Analysis
max time kernel: 40s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 23:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=6646140a&is=6644c28a&hm=41d21912fb8efa682e175c4c6259ddf7d2a561c045b9255ba76f6eebcdfa1d21&
Resource: win10v2004-20240426-en
General
Target: https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=6646140a&is=6644c28a&hm=41d21912fb8efa682e175c4c6259ddf7d2a561c045b9255ba76f6eebcdfa1d21&
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 5628: Solara_Updater.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 50: raw.githubusercontent.com
  flow 51: raw.githubusercontent.com
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (msedge.exe)
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 468352.crdownload:SmartScreen (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 3492: msedge.exe (x2); pid 980: msedge.exe (x2); pid 4044: identity_helper.exe (x2); pid 5516: msedge.exe (x2); pid 5628: Solara_Updater.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid 980: msedge.exe (x8)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 5628: Solara_Updater.exe
- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid 980: msedge.exe (x35)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 980: msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are pid 980 (msedge.exe) writing to the memory of a child process; targets: 2396 (procid_target 82), 4628 (procid_target 83), 3492 (procid_target 84), 1552 (procid_target 85)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 1, PID 980)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=6646140a&is=6644c28a&hm=41d21912fb8efa682e175c4c6259ddf7d2a561c045b9255ba76f6eebcdfa1d21&
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 2396)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc4,0x108,0x7ffe1ff746f8,0x7ffe1ff74708,0x7ffe1ff74718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4628)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 3492)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 1552)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 3384)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree depth 2, PID 1160)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree depth 2, PID 4044)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4476)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 320)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4656)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 1608)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4724)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4000 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 1540)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 4228)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 5348)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2, PID 5516)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,741981561538237864,11334705743870571448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\Downloads\Solara_Updater.exe (tree depth 2, PID 5628)
  Command line: "C:\Users\Admin\Downloads\Solara_Updater.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (tree depth 1, PID 1608)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (tree depth 1, PID 3376)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (tree depth 1, PID 5296)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
- Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
- Filesize: 5KB
  MD5: 1547c37ed71cc612bfd54474edc0a03b
  SHA1: 358562364aca778b47fdca8f4312c9b4ddca3ce5
  SHA256: 00917c0d63f836d5b4fac852ff62bec69be5b517fa96ad1eaeb8db65004a1334
  SHA512: 539f3846ad2e1b04dcbc717a40af29bc3cdf5a6547b2da3503e35eef1154730fb43f6bf0846b26f19b8372adf0e6d27b7bfbf1442a2ba2c73b370a71ae35dc59
- Filesize: 6KB
  MD5: 18e7fb714247f65628f39f256940af57
  SHA1: 3e52e0ddcb1888362e01064079d92358c40113c3
  SHA256: b4a30dcf0e647a2b28d980a3f886ba05587e09b39ba4e317701bd2b1eba6ba28
  SHA512: 8e3ca94c477e0490de582e69564640bd13787fda7f1b5593d71be41af9c3ffda6c03bac80b09882da10bfa359a9dcd79206e0221d91e22a9d81f95daa8d0185a
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 64890ec80bc947d151bdb5693a4be7ab
  SHA1: a7f330ef7911658b0aaaf0e7bb36efb27b963952
  SHA256: 08cbfe8c5d9c533f5f81a8d196de15e307d774c3dbbb615239bcaea40ac99b58
  SHA512: c8b37c96a92424ca2a2fc2caa6c875d1c2358becbaffb4e9d12f1f535d291bc1f818156cfed1732a8f35c7db117bf923a02cb587a3808479de9dcc068c14f731
- Filesize: 11KB
  MD5: d1d09a94d0c6787d6ffbd043022c44f8
  SHA1: 4a4687d2e34916e25d644e31cc8c3072d848d68a
  SHA256: beed76f88b6343a57b898bf3c9f5c6043a5afc7e76b084690856996b257f6d44
  SHA512: 6a02d5f72d069e37ed9a5ec7bc9c45b80d18ac3a03a096f03b59ad164c73ab390b2a2213c4808ab33c195eef876fabce3cb8c80991de48b8bd4abaf90c001403
- Filesize: 240KB
  MD5: b89051e8cf348e69c0943b540af3b99c
  SHA1: 50200e338cb5df75077c6144884bf0ff6bf7cc7a
  SHA256: 2e0a0e7e5d510f4274cd22ca2ed10f4bcca932a8cb2a756a47c13fb36a5fb58d
  SHA512: ab1e75c6ccf80fdd29bb35ec802032a46cf642e444ba392a2224cc025d05d78148f60bf81d4405b25301ce86b83e03d9249378864afa575fa6a61f05dea21408