General
- Target: seven.bat
- Size: 13KB
- Sample: 250404-q81g5azrs2
- MD5: 72b37c80ee58d00b5ffa174aabbb0b57
- SHA1: cf6c0f3bca62c83da4ee34c4929262bad1770ba1
- SHA256: a32aab9ec5b65cb24c9bec2cef92239ea0d27937123d2569b95530101e1c3459
- SHA512: 63d5a1a2daa676b8079f0da3d062659e661a1228211cbdd5aec4e86713847ee66071c956c34a2b3c20a70613ee9a3275f4e6ae1b3fb958e31f1d0002c27b711e
- SSDEEP: 384:c1ENmEhhmE77EIGujENmEhhmE77EIGD+G2dAI8b/mHT9YT3Q6TbsebaQD4Lforql:8Spb6jDGams
Static task: static1
Behavioral task: behavioral1
- Sample: seven.bat
- Resource: win10v2004-20250314-en
Malware Config
Extracted: xworm
- 89.23.100.91:7174
- Install_directory: %ProgramData%
- install_file: csrss.exe
- telegram: https://api.telegram.org/bot7044550017:AAG7R8kaIhFKV-CXgKS_6BPleXbgza38o8w
Extracted: gurcu
- https://api.telegram.org/bot6338125361:AAEpz2yMO25tDxVh4mOCZ2gjyEu5ZDJz6R4/sendMessag
Targets
- Target: seven.bat
- Size: 13KB
- MD5: 72b37c80ee58d00b5ffa174aabbb0b57
- SHA1: cf6c0f3bca62c83da4ee34c4929262bad1770ba1
- SHA256: a32aab9ec5b65cb24c9bec2cef92239ea0d27937123d2569b95530101e1c3459
- SHA512: 63d5a1a2daa676b8079f0da3d062659e661a1228211cbdd5aec4e86713847ee66071c956c34a2b3c20a70613ee9a3275f4e6ae1b3fb958e31f1d0002c27b711e
- SSDEEP: 384:c1ENmEhhmE77EIGujENmEhhmE77EIGD+G2dAI8b/mHT9YT3Q6TbsebaQD4Lforql:8Spb6jDGams
Signatures
- Detect Xworm Payload
- Disables service(s)
- Gurcu family
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Xworm family
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Stops running service(s)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clears Windows Event Logs to hide the activity of an intrusion.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (3)
  - Service Execution (3)

Persistence
- Create or Modify System Process (6)
  - Windows Service (6)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (6)
  - Windows Service (6)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
- Indicator Removal (1)
  - Clear Windows Event Logs (1)
- Modify Registry (5)

Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)