| File name: | ccc.exe |
| Full analysis: | https://app.any.run/tasks/c11d401e-d0c5-4143-83f0-c0bb320dd2c6 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | May 17, 2024, 16:40:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 7BC1EF7D4E0947BA7162FE3A84E44175 |
| SHA1: | 1E54AB7B923A7BD3CF1B66638693C6A23BCA73D9 |
| SHA256: | 695408638EFF37D45646B123B30A423D908076DF15ADDFDC4D0AD556D04532DA |
| SSDEEP: | 1536:N5gT6TvJmwVs5kb+XBu7MP2WRXAUOlOo6:w9wVs5kb+Ru5WRFOlX6 |
MALICIOUS
XWORM has been detected (YARA)
- ccc.exe (PID: 3960)
Drops the executable file immediately after the start
- ccc.exe (PID: 3960)
SUSPICIOUS
Reads settings of System Certificates
- ccc.exe (PID: 3960)
Connects to unusual port
- ccc.exe (PID: 3960)
Reads the Internet Settings
- ccc.exe (PID: 3960)
Executing commands from a ".bat" file
- ccc.exe (PID: 3960)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 112)
Starts CMD.EXE for commands execution
- ccc.exe (PID: 3960)
INFO
Disables trace logs
- ccc.exe (PID: 3960)
Checks supported languages
- ccc.exe (PID: 3960)
- wmpnscfg.exe (PID: 928)
Reads the computer name
- ccc.exe (PID: 3960)
- wmpnscfg.exe (PID: 928)
Reads Environment values
- ccc.exe (PID: 3960)
Reads the software policy settings
- ccc.exe (PID: 3960)
Reads the machine GUID from the registry
- ccc.exe (PID: 3960)
Manual execution by a user
- wmpnscfg.exe (PID: 928)
Create files in a temporary directory
- ccc.exe (PID: 3960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(3960) ccc.exe
C2https://pastebin.com/raw/bN2vmgy2:<123456789>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep time<3
USB drop nameUSB.exe
MutexdKJYKYMSDWtRHdUO
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:05:17 16:40:08+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 52224 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xeaee |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 1.0.0.0 |
| InternalName: | ccc.exe |
| LegalCopyright: | |
| OriginalFileName: | ccc.exe |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp1049.tmp.bat"" | C:\Windows\System32\cmd.exe | — | ccc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 928 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1872 | timeout 3 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3960 | "C:\Users\admin\AppData\Local\Temp\ccc.exe" | C:\Users\admin\AppData\Local\Temp\ccc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
XWorm(PID) Process(3960) ccc.exe C2https://pastebin.com/raw/bN2vmgy2:<123456789> Keys AES<Xwormmm> Options Splitter3 Sleep time<3 USB drop nameUSB.exe MutexdKJYKYMSDWtRHdUO | |||||||||||||||
Total events
4 379
Read events
4 353
Write events
26
Delete events
0
Modification events
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASMANCS |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3960) ccc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ccc_RASMANCS |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3960 | ccc.exe | C:\Users\admin\AppData\Local\Temp\tmp1049.tmp.bat | text | |
MD5:7CA9C15A87A64EF3B79838212146FF60 | SHA256:B02205AA4AE6F628BAB0E0E2997778EC397DFDB38D5DC82EC5D0B93388986AFC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
19
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
3960 | ccc.exe | 104.20.4.235:443 | pastebin.com | CLOUDFLARENET | — | unknown |
3960 | ccc.exe | 176.96.137.11:6000 | — | dataforest GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pastebin.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet |
18 ETPRO signatures available at the full report