| File name: | main.exe |
| Full analysis: | https://app.any.run/tasks/bd00d989-2473-4eff-93ac-9c98770126e8 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | April 10, 2025, 18:27:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 83E9A519C5FBC4280436E8920CD1659E |
| SHA1: | AF7B0A0A471F5919E94A62EF75B03BB7B3D3225B |
| SHA256: | 4F94178EBC8D9CD2753BBFD018F0EB931AC69026B4A53E74688B4F8F9D236AE2 |
| SSDEEP: | 98304:71T2Q60Leb2h1Qt3ELnQu33ufgnro0tHfktEzafhOsE+XZ0SJQHo2PhbpnhVxJL8:6mryrqB881mwJ2iRjOum1 |
MALICIOUS
Create files in the Startup directory
- sysload.exe (PID: 1760)
XWORM has been detected (YARA)
- sysload.exe (PID: 1760)
XWORM has been detected (SURICATA)
- sysload.exe (PID: 1760)
Starts CMD.EXE for self-deleting
- main.exe (PID: 7408)
SUSPICIOUS
The process drops C-runtime libraries
- main.exe (PID: 7376)
Executable content was dropped or overwritten
- main.exe (PID: 7376)
- main.exe (PID: 7408)
- sysload.exe (PID: 1760)
Process drops python dynamic module
- main.exe (PID: 7376)
Process drops legitimate windows executable
- main.exe (PID: 7376)
Application launched itself
- main.exe (PID: 7376)
Loads Python modules
- main.exe (PID: 7408)
Uses WMIC.EXE to obtain BIOS management information
- cmd.exe (PID: 7432)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 7600)
Starts CMD.EXE for commands execution
- main.exe (PID: 7408)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 7656)
Uses WMIC.EXE to obtain computer system information
- cmd.exe (PID: 7700)
- cmd.exe (PID: 7812)
- cmd.exe (PID: 7940)
- cmd.exe (PID: 7928)
Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)
- cmd.exe (PID: 7916)
- cmd.exe (PID: 8024)
Get information on the list of running processes
- cmd.exe (PID: 7668)
- main.exe (PID: 7408)
The process checks if it is being run in the virtual environment
- main.exe (PID: 7408)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7776)
There is functionality for taking screenshot (YARA)
- main.exe (PID: 7376)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 8188)
Hides command output
- cmd.exe (PID: 8188)
The executable file from the user directory is run by the CMD process
- sysload.exe (PID: 1760)
Probably fake Windows Update file has been dropped
- sysload.exe (PID: 1760)
Contacting a server suspected of hosting an CnC
- sysload.exe (PID: 1760)
Connects to unusual port
- sysload.exe (PID: 1760)
INFO
Reads the computer name
- main.exe (PID: 7376)
- main.exe (PID: 7408)
- sysload.exe (PID: 1760)
Checks supported languages
- main.exe (PID: 7376)
- main.exe (PID: 7408)
- sysload.exe (PID: 1760)
The sample compiled with english language support
- main.exe (PID: 7376)
Create files in a temporary directory
- main.exe (PID: 7376)
- main.exe (PID: 7408)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 7488)
- WMIC.exe (PID: 7656)
- WMIC.exe (PID: 7760)
- WMIC.exe (PID: 7872)
- WMIC.exe (PID: 7976)
- WMIC.exe (PID: 8080)
- WMIC.exe (PID: 8076)
- WMIC.exe (PID: 7964)
Displays MAC addresses of computer network adapters
- getmac.exe (PID: 7516)
Checks proxy server information
- main.exe (PID: 7408)
- slui.exe (PID: 6752)
PyInstaller has been detected (YARA)
- main.exe (PID: 7376)
Reads the machine GUID from the registry
- sysload.exe (PID: 1760)
Reads the software policy settings
- slui.exe (PID: 6752)
Creates files or folders in the user directory
- sysload.exe (PID: 1760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(1760) sysload.exe
C2127.0.0.1,80.57.135.160,animal-adidas.gl.at.ply.gg,saw-painted.gl.at.ply.gg:27137
Keys
AES<SIMPLE>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameSCYLLA
MutexnnDk7JDKF6LNAjAi
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:04:10 16:23:57+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 173568 |
| InitializedDataSize: | 155648 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xce20 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
180
Monitored processes
55
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1760 | C:\Users\admin\AppData\Local\Temp\sysload.exe | C:\Users\admin\AppData\Local\Temp\sysload.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Version: 1.0.0.0 Modules
XWorm(PID) Process(1760) sysload.exe C2127.0.0.1,80.57.135.160,animal-adidas.gl.at.ply.gg,saw-painted.gl.at.ply.gg:27137 Keys AES<SIMPLE> Options Splitter<Xwormmm> Sleep time3 USB drop nameSCYLLA MutexnnDk7JDKF6LNAjAi | |||||||||||||||
| 2136 | timeout /t 3 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2516 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3676 | C:\WINDOWS\system32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"" | C:\Windows\System32\cmd.exe | — | main.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4220 | C:\WINDOWS\system32\cmd.exe /c "reg query "HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"" | C:\Windows\System32\cmd.exe | — | main.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4880 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5376 | C:\WINDOWS\system32\cmd.exe /c "reg query "HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"" | C:\Windows\System32\cmd.exe | — | main.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6028 | reg query "HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6032 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
11 860
Read events
11 860
Write events
0
Delete events
0
Modification events
Executable files
55
Suspicious files
3
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\VCRUNTIME140.dll | executable | |
MD5:32DA96115C9D783A0769312C0482A62D | SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\_socket.pyd | executable | |
MD5:0106EE3F61A54D922190B3A01C81A453 | SHA256:C22DF48785B684A8EBEAEF5ABFC35840A6B67926BC0366214D74842F7B71D6BA | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\_decimal.pyd | executable | |
MD5:240A03069D6968741B703D026337AD2C | SHA256:E23C58ACB7B4A85DE32F9FEAE60AC85F9E4580409BACA5D36EC4777F0528F3AF | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0 | SHA256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\_lzma.pyd | executable | |
MD5:7C25A079B992919CC97221955DAC050C | SHA256:7EA254E37D820EAB6E9D312C390D1039EDB78C8B7D913F5A86A91CB0261CE3FF | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796 | SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59 | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\_ssl.pyd | executable | |
MD5:ED9242721197FD84231B38E6B42F3F55 | SHA256:6F4E1FCFC8239BFF5F7FBCA5AD804832D6708B5F6DBFCCE47405D7D3750555FF | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:33BBECE432F8DA57F17BF2E396EBAA58 | SHA256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\api-ms-win-core-handle-l1-1-0.dll | executable | |
MD5:E89CDCD4D95CDA04E4ABBA8193A5B492 | SHA256:1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238 | |||
| 7376 | main.exe | C:\Users\admin\AppData\Local\Temp\_MEI73762\api-ms-win-core-file-l1-2-0.dll | executable | |
MD5:1C58526D681EFE507DEB8F1935C75487 | SHA256:EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
53
DNS requests
20
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/PEGASUSAnticheat/PegasusServerListener/releases/download/Siidmax/svhost.exe | unknown | — | — | — |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
7716 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7716 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7408 | main.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted |
7408 | main.exe | 185.199.108.133:443 | objects.githubusercontent.com | FASTLY | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
github.com |
| whitelisted |
objects.githubusercontent.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Attempted Information Leak | ET INFO Python-urllib/ Suspicious User Agent |
— | — | Attempted Information Leak | ET INFO Python-urllib/ Suspicious User Agent |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg) |
— | — | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |
— | — | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
— | — | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet |
— | — | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet |