Analysis
max time kernel
898s
max time network
874s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
02/03/2025, 22:11
Behavioral task
behavioral1
Sample
X.exe
Resource
win7-20240729-en
General
Target
X.exe
Size
82KB
MD5
b201ce5dcb58284da7a5ef6294418e56
SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e
SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c
SSDEEP
1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz
Malware Config
Extracted
xworm
127.0.0.1:36623
fax-scenarios.gl.at.ply.gg:36623
Install_directory
%AppData%
install_file
SolaraX.exe
Signatures
Detect Xworm Payload 14 IoCs
Xworm family
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2940  powershell.exe
2868  powershell.exe
2580  powershell.exe
1528  powershell.exe
Drops startup file 2 IoCs
description                   ioc                                                                                     Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk  X.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk  X.exe
Executes dropped EXE 15 IoCs
pid   Process
2728  SolaraX.exe
3024  SolaraX.exe
2928  SolaraX.exe
712   SolaraX.exe
2260  SolaraX.exe
2548  SolaraX.exe
476   SolaraX.exe
1472  SolaraX.exe
2332  SolaraX.exe
2140  SolaraX.exe
696   SolaraX.exe
1892  SolaraX.exe
676   SolaraX.exe
896   SolaraX.exe
2256  SolaraX.exe
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SolaraX = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraX.exe"  X.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description       ioc                                                                                                                                                   Process
Key created       \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter                                        iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2006084ec08bdb01  iexplore.exe
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2956  schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
2940  powershell.exe
2868  powershell.exe
2580  powershell.exe
1528  powershell.exe
2188  X.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
description              pid   Process
Token: SeDebugPrivilege  2188  X.exe
Token: SeDebugPrivilege  2940  powershell.exe
Token: SeDebugPrivilege  2868  powershell.exe
Token: SeDebugPrivilege  2580  powershell.exe
Token: SeDebugPrivilege  1528  powershell.exe
Token: SeDebugPrivilege  2188  X.exe
Token: SeDebugPrivilege  2728  SolaraX.exe
Token: SeDebugPrivilege  3024  SolaraX.exe
Token: SeDebugPrivilege  2928  SolaraX.exe
Token: SeDebugPrivilege  712   SolaraX.exe
Token: SeDebugPrivilege  2260  SolaraX.exe
Token: SeDebugPrivilege  2548  SolaraX.exe
Token: SeDebugPrivilege  476   SolaraX.exe
Token: SeDebugPrivilege  1472  SolaraX.exe
Token: SeDebugPrivilege  2332  SolaraX.exe
Token: SeDebugPrivilege  2140  SolaraX.exe
Token: SeDebugPrivilege  696   SolaraX.exe
Token: SeDebugPrivilege  1892  SolaraX.exe
Token: SeDebugPrivilege  676   SolaraX.exe
Token: SeDebugPrivilege  896   SolaraX.exe
Token: SeDebugPrivilege  2256  SolaraX.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
3012  iexplore.exe
3012  iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid   Process
2188  X.exe
3012  iexplore.exe
3012  iexplore.exe
2436  IEXPLORE.EXE
2436  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2188

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2940

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2868

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2580

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1528

  C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
  - Scheduled Task/Job: Scheduled Task
  PID: 2956

  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://imgur.com/a/LIxwhY3
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3012

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2436

C:\Windows\system32\taskeng.exe
taskeng.exe {C13279F8-D28E-42D8-B11B-C1749F3BD4B9} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID: 2348

  C:\Users\Admin\AppData\Roaming\SolaraX.exe
  C:\Users\Admin\AppData\Roaming\SolaraX.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PIDs (15 instances launched by taskeng.exe, each with the same command line and signatures): 2728, 3024, 2928, 712, 2260, 2548, 476, 1472, 2332, 2140, 696, 1892, 676, 896, 2256
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

Filesize
71KB
MD5
83142242e97b8953c386f988aa694e4a
SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
b9624f1f5dfdf2e87b0e1c871bcdac27
SHA1
0320dd437f8e3a3ea42441a6c1762a8d12d5262e
SHA256
3ede470c67ee950269820ff393d02a26758aeb5d513d520a2deec694ac2f3a25
SHA512
7d4f3fab76acc5fd2ccd2d0a6077c7063b08d8cf4836a79c9bf589139e2f5a15ca5eb849f3e7890ffe2bb328bf6836f64016915a5a08fb78bde5418f88f6fb9f

Filesize
183KB
MD5
109cab5505f5e065b63d01361467a83b
SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
9c0b10a51a2a6b5b75364ddff860237a
SHA1
1679b13bac10522edf0459879dbfa4f3be597371
SHA256
d98db77d9825ea692d1e6a4acdcd91e08db59e977b8d7133d2aa085b178826b5
SHA512
fbbd171a9be0380604bcf7d1c7a4ddb964dd25227608873b0acbd57b0ff420e2efb0c329a877d39357e09b2aff2c0d9484aae57e797027456571d33e46d95aa6

Filesize
82KB
MD5
b201ce5dcb58284da7a5ef6294418e56
SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e
SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c