| File name: | LOADER.exe |
| Full analysis: | https://app.any.run/tasks/1af85be2-a7b2-4127-ad5d-86c28313cc41 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | November 30, 2023, 20:52:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | C70C9F0B281AF0E70B6EF81B60498FEF |
| SHA1: | 47D29FA04EE96E426D942AF8246349DDFECC7A8C |
| SHA256: | 9E4B8FA628C8D93B7A63F57E07CEFE245820D5356EE1FE93D7EFEF5096A29AB3 |
| SSDEEP: | 98304:77pwh0ueWm4xFL2pH4BOQXGLsaIby5aZPpzC+xV8w1TLZRdWBJ6lURUhZup+Gz0A:+3jg8 |
MALICIOUS
Known privilege escalation attack
- dllhost.exe (PID: 2460)
Bypass execution policy to execute commands
- powershell.exe (PID: 3188)
- powershell.exe (PID: 3016)
Adds path to the Windows Defender exclusion list
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Changes powershell execution policy (Bypass)
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Uses Task Scheduler to autorun other applications
- LOADER.exe (PID: 2776)
Drops the executable file immediately after the start
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Application was injected by another process
- dllhost.exe (PID: 1992)
Runs injected code in another process
- dllhost.exe (PID: 3384)
XWORM has been detected (YARA)
- dllhost.exe (PID: 3384)
SUSPICIOUS
Reads the Internet Settings
- LOADER.exe (PID: 2692)
- LOADER.exe (PID: 2776)
- mshta.exe (PID: 1860)
- conhost.exe (PID: 2336)
Probably UAC bypass using CMSTP.exe (Connection Manager service profile)
- LOADER.exe (PID: 2692)
Starts POWERSHELL.EXE for commands execution
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Script adds exclusion path to Windows Defender
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Powershell version downgrade attack
- powershell.exe (PID: 3188)
- powershell.exe (PID: 3016)
The process creates files with name similar to system file names
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
Process drops legitimate windows executable
- LOADER.exe (PID: 2776)
Starts CMD.EXE for commands execution
- LOADER.exe (PID: 2776)
Executing commands from a ".bat" file
- LOADER.exe (PID: 2776)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 3144)
Runs shell command (SCRIPT)
- mshta.exe (PID: 1860)
Uses TASKKILL.EXE to kill process
- mshta.exe (PID: 1860)
Connects to unusual port
- dllhost.exe (PID: 3384)
INFO
Reads the computer name
- LOADER.exe (PID: 2692)
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
- dllhost.exe (PID: 3384)
Checks supported languages
- LOADER.exe (PID: 2692)
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
- dllhost.exe (PID: 3384)
Reads the machine GUID from the registry
- LOADER.exe (PID: 2692)
- LOADER.exe (PID: 2776)
- conhost.exe (PID: 2336)
- dllhost.exe (PID: 3384)
Checks transactions between databases Windows and Oracle
- cmstp.exe (PID: 3128)
Creates files in the program directory
- dllhost.exe (PID: 2460)
- LOADER.exe (PID: 2776)
Create files in a temporary directory
- LOADER.exe (PID: 2776)
Reads Internet Explorer settings
- mshta.exe (PID: 1860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(3384) dllhost.exe
C2adult-purchased.gl.at.ply.gg:13795
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
MutexYKZiG1I5L0tBR5Fs
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:11:17 23:44:39+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 2706944 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x296c3e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 1.0.0.0 |
| InternalName: | LOADER.exe |
| LegalCopyright: | |
| OriginalFileName: | LOADER.exe |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
58
Monitored processes
14
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1860 | mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close") | C:\Windows\System32\mshta.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 1984 | "C:\Windows\System32\schtasks.exe" /Create /F /TN "conhost" /SC ONLOGON /TR "C:\ProgramData\conhost.exe" /RL HIGHEST | C:\Windows\System32\schtasks.exe | — | LOADER.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1992 | C:\Windows\System32\dllhost.exe /Processid:{5e6e760c-34c8-4e45-a409-e1732e3c5d01} | C:\Windows\System32\dllhost.exe | winlogon.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2336 | "C:\ProgramData\conhost.exe" | C:\ProgramData\conhost.exe | — | LOADER.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.3636 Modules
| |||||||||||||||
| 2460 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2468 | timeout 3 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2692 | "C:\Users\admin\Desktop\LOADER.exe" | C:\Users\admin\Desktop\LOADER.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2776 | "C:\Users\admin\Desktop\LOADER.exe" | C:\Users\admin\Desktop\LOADER.exe | dllhost.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3016 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\dllhost.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | conhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3128 | "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\ljqssqg5.inf | C:\Windows\System32\cmstp.exe | — | LOADER.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 1 Version: 7.02.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 274
Read events
4 134
Write events
140
Delete events
0
Modification events
| (PID) Process: | (2692) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2692) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2692) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2692) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2776) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2776) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2776) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2776) LOADER.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3188) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1860) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
4
Suspicious files
6
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PEYT3P5JFUNQ508IK6XJ.temp | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 3188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1bf9ae.TMP | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 3016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:CA634235B5FD9FD2EEF42F86BE53830B | SHA256:3405CBB89EE7E4E05929CDFFDA9BD47FA3B1D92452FEC5D9BC953C4BB00B81B0 | |||
| 2336 | conhost.exe | C:\Users\Public\dllhost.exe | executable | |
MD5:FEABF0FF241A638B4ACE4348A009C1B2 | SHA256:13C58F1E2316A885A2D5A3AA1C58D8F5CB9BF5AA3C589F0BB4BF64C372066A5B | |||
| 2692 | LOADER.exe | C:\Windows\temp\ljqssqg5.inf | text | |
MD5:AE74602998DDEF8031CA49B476714906 | SHA256:81143F060C67F456D70C0D15B43698D12C1B5AB5B8CA872CA8421442A22A4EC6 | |||
| 2776 | LOADER.exe | C:\Users\admin\AppData\Local\Temp\tmpFBE1.tmp.bat | text | |
MD5:19B7700E2D945CB1F555FEC14C18F984 | SHA256:406C8898BB73F9C0F5A0327DBBF3E7A48CC8BE69721A6C2F1A14F8864B63AA6E | |||
| 3016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WMB6BRPVN7IWFY6DKGAZ.temp | binary | |
MD5:CA634235B5FD9FD2EEF42F86BE53830B | SHA256:3405CBB89EE7E4E05929CDFFDA9BD47FA3B1D92452FEC5D9BC953C4BB00B81B0 | |||
| 3016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1c068f.TMP | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 3188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 2776 | LOADER.exe | C:\ProgramData\conhost.exe | executable | |
MD5:BF07B7D5427443878FFAE8E87E545290 | SHA256:22E12C06D1D27ACCFBF7BEAB396DA35BC73CBFCE224285B7627D4F76D8023506 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
1
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3384 | dllhost.exe | 147.185.221.16:13795 | adult-purchased.gl.at.ply.gg | PLAYIT-GG | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
adult-purchased.gl.at.ply.gg |
| malicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |