File name:	SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe
Full analysis:	https://app.any.run/tasks/33f805b7-d3f8-42da-942d-aa5e3c8c3733
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	May 21, 2024, 15:52:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	xworm remote
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	78BD2BD5C0E94FA766E367A168BB4533
SHA1:	D7EA5BCA4E50E39C6DCA8C7B6831D7600C3CE2BB
SHA256:	B542502918E537ABFF66105F9432F29E6D8BA7D4169B7D2894DD9ED3261E0141
SSDEEP:	49152:NPOx1+XlMr4nuSIiE2oMKRDqBOaLVHZ5jXK3oGQsj/7:1OUlvw95q0w5Z1XK4Gpj/7

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:05:19 13:25:30+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.38
CodeSize:	655872
InitializedDataSize:	134656
UninitializedDataSize:	-
EntryPoint:	0x45388
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	9.17.361.99
ProductVersionNumber:	1.96.54.52
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	aOuoooUM
FileVersion:	9.17.361.99
InternalName:	ieIhAqi.exe
OriginalFileName:	APiBuJa.exe
ProductName:	ESeCo
ProductVersion:	1.96.54.52


(PID) Process:	(6240) SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
Operation:	write	Name:	Enabled
Value: 0
(PID) Process:	(6240) SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6240) SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6240) SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6240) SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
6764	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_8d80d499fbbd61c5c03d62809be5bb86c3cc23e_10244e01_6d7971bc-0347-4e58-ab69-fb1efd114f30\Report.wer		—
		MD5:—	SHA256:—
6764	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe.6240.dmp		—
		MD5:—	SHA256:—
6544	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:FDDD93076E38FDB4E0F37C64B97EF26E	SHA256:9AD50B91C8652B6AB3857B64FC186E98AAEA8CAFD60ACFC0F3999EC3CDA848F4
6764	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F47.tmp.WERInternalMetadata.xml		xml
		MD5:4994BC2B137265846A71D33361E8F565	SHA256:FBC2F47FBEC7437D3854734ADB4F0DCEA2DA44DE31F3CFB9EA501BA2B4972CC1
6544	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_512oq54a.mgt.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6544	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hgliz2sc.ma4.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6764	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E6B.tmp.dmp		dmp
		MD5:ECB2F2DDC5F86EA3B1417E87CE139A90	SHA256:13A895D044287FCCC93DADE77617F7C1D57C36FF52FED0359F4485AFAB4D17D1
6764	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F57.tmp.xml		xml
		MD5:D986EA3FC00BF1A9F3C671C1A89517DC	SHA256:16BF1B70234BF0C76E4F96DE7312006E2B35BD23A2672AF53F9FA06FBC81C878
5060	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-21.1554.5060.1.aodl		binary
		MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3	SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
5060	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-21.1554.5060.1.odl		binary
		MD5:114FE76D526771D5CFF0487E2706D365	SHA256:15FB23A869D8BC2490600C3B82B208A30EDBEE6293D556011A385A2946AE2666

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5140	MoUsoCoreWorker.exe	GET	200	2.16.164.98:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
4312	RUXIMICS.exe	GET	200	2.16.164.98:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
5612	svchost.exe	GET	200	2.16.164.98:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
4312	RUXIMICS.exe	GET	200	23.211.9.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
5140	MoUsoCoreWorker.exe	GET	200	23.211.9.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
5612	svchost.exe	GET	200	23.211.9.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
—	—	POST	204	92.123.128.168:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
2908	OfficeClickToRun.exe	POST	200	52.178.17.235:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
5612	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4312	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	239.255.255.250:1900	—	—	—	unknown
4312	RUXIMICS.exe	2.16.164.98:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5140	MoUsoCoreWorker.exe	2.16.164.98:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5612	svchost.exe	2.16.164.98:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
4312	RUXIMICS.exe	23.211.9.92:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5612	svchost.exe	23.211.9.92:80	www.microsoft.com	AKAMAI-AS	DE	unknown

Domain	IP	Reputation
crl.microsoft.com	2.16.164.98 2.16.164.97 2.16.164.89 2.16.164.114 2.16.164.122 2.16.164.24 2.16.164.99 2.16.164.107 2.16.164.17	unknown
www.microsoft.com	23.211.9.92	unknown
settings-win.data.microsoft.com	40.127.240.158	unknown
watson.events.data.microsoft.com	20.42.65.92	unknown
self.events.data.microsoft.com	20.42.65.94	unknown

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 9
—	—	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe

78BD2BD5C0E94FA766E367A168BB4533

D7EA5BCA4E50E39C6DCA8C7B6831D7600C3CE2BB

B542502918E537ABFF66105F9432F29E6D8BA7D4169B7D2894DD9ED3261E0141

49152:NPOx1+XlMr4nuSIiE2oMKRDqBOaLVHZ5jXK3oGQsj/7:1OUlvw95q0w5Z1XK4Gpj/7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Adds path to the Windows Defender exclusion list

XWORM has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Executes application which crashes

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Script raised an exception (POWERSHELL)

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings