Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

solarav3.exe

windows7-x64

10

solarav3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    solarav3.exe

  • Size

    187KB

  • MD5

    1391c7899d105d29ed63a14a1f04f26f

  • SHA1

    c5cf3200d8463f14d06c927dd4ceb68d98472a9f

  • SHA256

    cf9db2abbe4f144a6541042bb8464811ef1940f57460d96ac5568774fac8471a

  • SHA512

    d5b2be6c57f73f7b1a7a6618082dc630c81a8c60f423df005f264af91647f3cdcec5d120c113dd65e05cdcb948257ede35e77d508e81ff1e69a52e69d5d372fa

  • SSDEEP

    3072:iBw/PNb0sajZr6xkVGmT2vB++bEsO9t0iN2MJtmQ:Cw/Fb0ndr6Y2BbLDM2MJn

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

things-gap.gl.at.ply.gg:63131

Attributes
  • Install_directory

    %AppData%

  • install_file

    installer.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\solarav3.exe
    "C:\Users\Admin\AppData\Local\Temp\solarav3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4560
    • C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe
      "C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NvidiaGraphicsDriver (1).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\installer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    eb1ad317bd25b55b2bbdce8a28a74a94

    SHA1

    98a3978be4d10d62e7411946474579ee5bdc5ea6

    SHA256

    9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

    SHA512

    d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    da5c82b0e070047f7377042d08093ff4

    SHA1

    89d05987cd60828cca516c5c40c18935c35e8bd3

    SHA256

    77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

    SHA512

    7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V3.127 (1).exe
    Filesize

    61KB

    MD5

    b458115052e651c31a5b09011f2802c5

    SHA1

    8ca6e2cd7108f5c04591f84d0a6d60762a069087

    SHA256

    4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb

    SHA512

    cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NvidiaGraphicsDriver (1).exe
    Filesize

    116KB

    MD5

    74d9dec157cdea6f825e03df6430710f

    SHA1

    8e88035c092145ed5030975533e88a5d7508bdcf

    SHA256

    b559aedcc786547c17629c6217198eebb967e03d4c8757487690b05631905f2a

    SHA512

    4774600e45c4a9892afa672c1d45d012931b96b38c58b3b20416bb216be47a01887907af77ac2c22d485ae76ede943013adffe00fffc82b28c2514c1d720f882

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gikq3zaz.gqt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1504-22-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2228-25-0x0000000000410000-0x0000000000432000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2228-23-0x00007FFC19893000-0x00007FFC19895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-86-0x0000000000D70000-0x0000000000D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-82-0x0000000000D70000-0x0000000000D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2300-40-0x00000214AAA70000-0x00000214AAA92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4560-43-0x0000000009A30000-0x0000000009A38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4560-27-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4560-26-0x0000000000A30000-0x0000000000A46000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4560-24-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-30-0x0000000009C70000-0x0000000009C7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4560-28-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4560-83-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-84-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4560-85-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4560-29-0x0000000009CA0000-0x0000000009CD8000-memory.dmp

    Filesize

    224KB

    Download