Analysis
max time kernel: 118s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2024 17:42
Behavioral task: behavioral1
Sample: Solara v2.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: Solara v2.exe
Resource: win10v2004-20240508-en
General
Target: Solara v2.exe
Size: 230KB
MD5: 2c97e31fdc209f1ae51f1dc93a7993a7
SHA1: fc6214f6e91809aaf29fa39cc6a0ebd09fa35909
SHA256: eed43c12866f5d2d70382ccd10a07670e4b935885a3dbf375da38b8924339b0d
SHA512: 17d0b2244ceeb9d0d7cc75529a071bf4208b8b8b7d77d69f4639e5f2c2c8e66f81fc5a49689741caae9967a23877e0841f4aeb139471bd46f5ba95cdb9b6a415
SSDEEP: 3072:H/FnmqDWX+bSdKsmCOEtrH8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9Nz8:nDWub5kUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted family: xworm
Host: takes-stewart.gl.at.ply.gg:61176
Install_directory: %AppData%
install_file: XClient.exe
Signatures
- Detect Xworm Payload (1 IoC)
  Processes:
  - resource: behavioral1/memory/2172-1-0x00000000011D0000-0x000000000120E000-memory.dmp, yara_rule: family_xworm
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (1 IoC)
  Processes:
  - resource: behavioral1/memory/1416-38-0x0000000000400000-0x00000000004EC000-memory.dmp, yara_rule: modiloader_stage1
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
  Processes:
  - pid 1032 powershell.exe
  - pid 2556 powershell.exe
  - pid 2768 powershell.exe
  - pid 2440 powershell.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1416 xtuutz.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Solara v2.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 1032 powershell.exe
  - pid 2556 powershell.exe
  - pid 2768 powershell.exe
  - pid 2440 powershell.exe
  - pid 2172 Solara v2.exe (repeated entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 2172 Solara v2.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 2172 Solara v2.exe
  - Token: SeDebugPrivilege, pid 1032 powershell.exe
  - Token: SeDebugPrivilege, pid 2556 powershell.exe
  - Token: SeDebugPrivilege, pid 2768 powershell.exe
  - Token: SeDebugPrivilege, pid 2440 powershell.exe
  - Token: SeDebugPrivilege, pid 2172 Solara v2.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - pid 1416 xtuutz.exe (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - pid 1416 xtuutz.exe (4 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - pid 2172 Solara v2.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid -> target pid):
  - PID 2172 Solara v2.exe wrote to memory of 1032 powershell.exe (3 entries)
  - PID 2172 Solara v2.exe wrote to memory of 2556 powershell.exe (3 entries)
  - PID 2172 Solara v2.exe wrote to memory of 2768 powershell.exe (3 entries)
  - PID 2172 Solara v2.exe wrote to memory of 2440 powershell.exe (3 entries)
  - PID 2172 Solara v2.exe wrote to memory of 1416 xtuutz.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Solara v2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara v2.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara v2.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara v2.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\xtuutz.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\xtuutz.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
- C:\Users\Admin\AppData\Local\Temp\xtuutz.exe
  Filesize: 359KB
  MD5: b65fc413c4af96d84822e39ce969942a
  SHA1: eaa176253f3b91ef6094221403362c8c51dff572
  SHA256: dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c
  SHA512: 3e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVI0CVLBLNC95ELJKEN4.temp
  Filesize: 7KB
  MD5: dc9fe73a86e0f0e02d033a1db838a4e7
  SHA1: 861fae2baf53110f273173cfd25f08d4949a87e2
  SHA256: d2f422232bd083626e781c38be98338dad87b497609b5d3907b172986c3d1d9c
  SHA512: 834d85c933b64a13e3f78f3cf56119508f75bb57e0d0aae6c4ce7842f7b88e58c0c114b80220093932a9a7f71381f2962435fc4a1d20a9f27b8471c9e3e553f3
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1032-6-0x0000000002C10000-0x0000000002C90000-memory.dmp
  Filesize: 512KB
- memory/1032-7-0x000000001B620000-0x000000001B902000-memory.dmp
  Filesize: 2.9MB
- memory/1032-8-0x0000000002790000-0x0000000002798000-memory.dmp
  Filesize: 32KB
- memory/1416-38-0x0000000000400000-0x00000000004EC000-memory.dmp
  Filesize: 944KB
- memory/1416-37-0x0000000000400000-0x00000000004EC000-memory.dmp
  Filesize: 944KB
- memory/2172-28-0x0000000000FB0000-0x0000000001030000-memory.dmp
  Filesize: 512KB
- memory/2172-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
  Filesize: 4KB
- memory/2172-29-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
  Filesize: 4KB
- memory/2172-1-0x00000000011D0000-0x000000000120E000-memory.dmp
  Filesize: 248KB
- memory/2172-78-0x0000000000FB0000-0x0000000001030000-memory.dmp
  Filesize: 512KB
- memory/2556-15-0x00000000026E0000-0x00000000026E8000-memory.dmp
  Filesize: 32KB
- memory/2556-14-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB