General

  • Target

    Solara (3).exe

  • Size

    177KB

  • Sample

    240527-qdcskseg59

  • MD5

    c21aa696c0fda45ce8cd565bd4a15443

  • SHA1

    b4ab0eb0c1eadfb6f1a3bd770c0f3e8d87875ec4

  • SHA256

    bcab6d0e54773eafbab6e17eec93f095e58f6515560dc06a120045ddc07896db

  • SHA512

    5383ee7fef9f174aefb446363d5aedeff3012aad9c022d5b3e1e4cf0d10461a90b4900b9750eae2ce4e72804408d79e80b1a6d73c0807196ea7b4230d7ae95f3

  • SSDEEP

    3072:CcQGMkso4ej8SKfbzjcww7es6/VsprL/cjgrL0VYDQCogkOGa8opBm:SatUzcp7elMr4jgPqCoHOoo

Malware Config

Extracted

  • Family

    xworm

  • C2

    0.tcp.eu.ngrok.io:10438

  • Attributes

    Install_directory: %AppData%

    install_file: svhost.exe

Targets

    • Detect Xworm Payload

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15