File name:	PrismRelease.rar
Full analysis:	https://app.any.run/tasks/4814b473-d7b5-403d-9ce5-bd9c2bcb2ece
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	June 15, 2024, 18:57:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion python remote xworm miner
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	2457EB120E8FBEF34C97CEF775362CC9
SHA1:	547D2A58C06FEBE45BA1F0DEABDF68B759F40029
SHA256:	1F4FBB86E1E513B8BED2FA7A011D094E9F4DBB213E7AE8C34693C6F5343442C3
SSDEEP:	98304:rmaVnBH+BeIfSatKA2SGgEZ5vb+uNReXyn5VNj0HqzVYOQe5yMGaMZysAHp6YU0p:WEYEruy

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\PrismRelease.rar
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(6296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
6972	Prism Release V1.5.exe	C:\Users\admin\dllhost.exe		executable
		MD5:4A7F75343AAA5A4D8D18ADD50CCF3139	SHA256:34BE6A934FD45752E788F9BA20943C8E52D91732D76E9F30A5176E98DCCD956E
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\bin\autoattach.dll		binary
		MD5:BCC0B07DE0A24F9701FC97D154ECD660	SHA256:672CB16128DEA50E21FD2D98889E2D6A2264B654304A3F4248EBDF4C546F734A
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\ByfronHook.dll		binary
		MD5:4E3E92823CAEAC1203BEAA5A35D6DAFC	SHA256:3811858DA4B1F5E7F40D1237D7189DDCA3989FA0D7B07E87C538F92975B893D2
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\license.txt		text
		MD5:0B09566254B011D989DECF0E23A902EB	SHA256:A19D58AAAB15C4D0019E569D1C073D1B5286FDD37DBEEE7A58A7D1AE76045AE1
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\instructions.txt		text
		MD5:8A23BCAC9550C179F65025E505B4EA64	SHA256:1795B27A75858A67A0C93BCE21B77D6FD89213079CE4BB8AA09B1CCA99BE5619
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\workspace\Saved Scripts.txt		text
		MD5:9AAB6209B47A96431718754D4BAC5BEA	SHA256:D2D792F0D9BDB064F665174877454EA83F32AA0A571D223C062FB2107352481B
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\Prism Release V1.5.exe		executable
		MD5:AC80F970A7AE1C07663ABDD11D752D34	SHA256:B61CA7C42FEF43547C7892C76A925EC4A846373BFCDE20426C913A4390F71001
6164	Prism Executor.exe	C:\Users\admin\AppData\Local\Temp\onefile_6164_133629515149199413\nexusloader.exe		executable
		MD5:58545DC488990AC11872079D119F8284	SHA256:6669BD79928492AB626C6CC64DE35E3DA76D655BBD197B5CC644584014FEA5BC
6164	Prism Executor.exe	C:\Users\admin\AppData\Local\Temp\onefile_6164_133629515149199413\select.pyd		executable
		MD5:78D421A4E6B06B5561C45B9A5C6F86B1	SHA256:F1694CE82DA997FAA89A9D22D469BFC94ABB0F2063A69EC9B953BC085C2CB823
6784	WinRAR.exe	C:\Users\admin\Desktop\PrismRelease\Prism Release\assets.dll		binary
		MD5:BCC0B07DE0A24F9701FC97D154ECD660	SHA256:672CB16128DEA50E21FD2D98889E2D6A2264B654304A3F4248EBDF4C546F734A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2392	svchost.exe	GET	200	23.36.69.232:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
2392	svchost.exe	GET	200	2.19.122.202:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	2.19.122.202:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
3708	RUXIMICS.exe	GET	200	2.19.122.202:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
3708	RUXIMICS.exe	GET	200	23.36.69.232:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.36.69.232:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
7132	dllhost.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	unknown
—	—	GET	200	2.19.120.21:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	—
—	—	GET	200	2.19.120.32:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	s	21.3 Kb	—
—	—	POST	200	20.44.10.122:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
2392	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3708	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2392	svchost.exe	2.19.122.202:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	2.19.122.202:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
3708	RUXIMICS.exe	2.19.122.202:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2392	svchost.exe	23.36.69.232:80	www.microsoft.com	AKAMAI-AS	US	unknown
3708	RUXIMICS.exe	23.36.69.232:80	www.microsoft.com	AKAMAI-AS	US	unknown
5140	MoUsoCoreWorker.exe	23.36.69.232:80	www.microsoft.com	AKAMAI-AS	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
crl.microsoft.com	2.19.122.202 2.19.122.206	whitelisted
www.microsoft.com	23.36.69.232	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
ip-api.com	208.95.112.1	shared
www.bing.com	2.19.120.32 2.19.120.21	whitelisted
pool.hashvault.pro	95.179.241.203 45.76.89.70	unknown
self.events.data.microsoft.com	20.189.173.14	whitelisted

PID	Process	Class	Message
7132	dllhost.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
7132	dllhost.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
7132	dllhost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
2184	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

General Info

PrismRelease.rar

2457EB120E8FBEF34C97CEF775362CC9

547D2A58C06FEBE45BA1F0DEABDF68B759F40029

1F4FBB86E1E513B8BED2FA7A011D094E9F4DBB213E7AE8C34693C6F5343442C3

98304:rmaVnBH+BeIfSatKA2SGgEZ5vb+uNReXyn5VNj0HqzVYOQe5yMGaMZysAHp6YU0p:WEYEruy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Adds path to the Windows Defender exclusion list

Bypass execution policy to execute commands

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

Changes powershell execution policy (Bypass)

Adds process to the Windows Defender exclusion list

XWORM has been detected (SURICATA)

Connects to the CnC server

XWORM has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Process drops legitimate windows executable

The process creates files with name similar to system file names

Process drops python dynamic module

The process drops C-runtime libraries

Script adds exclusion path to Windows Defender

Script adds exclusion process to Windows Defender

Checks for external IP

Loads Python modules

Connects to unusual port

Contacting a server suspected of hosting an CnC

Uses powercfg.exe to modify the power settings

Starts SC.EXE for service management

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Starts CMD.EXE for commands execution

INFO

Drops the executable file immediately after the start

Reads the computer name

Checks supported languages

Process checks computer location settings

Manual execution by a user

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Checks proxy server information

Create files in a temporary directory

Script raised an exception (POWERSHELL)

Creates files in the program directory

Creates files or folders in the user directory

Checks operating system version

Malware configuration

XWorm

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules