hxxps://github[.]com/quivings/Solara/raw/main/Files/SolaraB[.]zip

Analysis

max time kernel
80s
max time network
89s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-05-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 2 IoCs

pid	Process
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4688	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Loads dropped DLL 6 IoCs

pid	Process
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4688	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000800000001ab6a-1530.dat	themida
behavioral1/memory/4336-1538-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4336-1540-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4336-1541-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4336-1539-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4336-1555-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4688-1616-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4688-1617-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4688-1619-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral1/memory/4688-1618-0x0000000180000000-0x0000000180B28000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
46	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
19	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4336	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611062347924223"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
388	chrome.exe
388	chrome.exe
4988	SolaraBootstrapper.exe
4988	SolaraBootstrapper.exe
3476	SolaraBootstrapper.exe
3476	SolaraBootstrapper.exe
3476	SolaraBootstrapper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeDebugPrivilege	4988	SolaraBootstrapper.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3148	388	chrome.exe	72
PID 388 wrote to memory of 3148	388	chrome.exe	72
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4780	388	chrome.exe	74
PID 388 wrote to memory of 4768	388	chrome.exe	75
PID 388 wrote to memory of 4768	388	chrome.exe	75
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76
PID 388 wrote to memory of 1888	388	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xa8,0xdc,0x7ffffe5a9758,0x7ffffe5a9768,0x7ffffe5a9778
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:2
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2404 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3724 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5836 --field-trial-handle=1780,i,15868392856136215428,17789338782455988776,131072 /prefetch:8
  2⤵
  PID:4712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4684

C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
- C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4336

C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476
- C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f442c6d5f0588198e6532bd0ad76e2cf

SHA1
a49a5f72cb0910b3a358df3576f70c96bd24f8bc

SHA256
c587df3f5a3d2eef240a0a656d29f14b7b5428d23ff82c23cce7952727cbdbb8

SHA512
d928b3c5963452f3f95f15917ee693f7cdbaadc522863db847e81b79685fcc0143c298f97b53d03b24b64a71a3203d4d986bca5416ef373d0e05b8241f4d5ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
6f52edc868c037b54671440d0e3d25a2

SHA1
d0bc441a3d0593f7104d570a09b8eef3baf66d83

SHA256
59c84e89b90120d1e3e0c1bf075bdded7bebf1b87b7bfabd799fd6bb015f744b

SHA512
b9f82e66af88797597f668070d0b15674eb41d1b201bc58c9bb9bce45743be3b738b42daed8a49cefaa1c8bd37fbae676751799d1979a9a656db05b7be32c03c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
04702f7b90e56c699b13bdd0cc03a12a

SHA1
7b05e6f8c69c4af9e8d38addd7fc5a379fc69566

SHA256
fc8dd98b30745b6e65a2e0e3e7418098ddd8160e423d548384f281220e454792

SHA512
56c98b073d4dddfd5cff720b34e0e37fe2769365be28c70d9553311ea2875c9688504c4bfec1f2150c26ff52bc8e94adc68b014780626925d9d79a04191ebe55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9026fb0390ee204c27244452c5eacaf1

SHA1
78427365d04f564ff7c56d16a705bc8cc749cae5

SHA256
cc2261214becd72e16f7c394c2f0ee49c11c9ff3c92622d862d9c348d90a88a7

SHA512
907a8c87ec70df60605afbe77c693b9d6b65b823a1c7a9e06a4b4e647ac596fa95eba4359d9dd01a1e2350a620318071d666eac5165af144f788151f91847013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8fbd8c4182a91b1eb8b782a05a48458e

SHA1
d3bcf1b6d218cde38bd17a8bd010e57556ca69b0

SHA256
50ff174c8895386abbc02f599ad54621bd06adaa89b7b60a4ebcb10baf4bad36

SHA512
5612279a6170e2e88ca149c40f859c369159c1faf6bb354e90eba0dc3446e683c284f215f2f486e22c1fec828eba17ab10c5337f7891d4b5358d6c31e9733fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e5cf4e8e968d77d0586cc3b0e7d66deb

SHA1
1841f10c8dcdea4d84aa81221be4493cbc8ecec7

SHA256
bffd438e9f0b4102247d4c440faf5f1f87a5cc14dba658309e4a0da60968f42a

SHA512
ffe6b0f046c116bd9dcdbf187415abf6808e04a5e9605b9dd3abe5635c02735f1476d89e3ceb71a700decfd529900f82f9c223a0bb6a21d020274c6495a68d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9ed456d7a2e721799c8477d9c2e5c254

SHA1
c5d95f311357bfd66bb1c559b92231bf0c4798b3

SHA256
2ca0a2c67de7dba1a47d12c0fe2f827c7fb36483e8883296262a80326b8fae15

SHA512
93e16aec9988128dd00aaa8d0971156333cbb5c8556a5f95847a54d391941d4fe460bdbcdd6f59b27d78d30353b7988ec0d399feb73ba501ace7cac1693c4dea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
92b72e2c06b06b3d3ef02186295d32ab

SHA1
b88e4e51cd48c6205ba8230381b89917687c478c

SHA256
418ef9cc00492226ebd656cd7cc9a4a9a866be534f8ad8db987c3883ccde13ff

SHA512
6919f2090c11c8da016a993073e20a5e3bfb10d3c06ad80b799b4f02e42bea484d96f66b0a1bfc08e3a1f28890c867ad7ae21182cac7cca692cc1ae7fdca1ce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e5062d984356711bf9eddaa394f669a2

SHA1
b6f68768db5d9022fde3f5ef3d6b2f8583083282

SHA256
0ae075b04ee78d0ff6ef4d979daf12fd5800d8ab2cc343725a9fc6c317d380da

SHA512
eadfdcbeeb5b2f51b1f4fc639ab981ece619d1c57e66a48b95fda725ff986a69c6cd181b9e0b619e05bade36b0ccfbafea979213d1321e9af918e36098f701f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log

Filesize
1KB

MD5
44fb0cd49366fc3d9374e076c3c07cee

SHA1
3976e0a81856d338698e0fad25188456b52ed3a0

SHA256
3b90b820aba2cc936064a54eb4016d9d0b6a23a2cb5bbfe56cb4b611cf41124d

SHA512
381680b26911f7a3202f9634d9b4bc3509319113245f54a17d2b5f16c2481cc7a879e45af77f0884fd58384499e55a4ff7e05b626a0be8c45cac42a31067a7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

Filesize
48B

MD5
be2a7d7f566380c227aee6c9352ba882

SHA1
b8b1236b1ce17f295b2780622cad96f4a1694b46

SHA256
fa95da2b65d081614dc31c4ec93f5443a42fca6f0fec3552d341b7588cd0a0e6

SHA512
771cacef95bf3f9564fa59f72654e269b280b08ed388910c60d911a5a265c3ccdadb75060e502981301c38041eb25d7097731901aa431822f47208d10a73c67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\version.txt

Filesize
4B

MD5
db439e64912a5b8b87d5d142f121b075

SHA1
5b23cbc3a0217b175008db39e1952ae637e84b72

SHA256
6b30d78b009177da64dc6925e89d32dbb2d8f04cf961690d64335e40b3f6da51

SHA512
2efc9a85c93ba253438256d914208157d2ca78ec0bc7a1e3edd053dc62d68f41f24ddb5efd312d413a6fe917d5742b068b0d84899e2c242e42cde21e6104b99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

Filesize
4.3MB

MD5
48521b6f8acefe8cd61b4ffc80b1d28d

SHA1
f553cca3439424585eefe2ecebeaeaa6b447950d

SHA256
69415bde05f368f24b38418244c6038c405cc0d3ff52d87a089e37c0100bc922

SHA512
4b7e87140370e5f0134da35734e18d7f8f60265241cbf7050c202474da8bd98505923113bcf51951d7e73ce79bddf14c8f1b6e4a9296cca140b7b326d2c90415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
85KB

MD5
f8f4522d11178a26e97e2046f249dfa7

SHA1
8b591d9a37716e235260fb6b3f601e4ccbebf15d

SHA256
3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0

SHA512
52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

Download Submit
C:\Users\Admin\Downloads\SolaraB.zip

Filesize
5KB

MD5
4ec8143b6dbe27870cf8333711ff5096

SHA1
693d467ebec348469011ffef1bd370b113653147

SHA256
2510be907ec476e8375ac7b5431536ae9a32bf99fe77ab695a5100852b111b96

SHA512
b513d2b9c63d999ccf459cea625bfdc481e44f0f3222996182a0d0d89fdb97ed754b927c7a429e43b96f13d2fc73e2860edca78b162a41101ae97e1a0f4e054e

Download Submit
\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
memory/4336-1543-0x0000021DEADA0000-0x0000021DEADD8000-memory.dmp

Filesize
224KB

Download
memory/4336-1511-0x0000021DE80D0000-0x0000021DE80EA000-memory.dmp

Filesize
104KB

Download
memory/4336-1541-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4336-1539-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4336-1542-0x0000021DEACB0000-0x0000021DEACB8000-memory.dmp

Filesize
32KB

Download
memory/4336-1514-0x0000021DEA800000-0x0000021DEA8B8000-memory.dmp

Filesize
736KB

Download
memory/4336-1546-0x0000021DEF570000-0x0000021DEF57E000-memory.dmp

Filesize
56KB

Download
memory/4336-1556-0x00007FFFFB000000-0x00007FFFFB024000-memory.dmp

Filesize
144KB

Download
memory/4336-1555-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4336-1538-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4336-1558-0x0000021DEF640000-0x0000021DEF6F2000-memory.dmp

Filesize
712KB

Download
memory/4336-1540-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4336-1513-0x0000021DEAE20000-0x0000021DEB35C000-memory.dmp

Filesize
5.2MB

Download
memory/4336-1516-0x0000021DEA8E0000-0x0000021DEA95E000-memory.dmp

Filesize
504KB

Download
memory/4336-1518-0x0000021DE9DD0000-0x0000021DE9DDE000-memory.dmp

Filesize
56KB

Download
memory/4688-1616-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4688-1617-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4688-1619-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4688-1618-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/4988-47-0x000000007367E000-0x000000007367F000-memory.dmp

Filesize
4KB

Download
memory/4988-48-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/4988-49-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/4988-51-0x0000000005FF0000-0x0000000006002000-memory.dmp

Filesize
72KB

Download