| File name: | da5268b1-b8ec-4de6-9e30-8436242fa66d |
| Full analysis: | https://app.any.run/tasks/d8cdf049-bccd-4bc1-8229-90e21b81cfcb |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | December 02, 2023, 17:18:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 72B51E28589FBEAC9400380DDDEDB79A |
| SHA1: | 4D14AB35E4425A8B1B1B655C2178B0EA2522E7F0 |
| SHA256: | 6CA01F81CC92345981212659AA05D5595A45E96A1F4A6F8678D21F1D24C96AA0 |
| SSDEEP: | 6144:/qkoB3pcFOKc4sFyYl1vuBMF7inx9fm5/VZLYS9fmIC:St3OFOKc4jeluBMF7gvmH5 |
MALICIOUS
Drops the executable file immediately after the start
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
- SECURITY AVAST.exe (PID: 1228)
Actions looks like stealing of personal data
- NitroRansomware.exe (PID: 3796)
Create files in the Startup directory
- SECURITY AVAST.exe (PID: 1228)
XWORM has been detected (YARA)
- SECURITY AVAST.exe (PID: 1228)
SUSPICIOUS
Reads the Internet Settings
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
- WMIC.exe (PID: 2620)
- NitroRansomware.exe (PID: 3796)
Connects to unusual port
- SECURITY AVAST.exe (PID: 1228)
Starts CMD.EXE for commands execution
- NitroRansomware.exe (PID: 3796)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 3048)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 2620)
INFO
Checks supported languages
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
- SECURITY AVAST.exe (PID: 1228)
- NitroRansomware.exe (PID: 3796)
Reads the computer name
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
- SECURITY AVAST.exe (PID: 1228)
- NitroRansomware.exe (PID: 3796)
Create files in a temporary directory
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
Reads the machine GUID from the registry
- da5268b1-b8ec-4de6-9e30-8436242fa66d.exe (PID: 564)
- SECURITY AVAST.exe (PID: 1228)
- NitroRansomware.exe (PID: 3796)
Reads Environment values
- NitroRansomware.exe (PID: 3796)
Creates files or folders in the user directory
- SECURITY AVAST.exe (PID: 1228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(1228) SECURITY AVAST.exe
C216.ip.gl.ply.gg:59539
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
Mutexb5dIopJKeYh4Cm4x
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:02 14:07:06+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 181248 |
| InitializedDataSize: | 44032 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2e34e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 1.0.0.0 |
| InternalName: | D WAX.exe |
| LegalCopyright: | |
| OriginalFileName: | D WAX.exe |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
43
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 564 | "C:\Users\admin\Desktop\da5268b1-b8ec-4de6-9e30-8436242fa66d.exe" | C:\Users\admin\Desktop\da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1228 | "C:\Users\admin\AppData\Local\Temp\SECURITY AVAST.exe" | C:\Users\admin\AppData\Local\Temp\SECURITY AVAST.exe | da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | ||||||||||||
User: admin Company: Discord Inc. Integrity Level: MEDIUM Description: Discord - https://discord.com/ Exit code: 0 Version: 1.0.64.0 Modules
XWorm(PID) Process(1228) SECURITY AVAST.exe C216.ip.gl.ply.gg:59539 Keys AES<123456789> Options Splitter<Xwormmm> Sleep time3 USB drop nameUSB.exe Mutexb5dIopJKeYh4Cm4x | |||||||||||||||
| 2620 | wmic csproduct get uuid | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3048 | "cmd.exe" | C:\Windows\System32\cmd.exe | — | NitroRansomware.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3796 | "C:\Users\admin\AppData\Local\Temp\NitroRansomware.exe" | C:\Users\admin\AppData\Local\Temp\NitroRansomware.exe | da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: NitroRansomware Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
2 262
Read events
2 254
Write events
8
Delete events
0
Modification events
| (PID) Process: | (564) da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (564) da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (564) da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (564) da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 564 | da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | C:\Users\admin\AppData\Local\Temp\SECURITY AVAST.exe | executable | |
MD5:CCEBA0CA8ED89F7C181BCFBBD934C591 | SHA256:2F8785EF55401B2A906B9BC6A4D995BB58084C12577D39DAE5A32D49525AE629 | |||
| 1228 | SECURITY AVAST.exe | C:\Users\admin\AppData\Roaming\SECURITY AVAST.exe | executable | |
MD5:CCEBA0CA8ED89F7C181BCFBBD934C591 | SHA256:2F8785EF55401B2A906B9BC6A4D995BB58084C12577D39DAE5A32D49525AE629 | |||
| 564 | da5268b1-b8ec-4de6-9e30-8436242fa66d.exe | C:\Users\admin\AppData\Local\Temp\NitroRansomware.exe | executable | |
MD5:9D45FEDB0C67A1C04A89EDB3EE707D44 | SHA256:7019F42701A888986B9DDA599F0E8A6D21A762D409F539A05345778E39DE7865 | |||
| 1228 | SECURITY AVAST.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SECURITY AVAST.lnk | binary | |
MD5:0527539EAD4BB49735EFAC875AAC325B | SHA256:6815DD823C1564ED62E718002043398A927881C075C5ABA227A1431E56C82469 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
6
Threats
2
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3796 | NitroRansomware.exe | 173.231.16.77:443 | api.ipify.org | WEBNX | US | unknown |
1228 | SECURITY AVAST.exe | 147.185.221.16:59539 | 16.ip.gl.ply.gg | PLAYIT-GG | US | malicious |
3796 | NitroRansomware.exe | 104.237.62.212:443 | api.ipify.org | WEBNX | US | unknown |
3796 | NitroRansomware.exe | 64.185.227.156:443 | api.ipify.org | WEBNX | US | unknown |
3796 | NitroRansomware.exe | 162.159.136.232:443 | discord.com | CLOUDFLARENET | — | shared |
3796 | NitroRansomware.exe | 162.159.128.233:443 | discord.com | CLOUDFLARENET | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.ipify.org |
| shared |
16.ip.gl.ply.gg |
| malicious |
dns.msftncsi.com |
| shared |
discord.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
1080 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |