
Analysis

  • max time kernel
    148s
  • max time network
    162s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250210-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13/02/2025, 18:58

General

  • Target

    XAXAX.exe

  • Size

    490KB

  • MD5

    0c93a1e7eaf5d44b8b53104773e7bf42

  • SHA1

    45d311fdb1f3009e83908e31b26b384d915e31d7

  • SHA256

    d747cee1f79aba5af6b2e2f160a89a994f8eeb3ee9db4cbddd2ab83ce7dba4fd

  • SHA512

    f8466caa3057168d979aab7189210973f040f0f2653b97b6d89f553164e30eef8b6aca415f56c7e0a45771abb0c6107d35be1f86c55e9c71d4c55a3736bac4b4

  • SSDEEP

    12288:8AFQ2mhH2GnRwLb4YdTuPzcPpuYzGYth8I8wwFFvpuR6UUof:fFQ2WH2KRwoYdTugP1zGU7SMVUof

Malware Config

Extracted

Family

xworm

C2

that-mortgages.gl.at.ply.gg:22887

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7081348414:AAEQqhREW9-Pc1-aeS5a2NxfTFybIlvMOhk/sendMessage?chat_id=6426180826

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7081348414:AAEQqhREW9-Pc1-aeS5a2NxfTFybIlvMOhk/sendMessage?chat_id=6426180826

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence 1 TTPs 6 IoCs

    Removes Image File Execution Options (IFEO) registry entries.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 49 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XAXAX.exe
    "C:\Users\Admin\AppData\Local\Temp\XAXAX.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\svghost.exe
      "C:\Users\Admin\AppData\Local\Temp\svghost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2328
    • C:\Users\Admin\AppData\Local\Temp\rrrr.exe
      "C:\Users\Admin\AppData\Local\Temp\rrrr.exe"
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • UAC bypass
      • Windows security bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3460
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\rrrr.exe" /rl HIGHEST /f
        3⤵
          PID:3040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rrrr.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "GoogleUpdateTaskMachineUK"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "GoogleUpdateTaskMachineUK"
            4⤵
              PID:4100
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            3⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:2420
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:1648
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3396
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
          1⤵
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1384
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTk2QTg5NTgtQkQyNi00Mjk4LUE1ODktRUEwRUZEREM3REQyfSIgdXNlcmlkPSJ7MTg4NjcxQjMtQUM1NC00MTY0LTk2NUQtQjFGQThGNzUxRDVBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTE0M0ZEMTYtMkY1Ni00MzFFLUFFQkYtQjhBMEE2NkRDMjVCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDU5MiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTYwNDg1MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4MDI3OTU4ODYiLz48L2FwcD48L3JlcXVlc3Q-
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:4592
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          C:\Users\Admin\AppData\Roaming\XClient.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4632
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          C:\Users\Admin\AppData\Roaming\XClient.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2676

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

          Filesize

          654B

          MD5

          2cbbb74b7da1f720b48ed31085cbd5b8

          SHA1

          79caa9a3ea8abe1b9c4326c3633da64a5f724964

          SHA256

          e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

          SHA512

          ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0T9JWXEH\www.bing[1].xml

          Filesize

          328B

          MD5

          e0123e6366e2f50d96b708175215c98a

          SHA1

          4dd2bd3aa86bac9a9af63f2604e21deeb1a234e2

          SHA256

          979c96c557bac85026d574df61c0ac1c9956264e0ef7cd16b8ca99363d795871

          SHA512

          7c9766e22a813199672db6382906a9475fb449c87926e9fbddf9b6b5fc680e1e4637b2cad7986bcfc2e6c6014acff701a8d50ef5777bac11df8c8b1c70796cf6

