fe3e8ce5e79ee86048719533eb54cbbfeaab547d61afb0045a2f7a19619654c8

General

Target

InstalerSolaraV3.exe
Size

563KB
MD5

993eca0c039917fa3c9011f11e0cd1f1
SHA1

afda8fcd8e71a2b8f006898095d5a2b0295120a2
SHA256

fe3e8ce5e79ee86048719533eb54cbbfeaab547d61afb0045a2f7a19619654c8
SHA512

380c4adbcf62b03a8deb79ab9d0d39300ede6efd4f4d65bbee0c4109dfaf8800f91c59206897ca2a91d93f41e53f8f47dd30316db0cb7e39ac18d313d242c492
SSDEEP

6144:BiXz3sg/Opdt8lYCWnsKe6VlWT8b9oO9zg08OIWfZs6/bEeAEDmxUZh:BiXzloyuP9PVle859oO9f4HEDrh

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\xdwdTrello Host.exe"	InstalerSolaraV3.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 3 IoCs

pid	Process
2192	Process not Found
644	WmiApSrv.exe
4420	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Public\\Documents\\xdwdSpybot - Search & Destroy.exe"	InstalerSolaraV3.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xdwdTrello Host.exe	InstalerSolaraV3.exe
File created	C:\Windows\xdwd.dll	InstalerSolaraV3.exe
File created	C:\Windows\xdwdTrello Host.exe	InstalerSolaraV3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
3888	InstalerSolaraV3.exe
644	WmiApSrv.exe
644	WmiApSrv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	InstalerSolaraV3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 5068	3888	InstalerSolaraV3.exe	85
PID 3888 wrote to memory of 5068	3888	InstalerSolaraV3.exe	85
PID 5068 wrote to memory of 2492	5068	CMD.exe	87
PID 5068 wrote to memory of 2492	5068	CMD.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\InstalerSolaraV3.exe
"C:\Users\Admin\AppData\Local\Temp\InstalerSolaraV3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Windows\xdwdTrello Host.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Windows\xdwdTrello Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/644-71-0x00007FFD2050D000-0x00007FFD2050E000-memory.dmp

Filesize
4KB

Download
memory/644-72-0x00007FFD20470000-0x00007FFD20665000-memory.dmp

Filesize
2.0MB

Download
memory/644-73-0x00007FFD20470000-0x00007FFD20665000-memory.dmp

Filesize
2.0MB

Download
memory/644-75-0x00007FFD20470000-0x00007FFD20665000-memory.dmp

Filesize
2.0MB

Download
memory/3888-1-0x0000000000F50000-0x0000000000FE4000-memory.dmp

Filesize
592KB

Download
memory/3888-0-0x00007FFD02233000-0x00007FFD02235000-memory.dmp

Filesize
8KB

Download
memory/3888-37-0x00007FFD02230000-0x00007FFD02CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-106-0x000000001DB60000-0x000000001DBD6000-memory.dmp

Filesize
472KB

Download
memory/3888-107-0x000000001D500000-0x000000001D50C000-memory.dmp

Filesize
48KB

Download
memory/3888-108-0x000000001D560000-0x000000001D57E000-memory.dmp

Filesize
120KB

Download
memory/3888-109-0x00007FFD02230000-0x00007FFD02CF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads