General
- Target: Solara (3).exe
- Size: 177KB
- Sample: 240527-qdcskseg59
- MD5: c21aa696c0fda45ce8cd565bd4a15443
- SHA1: b4ab0eb0c1eadfb6f1a3bd770c0f3e8d87875ec4
- SHA256: bcab6d0e54773eafbab6e17eec93f095e58f6515560dc06a120045ddc07896db
- SHA512: 5383ee7fef9f174aefb446363d5aedeff3012aad9c022d5b3e1e4cf0d10461a90b4900b9750eae2ce4e72804408d79e80b1a6d73c0807196ea7b4230d7ae95f3
- SSDEEP: 3072:CcQGMkso4ej8SKfbzjcww7es6/VsprL/cjgrL0VYDQCogkOGa8opBm:SatUzcp7elMr4jgPqCoHOoo
Static task: static1
Behavioral task: behavioral1
- Sample: Solara (3).exe
- Resource: win7-20240215-en
Malware Config
Extracted family: xworm
- C2: 0.tcp.eu.ngrok.io:10438
- Install_directory: %AppData%
- install_file: svhost.exe
Targets
- Target: Solara (3).exe
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Sets file execution options in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)