| File name: | PulseX.exe |
| Full analysis: | https://app.any.run/tasks/0dea38a9-96e6-4634-8d94-5caa71d5e855 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | April 03, 2024, 23:09:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5: | 7847221FE552333A9A24E871C21519A5 |
| SHA1: | C1F9EB8C7F3F638D1069C2C83436CB5B7926B8FB |
| SHA256: | F0B9A7054305C7958CBEC07152753D73D18894FCD9A73EBFB60CAB7046FA4C94 |
| SSDEEP: | 1536:fYvK/WtxqYXbTnRsMN5g4t4FU5infxvDssCWtlmpA0yE7V7a5cWJs:O9zKwg4tTOGUGA0yExG5cQs |
MALICIOUS
Drops the executable file immediately after the start
- PulseX.exe (PID: 2420)
- PulseX.exe (PID: 3180)
XWORM has been detected (YARA)
- PulseX.exe (PID: 3180)
Create files in the Startup directory
- PulseX.exe (PID: 3180)
Changes the autorun value in the registry
- PulseX.exe (PID: 3180)
SUSPICIOUS
Reads the Internet Settings
- PulseX.exe (PID: 2420)
- PulseX.exe (PID: 3180)
Reads security settings of Internet Explorer
- PulseX.exe (PID: 2420)
- PulseX.exe (PID: 3180)
Checks for external IP
- PulseX.exe (PID: 3180)
The process creates files with name similar to system file names
- PulseX.exe (PID: 3180)
Likely accesses (executes) a file from the Public directory
- schtasks.exe (PID: 3068)
- ApplicationFrameHost.exe (PID: 1900)
Connects to unusual port
- PulseX.exe (PID: 3180)
The process executes via Task Scheduler
- ApplicationFrameHost.exe (PID: 1900)
INFO
Checks supported languages
- PulseX.exe (PID: 2420)
- PulseX.exe (PID: 3180)
- ApplicationFrameHost.exe (PID: 1900)
Reads the computer name
- PulseX.exe (PID: 3180)
- PulseX.exe (PID: 2420)
- ApplicationFrameHost.exe (PID: 1900)
Reads the machine GUID from the registry
- PulseX.exe (PID: 3180)
- ApplicationFrameHost.exe (PID: 1900)
Reads Environment values
- PulseX.exe (PID: 3180)
Creates files or folders in the user directory
- PulseX.exe (PID: 3180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(3180) PulseX.exe
C2frostycheats-63071.portmap.host:63071
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep timeWhat
USB drop nameUSB.exe
MutexC9naxTGKvc0QH9xQ
TRiD
| .exe | | | Win64 Executable (generic) (61.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.6) |
| .exe | | | Win32 Executable (generic) (10) |
| .exe | | | Win16/32 Executable Delphi generic (4.6) |
| .exe | | | Generic Win/DOS Executable (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 1536 |
| InitializedDataSize: | 91648 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1449 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.8.3.8 |
| ProductVersionNumber: | 1.8.3.8 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Unknown (0) |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Reaper |
| FileTitle: | - |
| FileDescription: | Reaper |
| FileVersion: | 1,8,3,8 |
| LegalCopyright: | Reaper |
| LegalTrademark: | - |
| ProductName: | Reaper |
| ProductVersion: | 1,8,3,8 |
Total processes
46
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1900 | C:\Users\Public\ApplicationFrameHost.exe | C:\Users\Public\ApplicationFrameHost.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Version: 1.0.0.0 Modules
| |||||||||||||||
| 2420 | "C:\Users\admin\AppData\Local\Temp\PulseX.exe" | C:\Users\admin\AppData\Local\Temp\PulseX.exe | explorer.exe | ||||||||||||
User: admin Company: Reaper Integrity Level: HIGH Description: Reaper Exit code: 0 Version: 1,8,3,8 Modules
| |||||||||||||||
| 3068 | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Public\ApplicationFrameHost.exe" | C:\Windows\System32\schtasks.exe | — | PulseX.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3180 | "C:\Windows\PulseX.exe" | C:\Windows\PulseX.exe | PulseX.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 1.0.0.0 Modules
XWorm(PID) Process(3180) PulseX.exe C2frostycheats-63071.portmap.host:63071 Keys AES<123456789> Options Splitter<Xwormmm> Sleep timeWhat USB drop nameUSB.exe MutexC9naxTGKvc0QH9xQ | |||||||||||||||
| 3956 | "C:\Users\admin\AppData\Local\Temp\PulseX.exe" | C:\Users\admin\AppData\Local\Temp\PulseX.exe | — | explorer.exe | |||||||||||
User: admin Company: Reaper Integrity Level: MEDIUM Description: Reaper Exit code: 3221226540 Version: 1,8,3,8 Modules
| |||||||||||||||
Total events
2 821
Read events
2 792
Write events
29
Delete events
0
Modification events
| (PID) Process: | (2420) PulseX.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2420) PulseX.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2420) PulseX.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2420) PulseX.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3180) PulseX.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PulseX_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2420 | PulseX.exe | C:\Windows\PulseX.exe | executable | |
MD5:— | SHA256:— | |||
| 3180 | PulseX.exe | C:\Users\Public\ApplicationFrameHost.exe | executable | |
MD5:— | SHA256:— | |||
| 3180 | PulseX.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
3
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3180 | PulseX.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3180 | PulseX.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
3180 | PulseX.exe | 193.161.193.99:63071 | frostycheats-63071.portmap.host | OOO Bitree Networks | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ip-api.com |
| shared |
frostycheats-63071.portmap.host |
| unknown |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3180 | PulseX.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3180 | PulseX.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api |
3180 | PulseX.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query to a Reverse Proxy Service Observed |
1080 | svchost.exe | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host) |