Overview

overview

10

Static

static

10

Solara_Update.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    172s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    19-01-2025 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara_Update.exe

  • Size

    234KB

  • MD5

    d1e76f6454d97b1b4bb21980abd9fc98

  • SHA1

    03b224f0f11e3768f8c62fa02dde36a17aeb4a6a

  • SHA256

    d3ad612b70e6d6cfcf75d28132d9d85e47579b532002e13f17acd597f13bc6a3

  • SHA512

    70153899ae2ef5f0c9f2240cf3ae9f6d30921f2a27014dccf24883273caf9f1c1769f8992c23357e5dc460e243956a0949660d0ea96368518a2613c8651145fe

  • SSDEEP

    6144:BzcIVyx+bmCmh/5iJbb2q7eGD6sGuS1j:BgV4mhIaqKc6L1j

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:22078

allows-announces.gl.at.ply.gg:22078
Attributes
  • Install_directory

    %AppData%

  • install_file

    Solara_Update.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara_Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Update.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara_Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara_Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Solara_Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara_Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3008
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x384 0x3f0
    1⤵
      PID:4880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      c67441dfa09f61bca500bb43407c56b8

      SHA1

      5a56cf7cbeb48c109e2128c31b681fac3959157b

      SHA256

      63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

      SHA512

      325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      0ebbb6601982de03c0e467092dcea244

      SHA1

      2618ea8bde543047063e8c222fc28069a2257912

      SHA256

      8985c0a0e906b970e974f2841ff37489f37f5a029cab6b9e1a86eda6406a0c45

      SHA512

      06aee5ff109b3ca33aab7fd33647ce8935ee04884c7115d7902c91376ca45ccfad4f63ae0184901c5cddf67f1759a2798e49a3744a81d794bd5b075b272e2721

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      185dbe417e452d0607c62ea9e0e3e8da

      SHA1

      e4cf1b435b475789f23673ab08a02f038e6300d8

      SHA256

      b1d4799707faf4644cde616aa7f073c6e0141618fc2fe0fe61a4fa554b570c75

      SHA512

      5c148df3ed7ae8fcc8826eb400c8620f79d38cd34a1cbee1c9bd3c653a6b58ffd8ece3e5ff0c893e20b770ad4b8107653c1e005a5c9da41994099d556ba78472

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gud54vzw.pbz.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_E5DBC4132966465192CECAA988877A30.dat
      Filesize

      940B

      MD5

      1a40a88bd471f822c5c8367dd947e8fe

      SHA1

      ba9e4c7ebb93b094ab9381a077499c83768a9c55

      SHA256

      2af8c73b03f53e4fe2c651e6969656085f8e339a81bdb9e6673ed55176c09aa6

      SHA512

      8b5e8574a38e4000e0e446f0b87f2db3e6a6f759cad6b8487048d5a3171b8dc46725e232aedaf8aba5f40abadc0c5af929da4600dadeae269808c31a42413410

      Download Submit

    • memory/2396-59-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2396-0-0x00007FFE85533000-0x00007FFE85535000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2396-1-0x0000000000FB0000-0x0000000000FF0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2396-64-0x00000000030E0000-0x00000000030EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2396-63-0x000000001F210000-0x000000001F738000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2396-62-0x000000001DDC0000-0x000000001DE70000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2396-61-0x000000001BD90000-0x000000001BD9C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2396-60-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2396-54-0x00007FFE85533000-0x00007FFE85535000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4696-14-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4696-11-0x0000021D10880000-0x0000021D108A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4696-12-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4696-13-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4696-15-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4696-19-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4696-16-0x00007FFE85530000-0x00007FFE85FF2000-memory.dmp

      Filesize

      10.8MB

      Download