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0T9JWXEH\www.bing[1].xml

          Filesize

          15KB

          MD5

          8fe61e938d91259b51f3a84439f29fda

          SHA1

          89e639282c0acb152d33310a2cbbfbc2a781b7cf

          SHA256

          e3f9d2b9cd3e46a4b90545394543d43e314888f09a0ea42f8e7e0db08ac61347

          SHA512

          19c9c7173d7a61a5d87981cf40252b8665512448a203a8ecb1c7ee869df23f5f3fee20568b832f26cbf023b0266c475315a0f99903ab6b4063be92d7bbaab861

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cojsxcrb.wrw.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\rrrr.exe

          Filesize

          444KB

          MD5

          172c44fb669b09576df194d9104f3a0a

          SHA1

          4fc39629243971d38e90c44694f8cdc20f217e5a

          SHA256

          15e92e2dd5145c7bc4f6582477bd93574ac377aab70db2ea51d714bf43b09b91

          SHA512

          afc30b91f331a0c1309d2b2e620dfa218753f6dd0ebd4a30d28de03fac2e5a63d10c1a1ff1f54f71d660cc61929a751e0f14a1b6e324a8e4db323ee69d5cfdd5

        • C:\Users\Admin\AppData\Local\Temp\svghost.exe

          Filesize

          58KB

          MD5

          2b02ee09ed976138bdd2401e571abea0

          SHA1

          883f0e4bf5832b5abaa08673d12178ccbe8446e2

          SHA256

          5b63ae414976cb5eb21052a6477a4070a6f4f2f561c40652b88221f0d60b5931

          SHA512

          d2dac264df8c6fc1e7d5df733f71b503cf671d2a434f6b0f60895286994e4220d681b6fe862a16904f3013e50d991d4fc21c4bc998cf68a8e6c059b2f778bfb3

        • memory/1384-242-0x000001AE303F0000-0x000001AE304F0000-memory.dmp

          Filesize

          1024KB

        • memory/1384-231-0x000001B67BE00000-0x000001B67BF00000-memory.dmp

          Filesize

          1024KB

        • memory/1384-88-0x000001B67AD20000-0x000001B67AE20000-memory.dmp

          Filesize

          1024KB

        • memory/1384-140-0x000001B67C600000-0x000001B67C700000-memory.dmp

          Filesize

          1024KB

        • memory/1384-139-0x000001B67C010000-0x000001B67C030000-memory.dmp

          Filesize

          128KB

        • memory/1384-145-0x000001B67C1D0000-0x000001B67C1F0000-memory.dmp

          Filesize

          128KB

        • memory/1808-22-0x0000000000F00000-0x0000000000F14000-memory.dmp

          Filesize

          80KB

        • memory/1808-39-0x000000001BC80000-0x000000001BC90000-memory.dmp

          Filesize

          64KB

        • memory/1808-48-0x00007FF88EE63000-0x00007FF88EE65000-memory.dmp

          Filesize

          8KB

        • memory/1808-353-0x00000000031A0000-0x00000000031AC000-memory.dmp

          Filesize

          48KB

        • memory/1808-18-0x00007FF88EE63000-0x00007FF88EE65000-memory.dmp

          Filesize

          8KB

        • memory/1808-71-0x000000001BC80000-0x000000001BC90000-memory.dmp

          Filesize

          64KB

        • memory/2588-27-0x000001F72C050000-0x000001F72C072000-memory.dmp

          Filesize

          136KB

        • memory/3460-25-0x0000000000400000-0x0000000000597000-memory.dmp

          Filesize

          1.6MB

        • memory/3460-60-0x0000000000400000-0x0000000000597000-memory.dmp

          Filesize

          1.6MB

        • memory/3460-54-0x0000000000593000-0x0000000000594000-memory.dmp

          Filesize

          4KB

        • memory/3460-49-0x0000000000400000-0x0000000000597000-memory.dmp

          Filesize

          1.6MB

        • memory/3460-23-0x0000000000400000-0x0000000000597000-memory.dmp

          Filesize

          1.6MB

        • memory/3460-24-0x0000000000593000-0x0000000000594000-memory.dmp

          Filesize

          4KB