Overview

overview

10

Static

static

3

BootstrapperNew.exe

windows7-x64

10

BootstrapperNew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BootstrapperNew.exe

  • Size

    3.0MB

  • MD5

    bff87092bbbb8b265f9109351bb705b4

  • SHA1

    f77384b9700f4899eb9b6e973a3f67258b8b38a1

  • SHA256

    746c77a58163dd078211c86687ae3a7d8b3af1cb948983a8f4f7ce2167d22dad

  • SHA512

    04acf2774bc60acfb7506e32925acd33c1f9fffd4e0f903858172ab9c892203489a98874ef441f6cc70053f51bc737d9dd719d0b5f72e9e8f43c40b1d223ec0e

  • SSDEEP

    49152:OQJmPAp/HK6UBdnBwpirpcWBpfk2nQdHQrAVbJ432MuMd2jPEa:1mG/HKBBNfco8qisAw3gMYj

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

google-rocks.gl.at.ply.gg:7000
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      PID:2108
    • C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1956
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F5FC80A3-71D9-4061-9819-361DD5E612C5} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    Filesize

    76KB

    MD5

    26b3ebae00dafdc80bd84c31c7f0e553

    SHA1

    55a47080a93ad6b69069ee3a58d8c2ffbbf20861

    SHA256

    68ead7f94d34fa9e8eef5016506da5a1d3e2cdb513f02880785b535051a88b52

    SHA512

    0c99e08108b6e0887d755fb1e3e93e69736a2b3b6636a0c4a372b18feb6a4cb749f46b1a9dac16d993e955c052ca9056efb79b72b4fb9c71b800f48604a26905

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    5d49fd78b57ebe2779f18e0ae6e948c6

    SHA1

    14c9ed40f0911f347ee62ac7e56adaf4a19e97e2

    SHA256

    71c86d1213fd64edcfce6e92c3e6e08e0a9f297640be4cc6ca69a8cd187c0ba9

    SHA512

    aea3723828c77cb229ac4a765b1433388440b9bf399cb568825a323f6501a5618b07a321851269fdd26aa2dee5d0f79a274a0909074b8aba6b89686787566f59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    Filesize

    2.9MB

    MD5

    f227cdfd423b3cc03bb69c49babf4da3

    SHA1

    3db5a97d9b0f2545e7ba97026af6c28512200441

    SHA256

    cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

    SHA512

    b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

    Download Submit

  • memory/2108-16-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2108-29-0x00000000027D0000-0x00000000027D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2108-15-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2108-62-0x00000000008E0000-0x00000000008EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-18-0x00000000008E0000-0x00000000008EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-17-0x00000000008E0000-0x00000000008EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-19-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2108-22-0x000000001C360000-0x000000001C460000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2108-23-0x0000000000F80000-0x0000000000F8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-25-0x00000000027A0000-0x00000000027A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2108-27-0x0000000002790000-0x000000000279A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-26-0x00000000027B0000-0x00000000027C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2108-24-0x0000000000F90000-0x0000000000FB6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2108-61-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2108-28-0x0000000000F70000-0x0000000000F7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2108-60-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2108-12-0x0000000000FC0000-0x00000000012A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2112-1-0x0000000000250000-0x000000000054C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2112-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-69-0x0000000000080000-0x000000000009A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2720-42-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2720-43-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2772-36-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2772-35-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2912-66-0x0000000000300000-0x000000000031A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3008-14-0x0000000000D30000-0x0000000000D4A000-memory.dmp

    Filesize

    104KB

    Download