General
  Target: SolaraV2ExecutorBootstrapper.rar
  Size: 39KB
  Sample: 241030-187xbascrc
  MD5: 91f98f0f7a8b2f992a59e105c46c22e8
  SHA1: 94aff1e0a89e3bbfe6b0801fb560db6c3ec79504
  SHA256: 04fcf73a07b602122139094e3a0d83583e647e72731337cb3901dbf24cc360d1
  SHA512: d061708d5f42804e3b26776b242e1e16dc83bae2493945df891af81b807f4241192d70831444c8f75e3381bd574b48c052158f4d94e4a3703b04baeda68f3789
  SSDEEP: 768:/WwqYM3FCn8Ps/SAoB4wZp/N6qAgLl/+NB0hRSIShv4vPw/sSUunLZ:uwqV3Q8k/YB4wZh9bL1mmfnni7LZ

Malware Config
  Extracted: xworm
    status-jeremy.gl.at.ply.gg:41791
  Install_directory: %AppData%
  install_file: Console Window Host.exe

Targets
  Target: SolaraV2ExecutorBootstrapper.exe
  Size: 66KB
  MD5: 886ee4db82d105bd5860b8ea8530e8fd
  SHA1: debafc71ab28da7d3572b45ba29cf20f3f7d04c1
  SHA256: de8d04f20865e77beff3e2e493bce79317e2696c6120c69a262b91dfb719f9a5
  SHA512: f2076caa3cd82c34512c26f4adf6ad12178fcef1490758ba24f0da8b4ef998b46e91e60fdde322e924d0bdc9cfa5206e7b847f8e457869b7f2af2bcf272682c3
  SSDEEP: 1536:c82ZauFOWnMjv7PwY+bcPw8gVKy/CaI6v4zOpBDZtI:c85Drd+bcPe/fl4zOpBPI
  - Detect Xworm Payload
  - Xworm family
  - Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  - Drops startup file
  - Adds Run key to start application
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1)
      PowerShell (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)