File name:

Rundll32.exe

Full analysis: https://app.any.run/tasks/da18ffaa-a960-40a3-b860-39ca0efb0e30
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: December 28, 2024, 18:38:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

4D2969D5D0BC17E103F3B2C94BD474BD

SHA1:

DEB93D68B81149D8BD3F3476D3D0A8BA06F5EEFC

SHA256:

7ADE12BDEE6D826DB8DC1D743F5B48967B25EC76A80D1C2B3A64C0C2CD4A2C24

SSDEEP:

1536:4dHkwgpnOSc6GPjbrB5+p0Vr6I4fG8OZB:4tvMc6CbrWOlYOZB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Rundll32.exe (PID: 5752)

    • XWORM has been detected (YARA)

      • Rundll32.exe (PID: 5752)

    • Uses Task Scheduler to run other applications

      • Rundll32.exe (PID: 5752)

    • XWORM has been detected (SURICATA)

      • Rundll32.exe (PID: 5752)

    • Create files in the Startup directory

      • Rundll32.exe (PID: 5752)

    • Connects to the CnC server

      • Rundll32.exe (PID: 5752)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • Rundll32.exe (PID: 5752)

    • Checks for external IP

      • Rundll32.exe (PID: 5752)
      • svchost.exe (PID: 2192)

    • Executable content was dropped or overwritten

      • Rundll32.exe (PID: 5752)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2192)

    • Reads security settings of Internet Explorer

      • Rundll32.exe (PID: 5752)

    • Contacting a server suspected of hosting an CnC

      • Rundll32.exe (PID: 5752)

    • Connects to unusual port

      • Rundll32.exe (PID: 5752)

  • INFO

    • Disables trace logs

      • Rundll32.exe (PID: 5752)

    • Reads the computer name

      • Rundll32.exe (PID: 5752)

    • Reads Environment values

      • Rundll32.exe (PID: 5752)

    • Creates files or folders in the user directory

      • Rundll32.exe (PID: 5752)

    • The process uses the downloaded file

      • Rundll32.exe (PID: 5752)

    • Checks supported languages

      • Rundll32.exe (PID: 5752)

    • Checks proxy server information

      • Rundll32.exe (PID: 5752)

    • Creates files in the program directory

      • Rundll32.exe (PID: 5752)

    • Reads the machine GUID from the registry

      • Rundll32.exe (PID: 5752)

    • Process checks computer location settings

      • Rundll32.exe (PID: 5752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(5752) Rundll32.exe
C2mbaper-28496.portmap.host:28833
Keys
AES(<123456789>)
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexC7COFI6joTtkDKNZ
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:28 17:48:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 61440
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x10e0e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Rundll32.exe
LegalCopyright:
OriginalFileName: Rundll32.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #XWORM rundll32.exe svchost.exe schtasks.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4128"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn " " /tr "C:\ProgramData\ .exe"C:\Windows\System32\schtasks.exeRundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
5752"C:\Users\admin\Desktop\Rundll32.exe" C:\Users\admin\Desktop\Rundll32.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(5752) Rundll32.exe
C2mbaper-28496.portmap.host:28833
Keys
AES(<123456789>)
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexC7COFI6joTtkDKNZ
Total events
1 707
Read events
1 692
Write events
15
Delete events
0

Modification events

(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5752) Rundll32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Rundll32_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5752Rundll32.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnkbinary
MD5:BD37CBC76C018D3D27A4B4385DEED1DC
SHA256:1E7945FB03244E13C1650F81F699B6429A4B862E9EE26099A380AE40841A4F87
5752Rundll32.exeC:\ProgramData\ .exeexecutable
MD5:4D2969D5D0BC17E103F3B2C94BD474BD
SHA256:7ADE12BDEE6D826DB8DC1D743F5B48967B25EC76A80D1C2B3A64C0C2CD4A2C24
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
9
Threats
41

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4024
svchost.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5752
Rundll32.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4024
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
204
104.126.37.155:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4024
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4024
svchost.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5752
Rundll32.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
4712
MoUsoCoreWorker.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4024
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.156
  • 23.48.23.147
whitelisted
ip-api.com
  • 208.95.112.1
shared
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.138
  • 104.126.37.139
  • 104.126.37.171
  • 104.126.37.153
  • 104.126.37.186
  • 104.126.37.146
  • 104.126.37.155
  • 104.126.37.130
whitelisted
mbaper-28496.portmap.host
  • 193.161.193.99
malicious
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5752
Rundll32.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
5752
Rundll32.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2192
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2192
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
5752
Rundll32.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
34 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Rundll32.exe