File name: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee

Full analysis: https://app.any.run/tasks/b68156cb-df82-48db-88b8-2b853ea55d19
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: January 11, 2025, 00:10:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: FB3B28A74FC931A89ACB88AFFA85AC8F
SHA1: 0C3BCF811112241312EC1298FA11A86B58F5B351
SHA256: CACD71018BABC4F0E7E0676FEEA914EC61E37216487A567A1E94D9F518CF40EE
SSDEEP: 24576:ya5FJMVq4k+VfUqBgyeC9PdLbDYDetRxjMK01r0Vvj9EH+/zmT/nhtlXk9jQ9Wlj:ya5FJMVq4kIfUqBgyeC9PdLbDYDetRxF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
    • Create files in the Startup directory

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • XWORM has been detected (YARA)

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Reads security settings of Internet Explorer

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
    • Application launched itself

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
    • Found regular expressions for crypto-addresses (YARA)

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Connects to unusual port

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
  • INFO

    • Creates files or folders in the user directory

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Reads the machine GUID from the registry

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Reads the computer name

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Checks supported languages

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6220)
    • Create files in a temporary directory

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
    • Process checks computer location settings

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)
    • The process uses the downloaded file

      • cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe (PID: 6304)

XWorm

(PID) Process: (6220) cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
C2: 154.39.0.150:5200
Keys
AES: 1987
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.6
Mutex: Tta9Wy8kD7xwtsRU

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

AssemblyVersion: 1.0.2.2
ProductVersion: 1.0.2.2
OriginalFileName: dxDF.exe
LegalCopyright:
InternalName: dxDF.exe
FileVersion: 1.0.2.2
FileDescription: LibertyReserve
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.2.2
FileVersionNumber: 1.0.2.2
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xac7a2
UninitializedDataSize: -
InitializedDataSize: 101376
CodeSize: 698368
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:17 15:13:10+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 135
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
    schtasks.exe (no specs)
      conhost.exe (no specs)
    #XWORM cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe

Process information

PID: 6304
CMD: "C:\Users\admin\AppData\Local\Temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe"
Path: C:\Users\admin\AppData\Local\Temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: LibertyReserve
Exit code: 0
Version: 1.0.2.2
Modules (Images):
  c:\users\admin\appdata\local\temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 7116
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\admin\AppData\Local\Temp\tmp97FD.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\schtasks.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7124
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 6220
CMD: "C:\Users\admin\AppData\Local\Temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe"
Path: C:\Users\admin\AppData\Local\Temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Parent process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
User: admin
Integrity Level: MEDIUM
Description: LibertyReserve
Version: 1.0.2.2
Modules (Images):
  c:\users\admin\appdata\local\temp\cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
Total events: 885
Read events: 885
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 6304
Process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Filename: C:\Users\admin\AppData\Roaming\VfcnvkK.exe
Type: executable
MD5: FB3B28A74FC931A89ACB88AFFA85AC8F
SHA256: CACD71018BABC4F0E7E0676FEEA914EC61E37216487A567A1E94D9F518CF40EE

PID: 6220
Process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Filename: C:\Users\admin\AppData\Roaming\Notepab.exe
Type: executable
MD5: FB3B28A74FC931A89ACB88AFFA85AC8F
SHA256: CACD71018BABC4F0E7E0676FEEA914EC61E37216487A567A1E94D9F518CF40EE

PID: 6304
Process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp97FD.tmp
Type: xml
MD5: 2F65FBAF1D19FDA3DB27494D7E18800D
SHA256: 5D94C99E36F127DCBD6A613A387C6E5B54DD3CE1236A589C4CAE3F1517394095

PID: 6220
Process: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
Type: binary
MD5: 08BE002B7146BF8FBE297303C506F750
SHA256: F8B1F412F9D5E3D01F177CB2396DC244BC1968FFF9BC4B80BDC2EFBE2A62B401
HTTP(S) requests: 7
TCP/UDP connections: 83
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6744 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | - | unknown | - | whitelisted
5096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
4328 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | - | unknown | - | whitelisted
5096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
4328 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4328 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1476 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4328 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4328 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4328 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.23
  • 40.126.31.69
  • 40.126.31.71
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info