0.tcp.us-cal-1.ngrok.io  AMAZON-02               US  unknown

The first three rows are the guest's own NetBIOS (ports 137 and 138 to the subnet broadcast address) and LLMNR (224.0.0.252:5355) traffic, not sample activity. Of the sample's four connections, the ngrok TCP tunnel on 18607 is the only one to a non-standard port and is what the "Connects to unusual port" indicator refers to. An ngrok tunnel hides the operator's real address behind an Amazon-hosted endpoint that can change between runs, so the domain pattern (*.tcp.*.ngrok.io) is a steadier indicator than 54.183.107.205.

DNS requests

Domain                   IP(s)                                        Reputation
ip-api.com               208.95.112.1                                 unknown
pastebin.com             104.20.67.143, 104.20.68.143, 172.67.34.170  unknown
api.telegram.org         149.154.167.220                              unknown
0.tcp.us-cal-1.ngrok.io  54.183.107.205                               unknown

Threats

Class                                           Message
Potential Corporate Privacy Violation           AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
Device Retrieving External IP Address Detected  POLICY [ANY.RUN] External Hosting Lookup by ip-api
Device Retrieving External IP Address Detected  ET POLICY External IP Lookup ip-api.com
Misc activity                                   ET HUNTING Telegram API Domain in DNS Lookup
Misc activity                                   ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Misc activity                                   ET HUNTING Telegram API Certificate Observed
Misc activity                                   ET INFO DNS Query to a *.ngrok domain (ngrok.io)
Malware Command and Control Activity Detected   REMOTE [ANY.RUN] Xworm Network Packet

One further ETPRO signature is listed only in the full report, which brings the count to the 9 threats stated above. Note that seven of the eight alerts shown are policy or hunting signatures that fire on legitimate services (an IP-lookup API, Telegram, ngrok); only the last one names the family, so on a production sensor the three service-based hits should be correlated with each other and with the process that made them rather than triaged one at a time.
No debug info