Malware Analysis Report

2024-11-16 13:38

Sample ID: 240530-kmgv1acb7s
Target: E4ExecutorBootstrapper.exe
SHA256: 1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6
Tags: xworm, execution, persistence, rat, trojan, evasion, themida
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6

Threat Level: Known bad

The file E4ExecutorBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm, execution, persistence, rat, trojan, evasion, themida

Detect Xworm Payload

Xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-05-30 08:42

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 08:42
Reported: 2024-05-30 08:45
Platform: win7-20240508-en
Max time kernel: 134s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2848 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 2848 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 2848 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 2848 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 2848 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 2848 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 2848 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 3020 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\schtasks.exe
PID 3020 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\schtasks.exe
PID 3020 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\schtasks.exe
PID 2156 wrote to memory of 2240 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe
PID 2156 wrote to memory of 2240 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe
PID 2156 wrote to memory of 2240 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe
PID 2156 wrote to memory of 1324 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe
PID 2156 wrote to memory of 1324 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe
PID 2156 wrote to memory of 1324 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

"C:\Users\Admin\AppData\Roaming\WUDFHost.exe"

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RegAsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegAsm" /tr "C:\Users\Admin\AppData\Roaming\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FC942592-7FE0-428E-B62E-EE0AF074899A} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
GB | 20.26.156.215:443 | github.com | tcp
N/A | 127.0.0.1:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp

Files

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

\??\PIPE\srvsvc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-30 08:42
Reported: 2024-05-30 08:45
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

Signatures

Detect Xworm Payload

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Themida packer

themida

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1636 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 1636 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 1636 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 1636 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 1636 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 772 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 1000 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 772 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\schtasks.exe
PID 772 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Roaming\WUDFHost.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

"C:\Users\Admin\AppData\Roaming\WUDFHost.exe"

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RegAsm.exe'

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegAsm" /tr "C:\Users\Admin\AppData\Roaming\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
N/A | 127.0.0.1:59197 | | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
CA | 174.117.48.242:1604 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
N/A | 127.0.0.1:1604 | | tcp
N/A | 127.0.0.1:1604 | | tcp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
N/A | 127.0.0.1:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:1604 | | tcp
N/A | 127.0.0.1:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp
N/A | 127.0.0.1:1604 | | tcp
CA | 174.117.48.242:1604 | | tcp

Files

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpb2dxtj.bv1.ps1

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE


C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegAsm.exe.log
