Overview

overview

10

Static

static

10

Solaraboot...er.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    175s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18/08/2024, 01:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Solarabootstrapper.exe

  • Size

    34KB

  • MD5

    51d03d9a1fc6d52b74e2fa53438dee20

  • SHA1

    a193c629a250170988d2a1725f7126db0ac2469b

  • SHA256

    97f556113766e66bd5b5ca123a9b0b4aa56aa273ceac9202a9de3d77ffdec287

  • SHA512

    5302d3b1cd8610a20194f8ce8b2e8fb858b5f5fdcebfd1f9504eba399e368395e805e684a43afc71cbe29b259ff8451e6f03ad0024ee9818b0b9d0a4e3bec5e8

  • SSDEEP

    768:EiAXT2ts9tAxC4CaV9FZ9jq4cOjhY/4/:TAj2tsslJzFZ9jq9OjqQ/

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

la-michael.gl.at.ply.gg:65463

Mutex

641UIwoUJK0Mht9q

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solarabootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solarabootstrapper.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    PID:4556
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3732
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:1592
      • C:\Windows\System32\oobe\UserOOBEBroker.exe
        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        PID:4492
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        PID:1364
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3164

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4556-0-0x00007FFACD093000-0x00007FFACD095000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4556-1-0x0000000000680000-0x000000000068E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4556-5-0x00007FFACD090000-0x00007FFACDB52000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4556-6-0x00007FFACD093000-0x00007FFACD095000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4556-7-0x00007FFACD090000-0x00007FFACDB52000-memory.dmp

              Filesize

              10.8MB

              Download