Malware Analysis Report

2025-01-03 06:21

Sample ID 241126-wfxhnasjg1
Target XWorm 5.6 Edition Cracked.zip
SHA256 52c2a5490cbfa4780940b18d6a288453e9115af91f8c10c4c99dbcf1eeda03e8
Tags
stormkitty xworm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52c2a5490cbfa4780940b18d6a288453e9115af91f8c10c4c99dbcf1eeda03e8

Threat Level: Known bad

The file XWorm 5.6 Edition Cracked.zip was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm

Contains code to disable Windows Defender

Detect Xworm Payload

StormKitty payload

Stormkitty family

Xworm family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-26 17:52

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:50

Platform

win10v2004-20241007-en

Max time kernel

1158s

Max time network

1162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Regedit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Regedit.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:30

Platform

win10v2004-20241007-en

Max time kernel

1160s

Max time network

1164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FilesSearcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FilesSearcher.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:34

Platform

win10v2004-20241007-en

Max time kernel

1136s

Max time network

1139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HiddenApps.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HiddenApps.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:34

Platform

win10v2004-20241007-en

Max time kernel

1120s

Max time network

1152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Informations.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Informations.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:35

Platform

win10v2004-20241007-en

Max time kernel

1157s

Max time network

1167s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Maps.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Maps.dll,#1

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:39

Platform

win10v2004-20241007-en

Max time kernel

1144s

Max time network

1149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ProcessManager.dll,#1

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:44

Platform

win10v2004-20241007-en

Max time kernel

1170s

Max time network

1181s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:19

Platform

win10v2004-20241007-en

Max time kernel

1157s

Max time network

1160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:39

Platform

win10v2004-20241007-en

Max time kernel

1178s

Max time network

1188s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Programs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Programs.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:50

Platform

win10v2004-20241007-en

Max time kernel

1151s

Max time network

1153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ReverseProxy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ReverseProxy.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:20

Platform

win10v2004-20241007-en

Max time kernel

1148s

Max time network

1150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:21

Platform

win10v2004-20241007-en

Max time kernel

1135s

Max time network

1138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:30

Platform

win10v2004-20241007-en

Max time kernel

1054s

Max time network

1157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:31

Platform

win10v2004-20241007-en

Max time kernel

1142s

Max time network

1144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:30

Platform

win10v2004-20241007-en

Max time kernel

1114s

Max time network

1159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:30

Platform

win10v2004-20241007-en

Max time kernel

1184s

Max time network

1194s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:32

Platform

win10v2004-20241007-en

Max time kernel

1187s

Max time network

1198s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:34

Platform

win10v2004-20241007-en

Max time kernel

1157s

Max time network

1160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Keylogger.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Keylogger.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:35

Platform

win10v2004-20241007-en

Max time kernel

1146s

Max time network

1149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\MessageBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\MessageBox.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:14

Platform

win10v2004-20241007-en

Max time kernel

1151s

Max time network

1155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:31

Platform

win10v2004-20241007-en

Max time kernel

1149s

Max time network

1151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:23

Platform

win10v2004-20241007-en

Max time kernel

1156s

Max time network

1158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chromium.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chromium.dll,#1

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:28

Platform

win10v2004-20241007-en

Max time kernel

1141s

Max time network

1144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:43

Platform

win10v2004-20241007-en

Max time kernel

1154s

Max time network

1158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ransomware.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ransomware.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:50

Platform

win10v2004-20241007-en

Max time kernel

1180s

Max time network

1193s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RemoteDesktop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RemoteDesktop.dll,#1

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:51

Platform

win10v2004-20241007-en

Max time kernel

1145s

Max time network

1148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RunPE.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RunPE.dll,#1

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:35

Platform

win10v2004-20241007-en

Max time kernel

1146s

Max time network

1159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ngrok-Installer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ngrok-Installer.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:37

Platform

win10v2004-20241007-en

Max time kernel

1190s

Max time network

1201s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Pastime.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Pastime.dll,#1

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:51

Platform

win10v2004-20241007-en

Max time kernel

1151s

Max time network

1153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ServiceManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ServiceManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:35

Platform

win10v2004-20241007-en

Max time kernel

1154s

Max time network

1157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Microphone.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Microphone.dll,#1

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:35

Platform

win10v2004-20241007-en

Max time kernel

1147s

Max time network

1149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Options.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Options.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-26 17:52

Reported

2024-11-27 01:38

Platform

win10v2004-20241007-en

Max time kernel

1022s

Max time network

1162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Performance.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Performance.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A