Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
05-06-2024 17:44
Behavioral task
behavioral1
Sample
Solara v2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Solara v2.exe
Resource
win10v2004-20240508-en
General
-
Target
Solara v2.exe
-
Size
230KB
-
MD5
2c97e31fdc209f1ae51f1dc93a7993a7
-
SHA1
fc6214f6e91809aaf29fa39cc6a0ebd09fa35909
-
SHA256
eed43c12866f5d2d70382ccd10a07670e4b935885a3dbf375da38b8924339b0d
-
SHA512
17d0b2244ceeb9d0d7cc75529a071bf4208b8b8b7d77d69f4639e5f2c2c8e66f81fc5a49689741caae9967a23877e0841f4aeb139471bd46f5ba95cdb9b6a415
-
SSDEEP
3072:H/FnmqDWX+bSdKsmCOEtrH8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9Nz8:nDWub5kUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted
xworm
takes-stewart.gl.at.ply.gg:61176
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1780-0-0x0000000000100000-0x000000000013E000-memory.dmp family_xworm -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4632-71-0x0000000000400000-0x00000000004EC000-memory.dmp modiloader_stage1 -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3788 powershell.exe 1724 powershell.exe 3444 powershell.exe 4136 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Solara v2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Solara v2.exe -
Executes dropped EXE 2 IoCs
Processes:
izboyr.exeahtpsw.exepid process 4632 izboyr.exe 416 ahtpsw.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe upx behavioral2/memory/416-82-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/416-84-0x0000000000400000-0x0000000000409000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Solara v2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" Solara v2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
Solara v2.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings Solara v2.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 184 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeSolara v2.exepid process 3788 powershell.exe 3788 powershell.exe 1724 powershell.exe 1724 powershell.exe 3444 powershell.exe 3444 powershell.exe 4136 powershell.exe 4136 powershell.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe 1780 Solara v2.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Solara v2.exepid process 1780 Solara v2.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Solara v2.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1780 Solara v2.exe Token: SeDebugPrivilege 3788 powershell.exe Token: SeDebugPrivilege 1724 powershell.exe Token: SeDebugPrivilege 3444 powershell.exe Token: SeDebugPrivilege 4136 powershell.exe Token: SeDebugPrivilege 1780 Solara v2.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
izboyr.exepid process 4632 izboyr.exe 4632 izboyr.exe 4632 izboyr.exe 4632 izboyr.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
izboyr.exepid process 4632 izboyr.exe 4632 izboyr.exe 4632 izboyr.exe 4632 izboyr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Solara v2.exepid process 1780 Solara v2.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
Solara v2.exedescription pid process target process PID 1780 wrote to memory of 3788 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 3788 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 1724 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 1724 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 3444 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 3444 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 4136 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 4136 1780 Solara v2.exe powershell.exe PID 1780 wrote to memory of 184 1780 Solara v2.exe NOTEPAD.EXE PID 1780 wrote to memory of 184 1780 Solara v2.exe NOTEPAD.EXE PID 1780 wrote to memory of 4632 1780 Solara v2.exe izboyr.exe PID 1780 wrote to memory of 4632 1780 Solara v2.exe izboyr.exe PID 1780 wrote to memory of 4632 1780 Solara v2.exe izboyr.exe PID 1780 wrote to memory of 416 1780 Solara v2.exe ahtpsw.exe PID 1780 wrote to memory of 416 1780 Solara v2.exe ahtpsw.exe PID 1780 wrote to memory of 416 1780 Solara v2.exe ahtpsw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara v2.exe"C:\Users\Admin\AppData\Local\Temp\Solara v2.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara v2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara v2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\zaikyf.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\izboyr.exe"C:\Users\Admin\AppData\Local\Temp\izboyr.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe"C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59a5ef76c73621cc9a3e30180f27825f7
SHA12b081cba98c0b0fb51bdb65fc09c193220d79af6
SHA256085c206c5bc578804a88e4c6daf8535a95ecb7d8c0356ff2f193b268bf6a7aae
SHA51214f2cc01b5cb014d19e8a142c5e31295b973851837953b0a98072c1de67ca5348f4b5b1e3ca4329711ef9e37da4add77d943e25087fcb394f39391f840049539
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk4nmew1.gn2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ahtpsw.exeFilesize
9KB
MD5b01ee228c4a61a5c06b01160790f9f7c
SHA1e7cc238b6767401f6e3018d3f0acfe6d207450f8
SHA25614e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160
SHA512c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140
-
C:\Users\Admin\AppData\Local\Temp\izboyr.exeFilesize
359KB
MD5b65fc413c4af96d84822e39ce969942a
SHA1eaa176253f3b91ef6094221403362c8c51dff572
SHA256dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c
SHA5123e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454
-
C:\Users\Admin\AppData\Local\Temp\zaikyf.txtFilesize
16KB
MD5d4d466d40994b9fd8cfa52719940bed4
SHA1ce647a759452ebcc6e86313a53cb5882d6c53056
SHA2561460adcdb3978b76a832ea1d0557effe6912d02e342f869ee30dedb151f32350
SHA512c4b6258bfd79aebc7afa04cf69300108de67f41613e37d650fbed55666669bc35b1483c2b873e49d83d080582ecbe7b55462e7fb488c231dfd4d875f991004b1
-
memory/416-84-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/416-82-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1780-58-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/1780-53-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/1780-54-0x00007FFE98213000-0x00007FFE98215000-memory.dmpFilesize
8KB
-
memory/1780-1-0x00007FFE98213000-0x00007FFE98215000-memory.dmpFilesize
8KB
-
memory/1780-0-0x0000000000100000-0x000000000013E000-memory.dmpFilesize
248KB
-
memory/3788-17-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/3788-14-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/3788-13-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/3788-12-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmpFilesize
10.8MB
-
memory/3788-7-0x000001B6935A0000-0x000001B6935C2000-memory.dmpFilesize
136KB
-
memory/4632-70-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/4632-71-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB