Malware Analysis Report

2024-11-16 13:32

Sample ID: 240527-qdcskseg59
Target: Solara (3).exe
SHA256: bcab6d0e54773eafbab6e17eec93f095e58f6515560dc06a120045ddc07896db
Tags: xworm execution persistence rat trojan bootkit evasion upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: bcab6d0e54773eafbab6e17eec93f095e58f6515560dc06a120045ddc07896db
Threat Level: Known bad

The file Solara (3).exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm execution persistence rat trojan bootkit evasion upx

UAC bypass
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Sets file execution options in registry
Executes dropped EXE
Drops startup file
Checks computer location settings
UPX packed file
Checks whether UAC is enabled
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-27 13:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-27 13:08
Reported: 2024-05-27 13:10
Platform: win7-20240215-en
Max time kernel: 146s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara (3).exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | 0.tcp.eu.ngrok.io | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara (3).exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1680 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara (3).exe | C:\Users\Admin\AppData\Local\Temp\XWorm.exe
PID 2620 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\schtasks.exe
PID 1872 wrote to memory of 2204 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1872 wrote to memory of 868 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\svhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara (3).exe
  "C:\Users\Admin\AppData\Local\Temp\Solara (3).exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Windows\system32\taskeng.exe
  taskeng.exe {3742237D-CE6C-46C1-8AF3-D4FD1AF25675} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp
DE | 3.124.142.205:10438 | 0.tcp.eu.ngrok.io | tcp

Files

memory/1680-0-0x000007FEF5A43000-0x000007FEF5A44000-memory.dmp
memory/1680-1-0x0000000000EA0000-0x0000000000ED2000-memory.dmp
memory/1680-4-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  MD5    6557bd5240397f026e675afb78544a26
  SHA1   839e683bf68703d373b6eac246f19386bb181713
  SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
  SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  MD5    b1534015cbe713e13efc7d016219ad61
  SHA1   132526e2727cc3ada220c2ece52d5f6e59cc7ca6
  SHA256 31800ebdfe2ec7b3847c064281aeaec2586cd8e76d88e662364dcee4c5ee45b3
  SHA512 6422eba622c571fd12de0f3b0cb54b8ba3d3adf804302023b53b9363adb13518f9aa9b4828dd1435d994390a6b7a1f8123dc06d2a44f22a2e12b79e579da00d0

memory/2620-13-0x0000000001070000-0x00000000010B4000-memory.dmp
memory/2620-15-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp
memory/1680-16-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp
memory/2904-17-0x0000000000DF0000-0x0000000000DFA000-memory.dmp
memory/2836-22-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2836-23-0x0000000001D90000-0x0000000001D98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JW2P62E9RTKF7I8VC899.temp
  MD5    4821c7936786477c1cf2138488ef6b36
  SHA1   489e853a8c348cf80d18970a539cd2c85e001e41
  SHA256 f46828ccc2e848b2fd034116a417179ac4060ce20d5a1fb94d2d7ae04724a367
  SHA512 831ead6535652e04bc59d176028e2104179b27bc0b432f46c5ce3ee79fb9389e91a566e19c2be06a09f6bbeb0bc4f6648dac312c2726c5114c31e1d7f1696cc5

memory/1048-29-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
memory/1048-30-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

\??\PIPE\srvsvc
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2620-47-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp
memory/2204-51-0x0000000000FC0000-0x0000000001004000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-27 13:08
Reported: 2024-05-27 13:10
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara (3).exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Xworm

trojan rat xworm

Sets file execution options in registry

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifnnld.exe" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifnnld.exe" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara (3).exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifnnld.exe" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 0.tcp.eu.ngrok.io | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3076 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara (3).exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3076 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara (3).exe | C:\Users\Admin\AppData\Local\Temp\XWorm.exe
PID 1284 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Windows\System32\schtasks.exe
PID 1284 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe

