File name: Injector.exe

Full analysis: https://app.any.run/tasks/aa24e88d-be94-4563-8ce8-44f1c7d4ed9d
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: November 27, 2023, 22:40:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
xworm
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: D00E470526E33ABD9DEBD92345DB8D29
SHA1: 9B352C1D1752A87DE35868C669DEBA3D7312E383
SHA256: 72F848317230E9B09818547975B9F172CA195B7CFFA5596704F708875C3DE83E
SSDEEP: 3072:a254augv4Qx1FpesmNLSs0W69YIaqDUR3Q:/XQQx11mJSs05YIaqIR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Injector.exe (PID: 3320)
      • Windows Update Security.exe (PID: 3072)
      • Windows Update Security.exe (PID: 3352)
    • Adds path to the Windows Defender exclusion list

      • Windows Update Security.exe (PID: 3072)
      • svchost.com (PID: 2760)
      • svchost.com (PID: 304)
    • Changes powershell execution policy (Bypass)

      • svchost.com (PID: 2760)
      • svchost.com (PID: 304)
      • svchost.com (PID: 2996)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3160)
      • powershell.exe (PID: 1844)
      • powershell.exe (PID: 3388)
    • Adds process to the Windows Defender exclusion list

      • Windows Update Security.exe (PID: 3072)
      • svchost.com (PID: 2996)
    • Uses Task Scheduler to run other applications

      • svchost.com (PID: 3468)
    • XWORM has been detected (YARA)

      • Windows Update Security.exe (PID: 3072)
    • Actions look like stealing of personal data

      • svchost.com (PID: 2760)
      • Windows Update Security.exe (PID: 3352)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Injector.exe (PID: 3320)
      • Injector.exe (PID: 2864)
      • Windows Update Security.exe (PID: 3352)
      • Windows Update Security.exe (PID: 3072)
      • cmd.exe (PID: 1988)
    • Starts CMD.EXE for commands execution

      • Injector.exe (PID: 2864)
    • Executing commands from ".cmd" file

      • Injector.exe (PID: 2864)
    • Starts application with an unusual extension

      • Windows Update Security.exe (PID: 3072)
    • Powershell version downgrade attack

      • powershell.exe (PID: 3160)
    • Starts POWERSHELL.EXE for commands execution

      • svchost.com (PID: 2760)
      • svchost.com (PID: 304)
      • cmd.exe (PID: 1988)
      • svchost.com (PID: 2996)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1988)
    • Connects to unusual port

      • Windows Update Security.exe (PID: 3072)
    • Checks for external IP

      • Windows Update Security.exe (PID: 3072)
    • Get information on the list of running processes

      • cmd.exe (PID: 1988)
  • INFO

    • Checks supported languages

      • Windows Update Security.exe (PID: 3352)
      • Injector.exe (PID: 3320)
      • Injector.exe (PID: 2864)
      • Windows Update Security.exe (PID: 3072)
      • svchost.com (PID: 2760)
    • Reads the computer name

      • Injector.exe (PID: 3320)
      • Injector.exe (PID: 2864)
      • Windows Update Security.exe (PID: 3352)
      • Windows Update Security.exe (PID: 3072)
    • Create files in a temporary directory

      • Windows Update Security.exe (PID: 3352)
    • Reads Environment values

      • Windows Update Security.exe (PID: 3072)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1360)
      • svchost.com (PID: 2064)
      • verclsid.exe (PID: 608)
    • Reads the machine GUID from the registry

      • Windows Update Security.exe (PID: 3072)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report

XWorm

(PID) Process: (3072) Windows Update Security.exe
C2: 16.ip.gl.ply.gg:42863
Keys:
  AES: 123456789
Options:
  Splitter: Xwormmm
  Sleep time: 3
  USB drop name: USB.exe
  Mutex: 89t2IzIiygrIVwn4

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 125440
UninitializedDataSize: -
EntryPoint: 0x1475
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 113
Monitored processes: 65
Malicious processes: 7
Suspicious processes: 2

Behavior graph

Process nodes of the graph, in the order rendered in the full report ("#XWORM" marks the node that matched the XWorm signature; nodes the report shows without recorded properties are labelled "no specs" there):

start → injector.exe → injector.exe → windows update security.exe → cmd.exe → timeout.exe → #XWORM windows update security.exe → svchost.com → powershell.exe → timeout.exe → wmpnscfg.exe → svchost.com → powershell.exe → svchost.com → powershell.exe → svchost.com → schtasks.exe → tasklist.exe → find.exe → timeout.exe (×4) → powershell.exe → timeout.exe (×2) → svchost.com → explorer.exe → timeout.exe (many) → verclsid.exe → timeout.exe (many) → injector.exe

The dozens of timeout.exe nodes are the repeated `timeout /t 1 /nobreak` calls spawned by cmd.exe (PID 1988).

Process information

PID: 304
CMD: "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Update Security.exe'
Path: C:\Windows\svchost.com
Parent process: Windows Update Security.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\windows\svchost.com
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
PID: 544
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 608
CMD: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
Path: C:\Windows\System32\verclsid.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extension CLSID Verification Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 732
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 856
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 948
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1232
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1360
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll
PID: 1448
CMD: timeout /t 2 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\timeout.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\ws2_32.dll
PID: 1616
CMD: timeout /t 1 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4,900
Read events: 4,695
Write events: 202
Delete events: 3

Modification events

All entries below write to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.

PID   Process                      Operation  Name           Value
3320  Injector.exe                 write      ProxyBypass    1
3320  Injector.exe                 write      IntranetName   1
3320  Injector.exe                 write      UNCAsIntranet  1
3320  Injector.exe                 write      AutoDetect     0
2864  Injector.exe                 write      ProxyBypass    1
2864  Injector.exe                 write      IntranetName   1
2864  Injector.exe                 write      UNCAsIntranet  1
2864  Injector.exe                 write      AutoDetect     0
3352  Windows Update Security.exe  write      ProxyBypass    1
3352  Windows Update Security.exe  write      IntranetName   1
Executable files: 49
Suspicious files: 13
Text files: 4
Unknown types: 0

Dropped files

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\dwtrig20.exe (executable)
  MD5: AD98B20199243808CDE0B5F0FD14B98F
  SHA256: 214F478E94658FA2BD7F0BC17022831BAEE707756798ADDB41D9C5BEE050E70B

PID 2864, Injector.exe
  File: C:\Windows\inject.cmd (text)
  MD5: 0785DE8289398F5DCFD1F5CEC09F5E2B
  SHA256: 1F17A55A8886B0543CC85C2327B82F7C680700A18F55B82D511A2FBE025CDC79

PID 3352, Windows Update Security.exe
  File: C:\Windows\svchost.com (executable)
  MD5: 2F50ACA08FFC461C86E8FB5BBEDDA142
  SHA256: D60208F3894F4556CAAE5ED2297C0EF1593A4A66F5AF8F3F2E44A8F2896BBF8E

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXE (executable)
  MD5: 754309B7B83050A50768236EE966224F
  SHA256: ACD32DD903E5464B0ECD153FB3F71DA520D2E59A63D4C355D9C1874C919D04E6

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\DW20.EXE (executable)
  MD5: 754309B7B83050A50768236EE966224F
  SHA256: ACD32DD903E5464B0ECD153FB3F71DA520D2E59A63D4C355D9C1874C919D04E6

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe (executable)
  MD5: DC6114CF663CCDB1E55D37E6501C54CC
  SHA256: D566164C874EF66149B493E3220616CDB9090A8CEBB4A1325C48C705AEA5C348

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exe (executable)
  MD5: 248A8DF8E662DFCA1DB4F7160E1A972B
  SHA256: 6C7ABEEBD50487CA33315F5E507C9A5346E6E7A4B732103B35B8006ED58D7BB2

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\dwtrig20.exe (executable)
  MD5: AD98B20199243808CDE0B5F0FD14B98F
  SHA256: 214F478E94658FA2BD7F0BC17022831BAEE707756798ADDB41D9C5BEE050E70B

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\dwtrig20.exe (executable)
  MD5: AD98B20199243808CDE0B5F0FD14B98F
  SHA256: 214F478E94658FA2BD7F0BC17022831BAEE707756798ADDB41D9C5BEE050E70B

PID 3352, Windows Update Security.exe
  File: C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\DW20.EXE (executable)
  MD5: 754309B7B83050A50768236EE966224F
  SHA256: ACD32DD903E5464B0ECD153FB3F71DA520D2E59A63D4C355D9C1874C919D04E6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 4
Threats: 3

HTTP requests

PID   Process                      Method  HTTP Code  IP               URL                                     CN       Type  Size  Reputation
3072  Windows Update Security.exe  GET     200        208.95.112.1:80  http://ip-api.com/line/?fields=hosting  unknown  text  6 b   unknown

Connections

PID   Process                      IP                     Domain           ASN        CN  Reputation
4     System                       192.168.100.255:137    -                -          -   whitelisted
4     System                       192.168.100.255:138    -                -          -   whitelisted
1080  svchost.exe                  224.0.0.252:5355       -                -          -   unknown
2588  svchost.exe                  239.255.255.250:1900   -                -          -   whitelisted
3072  Windows Update Security.exe  208.95.112.1:80        ip-api.com       TUT-AS     US  unknown
3072  Windows Update Security.exe  147.185.221.16:42863   16.ip.gl.ply.gg  PLAYIT-GG  US  malicious

DNS requests

Domain            IP               Reputation
ip-api.com        208.95.112.1     shared
16.ip.gl.ply.gg   147.185.221.16   malicious
dns.msftncsi.com  131.107.255.255  shared

Threats

PID   Process                      Class                                           Message
3072  Windows Update Security.exe  Device Retrieving External IP Address Detected  ET POLICY External IP Lookup ip-api.com
3072  Windows Update Security.exe  Potential Corporate Privacy Violation           AV POLICY Internal Host Retrieving External IP Address (ip-api.com)
3072  Windows Update Security.exe  Device Retrieving External IP Address Detected  POLICY [ANY.RUN] External Hosting Lookup by ip-api
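The network sections together tell one story: PID 3072 asks ip-api.com about its own address and then opens a session to 16.ip.gl.ply.gg on port 42863, the C2 endpoint from the extracted configuration, behind the PLAYIT-GG tunnelling ASN. The `fields=hosting` parameter asks ip-api's documented `hosting` field whether the caller's address belongs to a hosting provider, which reads as a sandbox/VPS check; that interpretation is mine, the report only records the URL and a 6-byte text response. The block below is an added example of correlating those records per PID and pulling out blockable indicators; it is not code from the report or from ANY.RUN. The records are constructed from the Connections, DNS and HTTP tables above, and the dict layout, the relay-domain list and the port list are my own assumptions.

```python
# Constructed connection and HTTP records. Values are copied from this report's
# "Connections" and "HTTP requests" tables; the record layout (dict keys) is an
# assumption, not ANY.RUN's export format.
CONNECTIONS = [
    {"pid": 4, "process": "System", "dst": "192.168.100.255:137", "domain": None, "asn": None, "rep": "whitelisted"},
    {"pid": 4, "process": "System", "dst": "192.168.100.255:138", "domain": None, "asn": None, "rep": "whitelisted"},
    {"pid": 1080, "process": "svchost.exe", "dst": "224.0.0.252:5355", "domain": None, "asn": None, "rep": "unknown"},
    {"pid": 2588, "process": "svchost.exe", "dst": "239.255.255.250:1900", "domain": None, "asn": None, "rep": "whitelisted"},
    {"pid": 3072, "process": "Windows Update Security.exe", "dst": "208.95.112.1:80",
     "domain": "ip-api.com", "asn": "TUT-AS", "rep": "unknown"},
    {"pid": 3072, "process": "Windows Update Security.exe", "dst": "147.185.221.16:42863",
     "domain": "16.ip.gl.ply.gg", "asn": "PLAYIT-GG", "rep": "malicious"},
]
HTTP = [
    {"pid": 3072, "method": "GET", "status": 200, "url": "http://ip-api.com/line/?fields=hosting", "size": 6},
]

IP_LOOKUP_DOMAINS = {"ip-api.com"}
# Relay/tunnelling services that give a C2 behind NAT a public endpoint. Only
# ply.gg (ASN PLAYIT-GG) is evidenced by this report; extend from your own telemetry.
RELAY_SUFFIXES = (".ply.gg",)
# Ports whose use alone is not interesting here (web, DNS, NetBIOS, SSDP, LLMNR).
COMMON_PORTS = {80, 443, 53, 137, 138, 1900, 5355}


def port_of(dst):
    return int(dst.rsplit(":", 1)[1])


def host_of(dst):
    return dst.rsplit(":", 1)[0]


def is_relay(domain):
    return bool(domain) and domain.lower().endswith(RELAY_SUFFIXES)


def correlate(connections, http):
    """Group records by PID and flag a process that talks to a relay service, or
    that looks up its external IP and then uses a non-standard port."""
    by_pid = {}
    for c in connections:
        rec = by_pid.setdefault(c["pid"], {"process": c["process"], "ip_lookup": False,
                                           "hosting_check": False, "relay": [], "odd_ports": []})
        if c["domain"] in IP_LOOKUP_DOMAINS:
            rec["ip_lookup"] = True
        if is_relay(c["domain"]):
            rec["relay"].append(c["dst"])
        port = port_of(c["dst"])
        if port not in COMMON_PORTS:
            rec["odd_ports"].append(port)
    for h in http:
        # ip-api's "hosting" field answers whether the caller's IP belongs to a
        # hosting provider: a cheap "am I running in a sandbox or VPS?" probe.
        if h["pid"] in by_pid and "fields=hosting" in h["url"]:
            by_pid[h["pid"]]["hosting_check"] = True
    return {pid: r for pid, r in by_pid.items()
            if r["relay"] or (r["ip_lookup"] and r["odd_ports"])}


def iocs(findings, connections):
    """Indicators worth blocking: relay endpoints of flagged PIDs. The shared
    ip-api.com service is deliberately left out, benign software uses it too."""
    out = set()
    for c in connections:
        if c["pid"] in findings and is_relay(c["domain"]):
            out.add(("domain", c["domain"]))
            out.add(("ip", host_of(c["dst"])))
            out.add(("ip:port", c["dst"]))
    return sorted(out)


if __name__ == "__main__":
    found = correlate(CONNECTIONS, HTTP)
    for pid, r in found.items():
        print(f"PID {pid} ({r['process']}): relay={r['relay']} ip_lookup={r['ip_lookup']} "
              f"hosting_check={r['hosting_check']} odd_ports={r['odd_ports']}")
    for kind, value in iocs(found, CONNECTIONS):
        print(f"  {kind}: {value}")
```

The NetBIOS, LLMNR and SSDP rows from PIDs 4, 1080 and 2588 fall out as background noise; only PID 3072 is returned, with the ply.gg endpoint as the sole indicator set. Blocking the relay hostname is more durable than the IP, since playit-style tunnels can be re-pointed at a new address without touching the implant's configuration.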
No debug info