Overview

overview

10

Static

static

10

Solara v2.exe

windows7-x64

10

Solara v2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara v2.exe

  • Size

    230KB

  • MD5

    2c97e31fdc209f1ae51f1dc93a7993a7

  • SHA1

    fc6214f6e91809aaf29fa39cc6a0ebd09fa35909

  • SHA256

    eed43c12866f5d2d70382ccd10a07670e4b935885a3dbf375da38b8924339b0d

  • SHA512

    17d0b2244ceeb9d0d7cc75529a071bf4208b8b8b7d77d69f4639e5f2c2c8e66f81fc5a49689741caae9967a23877e0841f4aeb139471bd46f5ba95cdb9b6a415

  • SSDEEP

    3072:H/FnmqDWX+bSdKsmCOEtrH8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9Nz8:nDWub5kUhcX7elbKTua9bfF/H9d9n

Score
10/10
modiloaderxwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

takes-stewart.gl.at.ply.gg:61176

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ModiLoader First Stage 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara v2.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara v2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara v2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara v2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2440
    • C:\Users\Admin\AppData\Local\Temp\xtuutz.exe
      "C:\Users\Admin\AppData\Local\Temp\xtuutz.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xtuutz.exe
    Filesize

    359KB

    MD5

    b65fc413c4af96d84822e39ce969942a

    SHA1

    eaa176253f3b91ef6094221403362c8c51dff572

    SHA256

    dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c

    SHA512

    3e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVI0CVLBLNC95ELJKEN4.temp
    Filesize

    7KB

    MD5

    dc9fe73a86e0f0e02d033a1db838a4e7

    SHA1

    861fae2baf53110f273173cfd25f08d4949a87e2

    SHA256

    d2f422232bd083626e781c38be98338dad87b497609b5d3907b172986c3d1d9c

    SHA512

    834d85c933b64a13e3f78f3cf56119508f75bb57e0d0aae6c4ce7842f7b88e58c0c114b80220093932a9a7f71381f2962435fc4a1d20a9f27b8471c9e3e553f3

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/1032-6-0x0000000002C10000-0x0000000002C90000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1032-7-0x000000001B620000-0x000000001B902000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1032-8-0x0000000002790000-0x0000000002798000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1416-38-0x0000000000400000-0x00000000004EC000-memory.dmp
    Filesize

    944KB

    Download
  • memory/1416-37-0x0000000000400000-0x00000000004EC000-memory.dmp
    Filesize

    944KB

    Download
  • memory/2172-28-0x0000000000FB0000-0x0000000001030000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2172-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-29-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-1-0x00000000011D0000-0x000000000120E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2172-78-0x0000000000FB0000-0x0000000001030000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2556-15-0x00000000026E0000-0x00000000026E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2556-14-0x000000001B560000-0x000000001B842000-memory.dmp
    Filesize

    2.9MB

    Download