System policy modification

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\ifnnld.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara (3).exe
  "C:\Users\Admin\AppData\Local\Temp\Solara (3).exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\ifnnld.exe
  "C:\Users\Admin\AppData\Local\Temp\ifnnld.exe"

C:\Users\Admin\AppData\Local\Temp\ifnnld.exe
  C:\Users\Admin\AppData\Local\Temp\ifnnld.exe explorer.exe

C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp
DE | 3.124.142.205:10438 | 0.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp

Files

memory/3076-0-0x0000000000EE0000-0x0000000000F12000-memory.dmp
memory/3076-1-0x00007FFC4B003000-0x00007FFC4B005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  MD5    6557bd5240397f026e675afb78544a26
  SHA1   839e683bf68703d373b6eac246f19386bb181713
  SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
  SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

memory/3076-10-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  MD5    b1534015cbe713e13efc7d016219ad61
  SHA1   132526e2727cc3ada220c2ece52d5f6e59cc7ca6
  SHA256 31800ebdfe2ec7b3847c064281aeaec2586cd8e76d88e662364dcee4c5ee45b3
  SHA512 6422eba622c571fd12de0f3b0cb54b8ba3d3adf804302023b53b9363adb13518f9aa9b4828dd1435d994390a6b7a1f8123dc06d2a44f22a2e12b79e579da00d0

memory/1284-25-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp
memory/1284-28-0x00000000002D0000-0x0000000000314000-memory.dmp
memory/3076-27-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp
memory/4636-30-0x0000000000160000-0x000000000016A000-memory.dmp
memory/4636-29-0x000000007531E000-0x000000007531F000-memory.dmp
memory/4636-31-0x00000000023A0000-0x00000000023AA000-memory.dmp
memory/4636-33-0x0000000005500000-0x0000000005512000-memory.dmp
memory/1284-70-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
  MD5    d0104f79f0b4f03bbcd3b287fa04cf8c
  SHA1   54f9d7adf8943cb07f821435bb269eb4ba40ccc2
  SHA256 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
  SHA512 daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
  MD5    c2ab942102236f987048d0d84d73d960
  SHA1   95462172699187ac02eaec6074024b26e6d71cff
  SHA256 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
  SHA512 e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
  MD5    c28b0fe9be6e306cc2ad30fe00e3db10
  SHA1   af79c81bd61c9a937fca18425dd84cdf8317c8b9
  SHA256 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
  SHA512 e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

memory/4920-955-0x00000182FFEE0000-0x00000182FFF02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swxnkvsl.h3q.ps1
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
  MD5    13babc4f212ce635d68da544339c962b
  SHA1   4881ad2ec8eb2470a7049421047c6d076f48f1de
  SHA256 bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
  SHA512 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5    d85ba6ff808d9e5444a4b369f5bc2730
  SHA1   31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    77d622bb1a5b250869a3238b9bc1402b
  SHA1   d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    9bc110200117a3752313ca2acaf8a9e1
  SHA1   fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
  SHA256 c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
  SHA512 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

memory/1284-1538-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp
memory/1284-1539-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ifnnld.exe
  MD5    9adbea80ed3e5ac0877eb81ac6450d6b
  SHA1   067de4b5df6fd064b1fa5d4506de582037b800d7
  SHA256 9f088f09889692a06176433c3cdf8d46c65c2e3d3f44cc04ffc90b0a5c15960d
  SHA512 197111ef2e5b342ee5e50261ee7b60c09047470e6b2122f0587ebd271e523cf0bf8490b18db4ea26750aadd51d8a913d702ecd109ba467eb61ecb7cd45f5a60d

memory/3688-1548-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/1920-1551-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/1920-1554-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1574-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1599-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1600-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1622-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1641-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1660-0x0000000000400000-0x00000000006D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  MD5    2ff39f6c7249774be85fd60a8f9a245e
  SHA1   684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/3688-1687-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1708-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1727-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1746-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1771-0x0000000000400000-0x00000000006D8000-memory.dmp
memory/3688-1792-0x0000000000400000-0x00000000006D8000-memory.dmp