Malware analysis /asafzss/XWORM-5.6/raw/refs/heads/main/XWorm%20V5.6.exe Malicious activity

Add for printing

download:	/asafzss/XWORM-5.6/raw/refs/heads/main/XWorm%20V5.6.exe
Full analysis:	https://app.any.run/tasks/8d974012-b880-482f-a35f-68a0808a2e33
Verdict:	Malicious activity
Analysis date:	January 11, 2025, 21:57:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	F8A31A0A95B3839A31FD971DBB4633EF
SHA1:	402E3B3FCDE07138AD518057715B8C1FC14F0029
SHA256:	ADD19A9DB4730F41575FB951E9AEC6DCF35D8DB2CB94CBA896667881467E6FD5
SSDEEP:	12288:rkRXH8xGm7qRFLyX17TpCq8d9Ly6/3gnXiT/aN73JjJZE61XkKRJ9XRhg09j:rkR38xV7IL617Tph8dB1/gnXiTSN75jL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Bypass)
  - SecurityHealthSystray.exe (PID: 6728)
- Adds path to the Windows Defender exclusion list
  - SecurityHealthSystray.exe (PID: 6728)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7020)
  - powershell.exe (PID: 2612)
  - powershell.exe (PID: 5592)
  - powershell.exe (PID: 6012)
- Adds process to the Windows Defender exclusion list
  - SecurityHealthSystray.exe (PID: 6728)
- Changes the autorun value in the registry
  - SecurityHealthSystray.exe (PID: 6728)
- Uses Task Scheduler to run other applications
  - SecurityHealthSystray.exe (PID: 6728)
- Create files in the Startup directory
  - SecurityHealthSystray.exe (PID: 6728)
SUSPICIOUS
- Reads the date of Windows installation
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Reads security settings of Internet Explorer
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Application launched itself
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
- Executable content was dropped or overwritten
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Process drops legitimate windows executable
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Starts a Microsoft application from unusual location
  - SecurityHealthSystray.exe (PID: 6728)
- Read disk information to detect sandboxing environments
  - SecurityHealthSystray.exe (PID: 6728)
- Reads the BIOS version
  - SecurityHealthSystray.exe (PID: 6728)
- The process checks if it is being run in the virtual environment
  - SecurityHealthSystray.exe (PID: 6728)
- Script adds exclusion path to Windows Defender
  - SecurityHealthSystray.exe (PID: 6728)
- Starts POWERSHELL.EXE for commands execution
  - SecurityHealthSystray.exe (PID: 6728)
- Script adds exclusion process to Windows Defender
  - SecurityHealthSystray.exe (PID: 6728)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 2192)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - SecurityHealthSystray.exe (PID: 6728)
- Connects to unusual port
  - SecurityHealthSystray.exe (PID: 6728)
INFO
- Checks supported languages
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Reads the computer name
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- The process uses the downloaded file
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Process checks computer location settings
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 2632)
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Reads the machine GUID from the registry
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
  - SecurityHealthSystray.exe (PID: 6728)
- Create files in a temporary directory
  - 8d974012-b880-482f-a35f-68a0808a2e33.exe (PID: 6460)
- Reads Environment values
  - SecurityHealthSystray.exe (PID: 6728)
- Sends debugging messages
  - SecurityHealthSystray.exe (PID: 6728)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7020)
  - powershell.exe (PID: 5592)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 2612)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 7020)
  - powershell.exe (PID: 5592)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 2612)
- Disables trace logs
  - SecurityHealthSystray.exe (PID: 6728)
- Creates files or folders in the user directory
  - SecurityHealthSystray.exe (PID: 6728)
- Checks proxy server information
  - SecurityHealthSystray.exe (PID: 6728)
- Reads the software policy settings
  - SecurityHealthSystray.exe (PID: 6728)
- Attempting to use instant messaging service
  - SecurityHealthSystray.exe (PID: 6728)
  - svchost.exe (PID: 2192)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:02 23:31:35+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	308224
InitializedDataSize:	140800
UninitializedDataSize:	-
EntryPoint:	0x4d3be
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	5.6.0.0
ProductVersionNumber:	5.6.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	XCoder
FileDescription:	XWorm
FileVersion:	5.6.0.0
InternalName:	XWorm V5.2.exe
LegalCopyright:	Copyright © 2024
OriginalFileName:	XWorm V5.2.exe
ProductName:	XWorm
ProductVersion:	5.6.0.0
AssemblyVersion:	5.6.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

