| File name: | 250517-r46c9avpt4_pw_infected.zip |
| Full analysis: | https://app.any.run/tasks/cbc8ae7e-97f3-45df-ab34-68fa07fc1ac3 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | May 17, 2025, 15:15:42 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=AES Encrypted |
| MD5: | 8CDC306C29046B7377CD4B863A4086D1 |
| SHA1: | 6D6B9B2EF5DEF50C5B0424428AA58DD80FD7AD57 |
| SHA256: | 67C3B0D543BC053E4FFDA85EF1611CABBCD23AFE45C266AEB0DC98A62E3BE704 |
| SSDEEP: | 3072:Jx8RiIJWjdBvLNQoMBPcYebVH1Eh+EOCQIJCQZR0mYNlxbCf5Y/:JPIJWjfDiFuhhCQIJIN0fI |
MALICIOUS
Known privilege escalation attack
- dllhost.exe (PID: 7144)
Changes Windows Defender settings
- e3.exe (PID: 3332)
Changes powershell execution policy (Bypass)
- e3.exe (PID: 3332)
Adds path to the Windows Defender exclusion list
- e3.exe (PID: 3332)
Bypass execution policy to execute commands
- powershell.exe (PID: 2040)
- powershell.exe (PID: 6036)
Adds process to the Windows Defender exclusion list
- e3.exe (PID: 3332)
Create files in the Startup directory
- WUDFHost.exe (PID: 4200)
XWORM has been detected (SURICATA)
- WUDFHost.exe (PID: 4200)
SUSPICIOUS
Reads security settings of Internet Explorer
- e3.exe (PID: 5512)
- e3.exe (PID: 3332)
Reads the date of Windows installation
- e3.exe (PID: 5512)
- e3.exe (PID: 3332)
Probably UAC bypass using CMSTP.exe (Connection Manager service profile)
- e3.exe (PID: 5512)
Runs shell command (SCRIPT)
- mshta.exe (PID: 968)
- mshta.exe (PID: 4920)
Executes as Windows Service
- VSSVC.exe (PID: 6252)
Script adds exclusion path to Windows Defender
- e3.exe (PID: 3332)
Starts POWERSHELL.EXE for commands execution
- e3.exe (PID: 3332)
The process creates files with name similar to system file names
- e3.exe (PID: 3332)
Script adds exclusion process to Windows Defender
- e3.exe (PID: 3332)
Executable content was dropped or overwritten
- e3.exe (PID: 3332)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 5072)
Contacting a server suspected of hosting an CnC
- WUDFHost.exe (PID: 4200)
Executing commands from a ".bat" file
- e3.exe (PID: 3332)
Starts CMD.EXE for commands execution
- e3.exe (PID: 3332)
- mshta.exe (PID: 4920)
The process executes via Task Scheduler
- WUDFHost.exe (PID: 4200)
Connects to unusual port
- WUDFHost.exe (PID: 4200)
Uses TASKKILL.EXE to kill process
- mshta.exe (PID: 968)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1020)
Checks supported languages
- e3.exe (PID: 5512)
- WUDFHost.exe (PID: 4200)
- e3.exe (PID: 3332)
Manual execution by a user
- e3.exe (PID: 5512)
- WinRAR.exe (PID: 7428)
- msedge.exe (PID: 6208)
Reads the machine GUID from the registry
- e3.exe (PID: 5512)
- WUDFHost.exe (PID: 4200)
Reads the computer name
- e3.exe (PID: 5512)
- e3.exe (PID: 3332)
- WUDFHost.exe (PID: 4200)
Process checks computer location settings
- e3.exe (PID: 5512)
- e3.exe (PID: 3332)
Disables trace logs
- cmstp.exe (PID: 1164)
Checks transactions between databases Windows and Oracle
- cmstp.exe (PID: 1164)
Reads Internet Explorer settings
- mshta.exe (PID: 4920)
- mshta.exe (PID: 968)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 6036)
- powershell.exe (PID: 2040)
Create files in a temporary directory
- e3.exe (PID: 3332)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 2040)
- powershell.exe (PID: 6036)
Creates files or folders in the user directory
- WUDFHost.exe (PID: 4200)
- e3.exe (PID: 3332)
Application launched itself
- msedge.exe (PID: 6208)
Reads the software policy settings
- slui.exe (PID: 4220)
Creates files in the program directory
- dllhost.exe (PID: 7144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 111118 |
| ZipUncompressedSize: | 229376 |
| ZipFileName: | 250517-rqp44shj8v.bin |
Total processes
196
Monitored processes
60
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 208 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 232 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5928 --field-trial-handle=2396,i,15443711783371428693,13375352591372481556,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 336 | timeout 3 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6956 --field-trial-handle=2396,i,15443711783371428693,13375352591372481556,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 968 | mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close") | C:\Windows\System32\mshta.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1020 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\250517-r46c9avpt4_pw_infected.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1132 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | "C:\WINDOWS\system32\cmstp.exe" /au C:\WINDOWS\temp\vgscjlno.inf | C:\Windows\System32\cmstp.exe | — | e3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 1 Version: 7.2.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1748 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7192 --field-trial-handle=2396,i,15443711783371428693,13375352591372481556,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2040 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\WUDFHost.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | e3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
21 661
Read events
21 554
Write events
107
Delete events
0
Modification events
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\250517-r46c9avpt4_pw_infected.zip | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1020) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (1164) cmstp.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
32
Suspicious files
408
Text files
86
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF125bf3.TMP | — | |
MD5:— | SHA256:— | |||
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6036 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5u2ecmty.kef.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2040 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:D16D14F4AE0B2808434B1B15F90C4F17 | SHA256:4B4ABC471216B71F3DB395EE3C01711D9BAE8AFED493BCE61896B3ED62E22ED8 | |||
| 2040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zat2eaa2.3mn.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1020.27200\250517-rqp44shj8v.bin | executable | |
MD5:665667F99C45FB7A0A90C4F13C8BC669 | SHA256:8A49221037F9C59ACB0C5063920437174B6FDCE88C900E39BD99C2228CA01B7D | |||
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF125c12.TMP | — | |
MD5:— | SHA256:— | |||
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF125c12.TMP | — | |
MD5:— | SHA256:— | |||
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6208 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
94
DNS requests
91
Threats
27
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
2088 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2088 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.31.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
member-sought.gl.at.ply.gg |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg) |
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |
2196 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
4200 | WUDFHost.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet |
4200 | WUDFHost.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet |
3888 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
3888 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
3888 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io) |
3888 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io) |
3888 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |