Analysis Overview
SHA256
c03c2ec5ef0958a61a913e2bfb80a420a030f579858cc203b3d2bc3b938400cd
Threat Level: Known bad
The file XWorm.rar was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
StormKitty payload
Stormkitty family
Obfuscated with Agile.Net obfuscator
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-29 10:12
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
91s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.dll",#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Chat.dll",#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Maps.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Ngrok-Disk.dll",#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Rocks.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileManager.dll",#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ProcessManager.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
91s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.ILHelpers.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
88s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Informations.dll",#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
88s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\MessageBox.dll",#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Utils.dll",#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Keylogger.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
89s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Programs.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Iced.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Backports.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
92s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Core.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\All-In-One.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileSeacher.dll",#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Performance.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Pdb.dll",#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Clipboard.dll",#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNC.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
88s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Pastime.dll",#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Newtonsoft.Json.dll",#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ActiveWindows.dll",#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Cmstp-Bypass.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Options.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
90s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\NAudio.dll",#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HRDP.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 199.232.214.172:80 | | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
89s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNCMemory.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:17
Platform
win11-20241007-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Microphone.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 10:11
Reported
2024-11-29 10:15
Platform
win11-20241007-en
Max time kernel
17s
Max time network
21s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Mdb.dll",#1
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.134.3:443 | | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 95.100.195.146:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.195.100.95.in-addr.arpa | udp |