xworm | 63042e292b76378f8a720291e41eaba13d464b9b65eac9974b5d05e35e7f4ffb

Analysis

max time kernel
20s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara-V3-main/SolaraBootstrapper.exe
Size

3.5MB
MD5

8b8cc7e00f4ae98288bf4b244a6ae4b3
SHA1

deed0704178afef55c873a5d124788a771d8548e
SHA256

357ff8ff865f8a198e64f081072a8a815139b8e5014d1488671de1b43ac65d0c
SHA512

d1c0a018646ea8b43c5200809432898d8cb2e65d5dc46fc1753ea63a11fd49303a92308060291e11fefd42eb4cba0edbba4d990db30b436fde81604466eaa9ff
SSDEEP

98304:RUYIGafAzeIA+aFMJrjhOfKBCe1xTdZHYApZx5hQX9wdc:6GaozTA+ayxjdBxjRLS5

Score

10^/10

xworm evasion persistence rat themida trojan

Malware Config

Extracted

Family

xworm

Version

3.1

feature-mouse.gl.at.ply.gg:32683

Mutex

OpwzxvxwPVDjc2iN

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\dso.exe family_xworm
behavioral2/memory/4748-60-0x0000000000BD0000-0x0000000000BE4000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Solara.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Solara.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dso.exe	family_xworm
behavioral2/memory/4748-60-0x0000000000BD0000-0x0000000000BE4000-memory.dmp	family_xworm

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Solara.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SolaraBootstrapper.exeSolara.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara.exe

Drops startup file 2 IoCs

Processes:

dso.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dso.lnk	dso.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dso.lnk	dso.exe

Executes dropped EXE 4 IoCs

Processes:

SolaraBootstrapper.exeSolara.exedso.exeDSM.exe

pid process

4160 SolaraBootstrapper.exe
440 Solara.exe
4748 dso.exe
4428 DSM.exe

pid	process
4160	SolaraBootstrapper.exe
440	Solara.exe
4748	dso.exe
4428	DSM.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.exe	themida
behavioral2/memory/440-38-0x0000000000400000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/440-39-0x0000000000400000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/440-67-0x0000000000400000-0x0000000000D40000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dso.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dso.exe"	dso.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Solara.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Solara.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
20 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Solara.exe

pid process

440 Solara.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

flow	ioc
18	raw.githubusercontent.com
20	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Solara.exeDSM.exe

pid	process
440	Solara.exe
440	Solara.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe
4428	DSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SolaraBootstrapper.exedso.exeDSM.exe

description pid process

Token: SeDebugPrivilege 4160 SolaraBootstrapper.exe
Token: SeDebugPrivilege 4748 dso.exe
Token: SeDebugPrivilege 4428 DSM.exe

description	pid	process
Token: SeDebugPrivilege	4160	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4748	dso.exe
Token: SeDebugPrivilege	4428	DSM.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SolaraBootstrapper.exeSolara.exe

description	pid	process	target process
PID 2424 wrote to memory of 4160	2424	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 2424 wrote to memory of 4160	2424	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 2424 wrote to memory of 4160	2424	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 2424 wrote to memory of 440	2424	SolaraBootstrapper.exe	Solara.exe
PID 2424 wrote to memory of 440	2424	SolaraBootstrapper.exe	Solara.exe
PID 2424 wrote to memory of 440	2424	SolaraBootstrapper.exe	Solara.exe
PID 440 wrote to memory of 4748	440	Solara.exe	dso.exe
PID 440 wrote to memory of 4748	440	Solara.exe	dso.exe
PID 440 wrote to memory of 4428	440	Solara.exe	DSM.exe
PID 440 wrote to memory of 4428	440	Solara.exe	DSM.exe

C:\Users\Admin\AppData\Local\Temp\Solara-V3-main\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Solara-V3-main\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\dso.exe
"C:\Users\Admin\AppData\Local\Temp\dso.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Users\Admin\AppData\Local\Temp\DSM.exe
"C:\Users\Admin\AppData\Local\Temp\DSM.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DSM.exe
Filesize
39KB

MD5
b3501528f9225a7c79d3a66be3d46b96

SHA1
439194554b7f3c27827194419bf4aadce5a3660f

SHA256
b64482d679099d51a635927f6130cb570a5156db3429d90c5e7836a43f3133fd

SHA512
6749f941841566b6c155d2e9164232c77984f8bc630a9b9a574eb5b099992dbfbb42b85f09c10140ba4701cf63c1a6c92b71b45eb039e43951193b9d0da05bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe
Filesize
3.5MB

MD5
2e0766b026ab0bf5f5753389a60ddb66

SHA1
57b7e98c37b500a0fc1a917298ee8d60e1b6b6ca

SHA256
626e4402dccea8da97f170b6c82d991e67fd617576723ae9f77014e002fad556

SHA512
78f2e2a8701c5ac3191de5032c0aef9bf8d0f90f17536919d8b39f48719c17e2f4a5ff7f8ecd620f79778cad981ed194f95ca369779bcbc78da8cfe03d557919

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Filesize
13KB

MD5
0cc81729f4bd4a6eac95cc442bc8df2a

SHA1
5d5f367e720684dd64cfb5340d9911ec0782fdac

SHA256
92960ae4a38d896418a14a1db5ba1547aa273443790e858d00dac4ce64550c2a

SHA512
f6fc1fca47e4620e24652d8dc2aa88cdd7363172b31122c05d262349aeec88407a2b3fbbc4e4834c359960d4981fb9f674cfbfd9d5743dc917df72a3ebfb3c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\dso.exe
Filesize
55KB

MD5
de0f468b18c8727b40b23042ce759aee

SHA1
32a5cd273bf1ca869338d72fd268209622baab78

SHA256
aadc390e9793c43fd7b8e149558e8f59a800a8d2764b0333b5a8111d982ddf75

SHA512
8daf550e9b2d3540921d039b9b1a41cc1fbd8ea9481f62129b3388a732cffb1c55acc0544a3c67d629a692a9dc7332dcfe14655b389f362c7884b93a1c6f85d0

Download Submit
memory/440-33-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/440-36-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/440-67-0x0000000000400000-0x0000000000D40000-memory.dmp

Filesize
9.2MB

Download
memory/440-35-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/440-34-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/440-68-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/440-31-0x0000000077180000-0x0000000077181000-memory.dmp

Filesize
4KB

Download
memory/440-27-0x0000000000400000-0x0000000000D40000-memory.dmp

Filesize
9.2MB

Download
memory/440-38-0x0000000000400000-0x0000000000D40000-memory.dmp

Filesize
9.2MB

Download
memory/440-39-0x0000000000400000-0x0000000000D40000-memory.dmp

Filesize
9.2MB

Download
memory/440-40-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/2424-28-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/2424-11-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/2424-1-0x0000000000030000-0x00000000003C2000-memory.dmp

Filesize
3.6MB

Download
memory/2424-0-0x00007FFF00A53000-0x00007FFF00A55000-memory.dmp

Filesize
8KB

Download
memory/4160-29-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/4160-71-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/4160-32-0x0000000077160000-0x0000000077250000-memory.dmp

Filesize
960KB

Download
memory/4160-30-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

Filesize
40KB

Download
memory/4160-26-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/4160-1516-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/4428-66-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/4748-60-0x0000000000BD0000-0x0000000000BE4000-memory.dmp

Filesize
80KB

Download