Analysis

  • max time kernel
    44s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/11/2024, 01:11

General

  • Target

    Solara.exe

  • Size

    45KB

  • MD5

    04f89f83ba27038601e2321b08d0b4ca

  • SHA1

    edecd6d74ac90bbd235334ee17c2cae0ababa51b

  • SHA256

    4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2

  • SHA512

    04aece7190c9731d3a3528ef4b762eb47db6b50f670201dad4cd98c8bdf389eb1c8671488b550b02b28ae8ae61685ef0929b0a05273f09114b0e45269e4514bf

  • SSDEEP

    768:fvn+LJZ2ny8BcGhsWc3cQHqGbgEbFEP89ObA6BOuh3zjjU:fHABTMmq6FN9UA6BOuFE

Malware Config

Extracted

Family

xworm

Version

5.0

C2

george-liechtenstein.gl.at.ply.gg:2030

Mutex

OSPDmToN2pBX1fa2

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Defender.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    e244215947b137de1cf3c5dba0fc2f24

    SHA1

    26cb162b889fdf973655e6912716c43b40738955

    SHA256

    d0c9198ccba0cd4b569537665ef6976d217feec72304da0d38ad42cae9a0a89b

    SHA512

    f1ece0d85d24206fa7c4c22f10e11dcdc534855d33fa32a6b6cd14b2867970a0fd542dba5a9a9ff0f2cc840e9855fb0297c2cbe7b25fcb5c784844337c268319

  • memory/1840-7-0x0000000002A30000-0x0000000002AB0000-memory.dmp

    Filesize

    512KB

  • memory/1840-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

    Filesize

    2.9MB

  • memory/1840-9-0x0000000001D20000-0x0000000001D28000-memory.dmp

    Filesize

    32KB

  • memory/2800-15-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

  • memory/2800-16-0x00000000004C0000-0x00000000004C8000-memory.dmp

    Filesize

    32KB

  • memory/2888-2-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2888-0-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

    Filesize

    4KB

  • memory/2888-1-0x0000000000B00000-0x0000000000B12000-memory.dmp

    Filesize

    72KB

  • memory/2888-27-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

    Filesize

    4KB

  • memory/2888-32-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2888-33-0x0000000001F50000-0x0000000001F5C000-memory.dmp

    Filesize

    48KB

  • memory/2888-36-0x0000000002190000-0x000000000219E000-memory.dmp

    Filesize

    56KB