Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 12:23
Behavioral tasks
behavioral1: sample solar-spammer-discordTool/SolarV2.exe, resource win7-20240221-en
behavioral2: sample solar-spammer-discordTool/SolarV2.exe, resource win10v2004-20240426-en
behavioral3: sample solar-spammer-discordTool/solar.py, resource win7-20240419-en
behavioral4: sample solar-spammer-discordTool/solar.py, resource win10v2004-20240426-en
behavioral5: sample solar-spammer-discordTool/start.bat, resource win7-20240508-en
behavioral6: sample solar-spammer-discordTool/start.bat, resource win10v2004-20240426-en
General
Target: solar-spammer-discordTool/solar.py
Size: 279B
MD5: 6639a1095dc3e0cec59e7e33b19006de
SHA1: 3d7a5fd6469021e400df9dd19da1c7687f7f6c6a
SHA256: 4976a8497b8e1e6c17d8a17e56b163554b7da3879bd91d2e7fab18ebe45bc89b
SHA512: 67e16f62aae236072c2942edcda0f3a428a2521e6adad67ac7071982d2a53eadb71d5b0fff6638a31fd5b293a94c0153f16b0d160716f64ae108b6947658f087
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process rundll32.exe (description / ioc):
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py\ = "py_auto_file"
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process AcroRd32.exe, PID 2692
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process AcroRd32.exe, PID 2692 (2 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes cmd.exe, rundll32.exe (description / pid / process / target process):
  PID 908 cmd.exe wrote to memory of 2676 rundll32.exe (3 entries)
  PID 2676 rundll32.exe wrote to memory of 2692 AcroRd32.exe (4 entries)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\solar-spammer-discordTool\solar.py
   PID: 908
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (child of PID 908)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\solar-spammer-discordTool\solar.py
      PID: 2676
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of PID 2676)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\solar-spammer-discordTool\solar.py"
         PID: 2692
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize: 3KB
MD5: 64da9ee3e91b19a1855955bb2efb08f3
SHA1: f2dbf9ab99b234ff51abe9d75390fb9811457d69
SHA256: f998288f8b7a26e66a5353764e711571dc6f94ad9ec1af04a118ac3d0c462db4
SHA512: 6c27c5ce33a4bd336ad6f6bf3bfb5cecf4f229978d010944dcfd06cbb0e6a141e77d1efb57d3bed38a6e544fd464d55e94a28126d714d55b6691a996a21fb83f