File name:

usb.exe

Full analysis: https://app.any.run/tasks/b8f5f1bd-5e99-41e2-97e2-004b44af6e3f
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: September 22, 2024, 14:37:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
xworm
phishing
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

D50C403EB2BDD2D371EAF08C2D42E3B8

SHA1:

034888EC05C646751F3A82AF63657CD6DCFCA4C8

SHA256:

33932BA589F1C502ADF8C762213978687BF8EC207D7929406A5711341C6B2801

SSDEEP:

1536:pdEWAG/uIeMBHl9DRDuobKNezeN411nKnSRtnc6ESZTObOD:gM9DR1bKNezekKSfnG6ObOD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • usb.exe (PID: 7092)

    • XWORM has been detected (YARA)

      • usb.exe (PID: 7092)

    • PHISHING has been detected (SURICATA)

      • usb.exe (PID: 7092)

    • XWORM has been detected (SURICATA)

      • usb.exe (PID: 7092)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • usb.exe (PID: 7092)

    • Checks for external IP

      • usb.exe (PID: 7092)
      • svchost.exe (PID: 2256)

    • Connects to unusual port

      • usb.exe (PID: 7092)

    • Contacting a server suspected of hosting an CnC

      • usb.exe (PID: 7092)

  • INFO

    • Reads the machine GUID from the registry

      • usb.exe (PID: 7092)

    • Reads the computer name

      • usb.exe (PID: 7092)

    • Disables trace logs

      • usb.exe (PID: 7092)

    • Checks supported languages

      • usb.exe (PID: 7092)

    • Reads Environment values

      • usb.exe (PID: 7092)

    • Checks proxy server information

      • usb.exe (PID: 7092)

    • Creates files or folders in the user directory

      • usb.exe (PID: 7092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(7092) usb.exe
C2august-birth.gl.at.ply.gg:55963
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time2
USB drop nameUSB.exe
Mutexo088IEmlALlc362F
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:22 10:46:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 67072
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x1253e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: usb.exe
LegalCopyright:
OriginalFileName: usb.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM usb.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7092"C:\Users\admin\Desktop\usb.exe" C:\Users\admin\Desktop\usb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\usb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(7092) usb.exe
C2august-birth.gl.at.ply.gg:55963
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time2
USB drop nameUSB.exe
Mutexo088IEmlALlc362F
Total events
4 201
Read events
4 186
Write events
15
Delete events
0

Modification events

(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7092) usb.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usb_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7092usb.exeC:\Users\admin\AppData\Roaming\usb.exeexecutable
MD5:D50C403EB2BDD2D371EAF08C2D42E3B8
SHA256:33932BA589F1C502ADF8C762213978687BF8EC207D7929406A5711341C6B2801
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
64
DNS requests
7
Threats
74

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3900
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
7092
usb.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3900
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3900
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7092
usb.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ip-api.com
  • 208.95.112.1
shared
i.ibb.co
  • 162.19.58.157
  • 162.19.58.156
  • 162.19.58.158
  • 162.19.58.161
  • 162.19.58.160
  • 162.19.58.159
shared
august-birth.gl.at.ply.gg
  • 147.185.221.22
unknown

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Domain chain identified as Phishing (ipibb)
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Initial Packet
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
usb.exe