Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

READ ME BE...xt.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    READ ME BEFOR OPEN.txt.exe

  • Size

    84KB

  • Sample

    250320-xe2awswzdt

  • MD5

    5f8d77b4baf223ecde7556b0c1f63c89

  • SHA1

    176ca0ebec13e5d80ce348204532612744735107

  • SHA256

    159c1154b8553b15f7feebbb129b1a69ce1f24dea85e2837ad84160e1ce6dc5c

  • SHA512

    befa25607d25902859dbb339e69d64d89e98264c88e848f2ed2b5c20aa7865b0e05658d4299deeb1aa9e79f3e58c2df61becb53285f857c0dc7a93091f864549

  • SSDEEP

    1536:HEe2sHTvN2b4p98BcYCXSg0qMl3nRgt5P7ZJUqAA/WkywGKwkvOWkVqkl:72W0n4lEl3RE5veV2W3

Score
10/10
gurcuxwormdefense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationransomwareratstealertrojan

Malware Config

Extracted

Family

xworm

C2

looking-brings.gl.at.ply.gg:65381

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y/sendMessage?chat_id=1002422094535

Targets

    • Target

      READ ME BEFOR OPEN.txt.exe

    • Size

      84KB

    • MD5

      5f8d77b4baf223ecde7556b0c1f63c89

    • SHA1

      176ca0ebec13e5d80ce348204532612744735107

    • SHA256

      159c1154b8553b15f7feebbb129b1a69ce1f24dea85e2837ad84160e1ce6dc5c

    • SHA512

      befa25607d25902859dbb339e69d64d89e98264c88e848f2ed2b5c20aa7865b0e05658d4299deeb1aa9e79f3e58c2df61becb53285f857c0dc7a93091f864549

    • SSDEEP

      1536:HEe2sHTvN2b4p98BcYCXSg0qMl3nRgt5P7ZJUqAA/WkywGKwkvOWkVqkl:72W0n4lEl3RE5veV2W3

    Score
    10/10
    gurcuxwormdefense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationransomwareratstealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Disables service(s)

      defense_evasionexecution

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies security service

      defense_evasion

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables RegEdit via registry modification

      defense_evasion

    • Disables Task Manager via registry modification

      defense_evasion

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies Windows Firewall

      defense_evasion

    • Possible privilege escalation attempt

      exploit

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Stops running service(s)

      defense_evasionexecution

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Service Stop

2
T1489

Tasks