Overview

overview

10

Static

static

10

SolaraBoot...er.exe

windows7-x64

SolaraBoot...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 20:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    SolaraBootstrapper.exe

  • Size

    266KB

  • MD5

    bfea4fbe1ad2dc882c79c09f103fd395

  • SHA1

    48d80787945fc1355ce97ab5dc795cf0e7b25f01

  • SHA256

    2a03094b59e5dbc2e69fa76f01a35c58fb5466c9b47b87d621fb26b0b037ee59

  • SHA512

    2043da716ff26e1fa635a2e13e2191e04c2713ae05eca35540d4148dfbcd2ced76ec977419c10c7d164b1fc0336cad4d7c70267307169aae50c4577484b4204f

  • SSDEEP

    3072:xnkK65+bdKBfKOwcliLvAzII9x66AOag74srxxVfPWKvQIFY623:xndbbwxPqONxTGqQI+62

Score
10/10
xwormbootkitdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

18.ip.gl.ply.gg:19043

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBootstrapper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\tyfokx.exe
      "C:\Users\Admin\AppData\Local\Temp\tyfokx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\sys3.exe
        C:\Users\Admin\AppData\Local\Temp\\sys3.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:324
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:376
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2420

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\systm.txt
        Filesize

        44B

        MD5

        d6654fdeec01a7b74594e70b86b6ec6b

        SHA1

        4f9e90d4989e88eef38222f9c7274cd08ab15bef

        SHA256

        90c0bf435c26d1b56e7cc322b0d9611c4c89a0552eca675339b11501c06de39e

        SHA512

        cd561375b0d2b77f4aae38343dccadf912a3ecea846263be28873ac76c4dbea1dc0f51dec960c426310f9f2bccc2c6638515fc29904e21394f2a71fdaf8cb1ae

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tyfokx.exe
        Filesize

        10KB

        MD5

        5a5f0a3c2302e091d81dc7eaf93d1460

        SHA1

        35b121df3e84bcc147e0ef9bb26878f8c8327066

        SHA256

        d14f18e6a192a359e6767600af028668729d6b6e569a66222cf3a4363ad8a608

        SHA512

        7b53479ab5c912fc13abd5d3b841eee216dc258f1adb62fdc74b1cf1a2f3d9dfcec520ab58dc7214bb31ba2b2f081e43deab66d33edc48e321c68587bb913541

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        e7506c1229c7f6b962e8335bfd910f3f

        SHA1

        49541c5c91b1bfb69516e438b2b7671792f58cb6

        SHA256

        610870eab733d0fdf1352e82f47e49e348a92d37887418add2917bec9b99651d

        SHA512

        9c9fca1ab81e8d3369be67f583be56b2d64179d04dd57e8a88aa99598ac499681c605d1b8201c6c4478bc4256905f4aeec67d63cdbab646b09b59f746c1bf7f3

        Download Submit

      • memory/1788-41-0x000000002AA00000-0x000000002AA05000-memory.dmp

        Filesize

        20KB

        Download

      • memory/1788-51-0x000000002AA00000-0x000000002AA05000-memory.dmp

        Filesize

        20KB

        Download

      • memory/1940-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1940-31-0x000000001B2A0000-0x000000001B320000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1940-32-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1940-33-0x000000001B2A0000-0x000000001B320000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1940-1-0x0000000000110000-0x0000000000158000-memory.dmp

        Filesize

        288KB

        Download

      • memory/2776-14-0x000000001B680000-0x000000001B962000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2776-15-0x00000000026A0000-0x00000000026A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2828-8-0x0000000002960000-0x0000000002968000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2828-7-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2828-6-0x0000000002980000-0x0000000002A00000-memory.dmp

        Filesize

        512KB

        Download