143

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2600

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2612

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

SecurityHealthSystray.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll

2632

"C:\Users\admin\AppData\Local\Temp\8d974012-b880-482f-a35f-68a0808a2e33.exe"

C:\Users\admin\AppData\Local\Temp\8d974012-b880-482f-a35f-68a0808a2e33.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

XWorm

Exit code:

Version:

5.6.0.0

Modules

Images
c:\users\admin\appdata\local\temp\8d974012-b880-482f-a35f-68a0808a2e33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3288

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5576

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5592

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

SecurityHealthSystray.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll

6012

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

SecurityHealthSystray.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll

6460

"C:\Users\admin\AppData\Local\Temp\8d974012-b880-482f-a35f-68a0808a2e33.exe"

C:\Users\admin\AppData\Local\Temp\8d974012-b880-482f-a35f-68a0808a2e33.exe

8d974012-b880-482f-a35f-68a0808a2e33.exe

User:

admin

Integrity Level:

HIGH

Description:

XWorm

Exit code:

Version:

5.6.0.0

Modules

Images
c:\users\admin\appdata\local\temp\8d974012-b880-482f-a35f-68a0808a2e33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6672

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\admin\AppData\Roaming\SecurityHealthSystray.exe"

C:\Windows\System32\schtasks.exe

—

SecurityHealthSystray.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

24 133

Read events

24 118

Write events

Delete events

Modification events


(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SecurityHealthSystray
Value: C:\Users\admin\AppData\Roaming\SecurityHealthSystray.exe
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6728) SecurityHealthSystray.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecurityHealthSystray_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2612	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5b2c5m2u.asd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7020	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:8F9D78B29472154558F9231F29A33C61	SHA256:7BA3901B23C0C043713E093E26EA9C07F5D4A6FCA7F72B358308D05D694B5E91
5592	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_13cweb02.vz1.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2612	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wzswtj2t.0vw.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6012	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vreffgi0.ats.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7020	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nlmjzzrl.ntf.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6728	SecurityHealthSystray.exe	C:\Users\admin\AppData\Roaming\SecurityHealthSystray.exe		executable
		MD5:748F64715460739E1E15952636DA2D9C	SHA256:47AA1D54BAC9E15616A44B4CD0C85C4B55952EEDEA99A9E143B26CB31B751D25
6728	SecurityHealthSystray.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk		binary
		MD5:3E71755D8E1DE92099E081656BF71589	SHA256:02EAC933A3DD7514B41414F79CBE77F88BB69F7A7AE57E64A35688902F533694
7020	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gk0hdfdj.y32.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5592	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0zbjmy0x.0lz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6152	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7084	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7084	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.170:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 20.73.194.208	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	104.126.37.170 104.126.37.185 104.126.37.186 104.126.37.171 104.126.37.130 104.126.37.178 104.126.37.139 104.126.37.176 104.126.37.144	whitelisted
login.live.com	20.190.160.17 40.126.32.68 40.126.32.133 40.126.32.76 40.126.32.138 20.190.160.22 40.126.32.134 40.126.32.74	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
keyauth.win	104.26.1.5 172.67.72.57 104.26.0.5	malicious
api.telegram.org	149.154.167.220	shared

Threats

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
2192	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6728	SecurityHealthSystray.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
6728	SecurityHealthSystray.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2192	svchost.exe	Potential Corporate Privacy Violation	ET POLICY DNS Query to a Reverse Proxy Service Observed
2192	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)

Add for printing

No debug info

General Info

/asafzss/XWORM-5.6/raw/refs/heads/main/XWorm%20V5.6.exe

F8A31A0A95B3839A31FD971DBB4633EF

402E3B3FCDE07138AD518057715B8C1FC14F0029

ADD19A9DB4730F41575FB951E9AEC6DCF35D8DB2CB94CBA896667881467E6FD5

12288:rkRXH8xGm7qRFLyX17TpCq8d9Ly6/3gnXiT/aN73JjJZE61XkKRJ9XRhg09j:rkR38xV7IL617Tph8dB1/gnXiTSN75jL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Adds path to the Windows Defender exclusion list

Bypass execution policy to execute commands

Adds process to the Windows Defender exclusion list

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Application launched itself

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Read disk information to detect sandboxing environments

Reads the BIOS version

The process checks if it is being run in the virtual environment

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Script adds exclusion process to Windows Defender

Potential Corporate Privacy Violation

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

The process uses the downloaded file

Process checks computer location settings

Reads the machine GUID from the registry

Create files in a temporary directory

Reads Environment values

Sends debugging messages

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Disables trace logs

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information