Overview

overview

10

Static

static

10

Solara.exe

windows10-2004-x64

Solara.exe

windows10-ltsc 2021-x64

10

Solara.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03-12-2024 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara.exe

  • Size

    43KB

  • MD5

    a5c594f36fccf6f04552fd2ef8cca82a

  • SHA1

    654fd3bbe89442840010a7cbeccb2346adb0c2d1

  • SHA256

    b3448f4ae8060638bdad47bc3000afd0d5980fe66e09b6b64ae9da9134dcd9b5

  • SHA512

    a66c8ee6212235006b969148a37bc47b4715ef276bd632581c80a39b28f565f5c12235c315ba78e1e251d7c51126af0bd6e2ea32b087616edf595665538a142e

  • SSDEEP

    768:OAoPDwgJOSpuqldThkwh77RXk6mJomGSvFFRPa9Kb6POChgOObKY:OVDwgJOSp7ZvZu19dFA9Kb6POCSHGY

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

someone-proportion.gl.at.ply.gg:16444

Mutex

pLZANQ75KjAVVEWN

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1708
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2160
  • C:\ProgramData\System.exe
    "C:\ProgramData\System.exe"
    1⤵
    • Executes dropped EXE
    PID:3856
  • C:\ProgramData\System.exe
    "C:\ProgramData\System.exe"
    1⤵
    • Executes dropped EXE
    PID:4672
  • C:\ProgramData\System.exe
    "C:\ProgramData\System.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System.exe
    Filesize

    43KB

    MD5

    a5c594f36fccf6f04552fd2ef8cca82a

    SHA1

    654fd3bbe89442840010a7cbeccb2346adb0c2d1

    SHA256

    b3448f4ae8060638bdad47bc3000afd0d5980fe66e09b6b64ae9da9134dcd9b5

    SHA512

    a66c8ee6212235006b969148a37bc47b4715ef276bd632581c80a39b28f565f5c12235c315ba78e1e251d7c51126af0bd6e2ea32b087616edf595665538a142e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
    Filesize

    654B

    MD5

    11c6e74f0561678d2cf7fc075a6cc00c

    SHA1

    535ee79ba978554abcb98c566235805e7ea18490

    SHA256

    d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

    SHA512

    32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a70a24512295469541923bdf3adbfa19

    SHA1

    832d221a859448924b19ee2aabfb4869d9a343aa

    SHA256

    de2d90585d73d8704bf9d384c85421b9858c2f76485d5abeb8720d6c265d9d85

    SHA512

    261666a0f816598b4a70d5c925fa5ace56d3ddc9def87df9604e42b36f826d5c9b587b07d3c61842a7b3a84c212db8b46450c09e4d77e3f2a996af15c4c8b2fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    6a807b1c91ac66f33f88a787d64904c1

    SHA1

    83c554c7de04a8115c9005709e5cd01fca82c5d3

    SHA256

    155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

    SHA512

    29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d2f329b9f9029f110da30d6cfb4e9581

    SHA1

    ed81739aeac808f26efb323c5225dc5906a2f387

    SHA256

    85cdada775f58b40181ef2cd6ef87d5bedbffb3481107550a9add560a03dc44e

    SHA512

    572dc23dca888e54ac66c6988b12f75374e33eb99ebbdaee8ba7765de42f4103e645d5e553fcc3f94521827075d412155b34416dca3c9d89026770b4e8a822ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    982f1450ddd311d7f6b66cd305dbd925

    SHA1

    b8a001e3773ec0c1e25102189d012938fe06ea70

    SHA256

    249729e57cd7157c87c7d0075dee85af00facd34138fcc3eabb0ddf0bb634a4a

    SHA512

    ffec738a960d5f27c3920ae06900f987e4ee848a56efbbbfb952f980910f733cc3f3bd8b5e2389709c361ba9ca83d4d0fb79070da2116ec2b56b518eca4db33a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    21301b7f0b154697ce079a0e7d66ae5b

    SHA1

    f8ac4141ae858fd3cbce081c6c9bf138845eadbc

    SHA256

    e101573d4ffdc647e3f85e523b0c12da41c69f7c49ac9c894258409c0dae08ea

    SHA512

    9b45fbae1349546b569752de3549285e895c4a51711e86b190ef814676a46bb7737a0d7ab1cf3bb937fd00d2746f136c6be5afaa7fce17fb5409f5dddda9a1ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7d910b944b9006d8577e22c4a5095b6c

    SHA1

    62d2c12a62326be24278b274d71abb85df50b156

    SHA256

    493f371c53beed7a2c310f89971b4d7125034ba7667da8d20eb5d15966c0efa6

    SHA512

    cf0327cbebf6a0ef2194124b28f574c996f3c4d46892eeb51b60d1ca8ab0ac8e412dbf121d114aa3463b4b62b19d4d2f27784b78927c96608544ba2238f917fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52ua3wa5.2zq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2308-59-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2308-53-0x00007FFC2D8C3000-0x00007FFC2D8C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2308-0-0x00007FFC2D8C3000-0x00007FFC2D8C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2308-60-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2308-69-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2308-1-0x0000000000B30000-0x0000000000B42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2608-19-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-18-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-15-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-14-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-13-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-12-0x00007FFC2D8C0000-0x00007FFC2E382000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-2-0x000001D345090000-0x000001D3450B2000-memory.dmp

    Filesize

    136KB

    Download