Malware Analysis Report

2025-01-03 06:19

Sample ID 241126-xerrfstpbw
Target XWorm 5.6 Edition Cracked.zip
SHA256 52c2a5490cbfa4780940b18d6a288453e9115af91f8c10c4c99dbcf1eeda03e8
Tags
stormkitty xworm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52c2a5490cbfa4780940b18d6a288453e9115af91f8c10c4c99dbcf1eeda03e8

Threat Level: Known bad

The file XWorm 5.6 Edition Cracked.zip was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm

Contains code to disable Windows Defender

Detect Xworm Payload

StormKitty payload

Stormkitty family

Xworm family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-26 18:46

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 21:29

Platform

win10ltsc2021-20241023-en

Max time kernel

486s

Max time network

497s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 21:30

Platform

win10ltsc2021-20241023-en

Max time kernel

529s

Max time network

540s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ActiveWindows.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 21:30

Platform

win10ltsc2021-20241023-en

Max time kernel

568s

Max time network

578s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chat.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

505s

Max time network

516s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HBrowser.dll,#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

508s

Max time network

519s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HRDP.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:00

Platform

win10ltsc2021-20241023-en

Max time kernel

500s

Max time network

511s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\MessageBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\MessageBox.dll,#1

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:08

Platform

win10ltsc2021-20241023-en

Max time kernel

567s

Max time network

581s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Options.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Options.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

513s

Max time network

530s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Pastime.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Pastime.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 21:29

Platform

win10ltsc2021-20241023-en

Max time kernel

486s

Max time network

497s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NAudio.dll,#1

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

505s

Max time network

521s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

486s

Max time network

499s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Performance.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Performance.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

547s

Max time network

564s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ransomware.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ransomware.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

496s

Max time network

508s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ReverseProxy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ReverseProxy.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

471s

Max time network

481s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HiddenApps.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HiddenApps.dll,#1

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

520s

Max time network

531s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Maps.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Maps.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 21:31

Platform

win10ltsc2021-20241023-en

Max time kernel

523s

Max time network

533s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chromium.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Chromium.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

489s

Max time network

506s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FilesSearcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FilesSearcher.dll,#1

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:00

Platform

win10ltsc2021-20241023-en

Max time kernel

473s

Max time network

484s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ngrok-Installer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Ngrok-Installer.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:10

Platform

win10ltsc2021-20241023-en

Max time kernel

468s

Max time network

479s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ServiceManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ServiceManager.dll,#1

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:58

Platform

win10ltsc2021-20241023-en

Max time kernel

507s

Max time network

518s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Clipboard.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:58

Platform

win10ltsc2021-20241023-en

Max time kernel

597s

Max time network

601s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Cmstp-Bypass.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

536s

Max time network

547s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Keylogger.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Keylogger.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

495s

Max time network

507s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RunPE.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RunPE.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

593s

Max time network

601s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNCMemory.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

547s

Max time network

560s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Informations.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Informations.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

481s

Max time network

495s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Programs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Programs.dll,#1

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

511s

Max time network

522s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Regedit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Regedit.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:58

Platform

win10ltsc2021-20241023-en

Max time kernel

442s

Max time network

454s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FileManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 22:59

Platform

win10ltsc2021-20241023-en

Max time kernel

478s

Max time network

489s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\HVNC.dll,#1

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:00

Platform

win10ltsc2021-20241023-en

Max time kernel

489s

Max time network

499s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Microphone.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Microphone.dll,#1

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

487s

Max time network

498s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\ProcessManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-26 18:46

Reported

2024-11-26 23:09

Platform

win10ltsc2021-20241023-en

Max time kernel

523s

Max time network

535s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RemoteDesktop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RemoteDesktop.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A