Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    01/03/2025, 05:54

General

  • Target

    solarav3.exe

  • Size

    187KB

  • MD5

    1391c7899d105d29ed63a14a1f04f26f

  • SHA1

    c5cf3200d8463f14d06c927dd4ceb68d98472a9f

  • SHA256

    cf9db2abbe4f144a6541042bb8464811ef1940f57460d96ac5568774fac8471a

  • SHA512

    d5b2be6c57f73f7b1a7a6618082dc630c81a8c60f423df005f264af91647f3cdcec5d120c113dd65e05cdcb948257ede35e77d508e81ff1e69a52e69d5d372fa

  • SSDEEP

    3072:iBw/PNb0sajZr6xkVGmT2vB++bEsO9t0iN2MJtmQ:Cw/Fb0ndr6Y2BbLDM2MJn

Malware Config

Extracted

Family

xworm

C2

things-gap.gl.at.ply.gg:63131

Attributes
  • Install_directory

    %AppData%

  • install_file

    installer.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\solarav3.exe
    "C:\Users\Admin\AppData\Local\Temp\solarav3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2212
    • C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe
      "C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NvidiaGraphicsDriver (1).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\installer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    617a8fdd2f9e8a0ec74f069279d79539

    SHA1

    121125889c8787b55117e379c21e6971061c6d3b

    SHA256

    904541f2a4825a328683bdede198ae8db4cc5733dd338ee768f5371cf524b15c

    SHA512

    67449cf2af9bd87e51e4ce569d05818ff59b1f51c7a0af1804ccf1c044a02e9a53794a5065f40095943759c5e3eb5e1a395f2cdf65f275bca8e12ed0f5f7bdad

  • \Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe

    Filesize

    61KB

    MD5

    b458115052e651c31a5b09011f2802c5

    SHA1

    8ca6e2cd7108f5c04591f84d0a6d60762a069087

    SHA256

    4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb

    SHA512

    cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884

  • \Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe

    Filesize

    116KB

    MD5

    74d9dec157cdea6f825e03df6430710f

    SHA1

    8e88035c092145ed5030975533e88a5d7508bdcf

    SHA256

    b559aedcc786547c17629c6217198eebb967e03d4c8757487690b05631905f2a

    SHA512

    4774600e45c4a9892afa672c1d45d012931b96b38c58b3b20416bb216be47a01887907af77ac2c22d485ae76ede943013adffe00fffc82b28c2514c1d720f882

  • memory/2124-17-0x00000000003B0000-0x00000000003D2000-memory.dmp

    Filesize

    136KB

  • memory/2132-14-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2156-39-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

  • memory/2212-16-0x0000000000C10000-0x0000000000C26000-memory.dmp

    Filesize

    88KB

  • memory/2212-18-0x0000000000630000-0x000000000063A000-memory.dmp

    Filesize

    40KB

  • memory/2212-19-0x0000000000630000-0x000000000063A000-memory.dmp

    Filesize

    40KB

  • memory/2212-49-0x0000000000630000-0x000000000063A000-memory.dmp

    Filesize

    40KB

  • memory/2304-25-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

  • memory/2304-24-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

  • memory/2884-31-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

  • memory/2884-32-0x00000000026A0000-0x00000000026A8000-memory.dmp

    Filesize

    32KB