Malware Analysis Report

2024-11-16 13:38

Sample ID 240530-jh7eesba4x
Target E4ExecutorBootstrapper.exe
SHA256 1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6
Tags
xworm evasion execution persistence rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6

Threat Level: Known bad

The file E4ExecutorBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution persistence rat themida trojan

Xworm

Detect Xworm Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Drops startup file

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 07:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 07:41

Reported

2024-05-30 07:42

Platform

win10v2004-20240508-en

Max time kernel

42s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000a8582d6112004170704461746100400009000400efbea8582d61be582c3d2e00000073e10100000001000000000000000000000000000000e07118004100700070004400610074006100000016000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000a8588265100041646d696e003c0009000400efbea8582d61be582c3d2e00000068e1010000000100000000000000000000000000000062c76900410064006d0069006e00000014000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a8582d611100557365727300640009000400efbe874f7748be582c3d2e000000c70500000000010000000000000000003a00000000005423290055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 5600310000000000be582c3d10007363726970747300400009000400efbebe582c3dbe582c3d2e0000002734020000000700000000000000000000000000000056f789007300630072006900700074007300000016000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5600310000000000be582f3d1000526f616d696e6700400009000400efbea8582d61be582f3d2e00000074e10100000001000000000000000000000000000000964e0f0152006f0061006d0069006e006700000016000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 1780 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe C:\Users\Admin\AppData\Roaming\WUDFHost.exe
PID 1780 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 1780 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 1780 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe
PID 3936 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\schtasks.exe
PID 3936 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\WUDFHost.exe C:\Windows\System32\schtasks.exe
PID 1672 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 1672 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\E4ExecutorBootstrapper.exe"

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

"C:\Users\Admin\AppData\Roaming\WUDFHost.exe"

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WUDFHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RegAsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegAsm" /tr "C:\Users\Admin\AppData\Roaming\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

C:\Users\Admin\AppData\Roaming\RegAsm.exe

C:\Users\Admin\AppData\Roaming\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
CA 174.117.48.242:1604 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:54012 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp

Files

memory/1780-0-0x0000000000100000-0x000000000011E000-memory.dmp

memory/1780-1-0x00007FFE98213000-0x00007FFE98215000-memory.dmp

C:\Users\Admin\AppData\Roaming\WUDFHost.exe

MD5 636b936e551810ab75a0d61823022ba5
SHA1 51e21f6b31c100e23775ee79c62d1cef647254a3
SHA256 25eb1748779ecbf5eb625c12885fefd0db9ff9fc80def38b2a7294bfec617443
SHA512 87cc134a1fd2f284f2d8626dacef6acc719fe0fd8e26bf87ec961f3f1c54d939a22bc64d9bf80ba022ca45d369339b92470240513f0f425db70fe44d2e916329

C:\Users\Admin\AppData\Roaming\SolaraBootstrapper.exe

MD5 6557bd5240397f026e675afb78544a26
SHA1 839e683bf68703d373b6eac246f19386bb181713
SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

memory/3936-23-0x0000000000940000-0x0000000000958000-memory.dmp

memory/3936-25-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

memory/1672-27-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/1672-28-0x0000000000B30000-0x0000000000B3A000-memory.dmp

memory/1672-29-0x0000000002E60000-0x0000000002E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3nz5c0a1.vhh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4684-39-0x00000265F3AD0000-0x00000265F3AF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

memory/3936-80-0x0000000002B60000-0x0000000002B70000-memory.dmp

memory/1672-82-0x0000000006000000-0x0000000006012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

MD5 d0104f79f0b4f03bbcd3b287fa04cf8c
SHA1 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512 daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

MD5 c2ab942102236f987048d0d84d73d960
SHA1 95462172699187ac02eaec6074024b26e6d71cff
SHA256 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512 e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

MD5 c28b0fe9be6e306cc2ad30fe00e3db10
SHA1 af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA256 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512 e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

MD5 13babc4f212ce635d68da544339c962b
SHA1 4881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256 bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA512 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

MD5 f8f4522d11178a26e97e2046f249dfa7
SHA1 8b591d9a37716e235260fb6b3f601e4ccbebf15d
SHA256 3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0
SHA512 52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

memory/4944-1548-0x0000025A88000000-0x0000025A8801A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

MD5 aead90ab96e2853f59be27c4ec1e4853
SHA1 43cdedde26488d3209e17efff9a51e1f944eb35f
SHA256 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512 f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

memory/4944-1550-0x0000025AA2A40000-0x0000025AA2F7C000-memory.dmp

memory/4944-1551-0x0000025AA27B0000-0x0000025AA286A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

MD5 851fee9a41856b588847cf8272645f58
SHA1 ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA256 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512 cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

memory/4944-1553-0x0000025AA2870000-0x0000025AA28EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

MD5 34ec990ed346ec6a4f14841b12280c20
SHA1 6587164274a1ae7f47bdb9d71d066b83241576f0
SHA256 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512 b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

memory/4944-1555-0x0000025A88400000-0x0000025A8840E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

MD5 a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1 dd109ac34beb8289030e4ec0a026297b793f64a3
SHA256 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA512 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll

MD5 7a2b8cfcd543f6e4ebca43162b67d610
SHA1 c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA256 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512 e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

MD5 75365924730b0b2c1a6ee9028ef07685
SHA1 a10687c37deb2ce5422140b541a64ac15534250f
SHA256 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512 c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

MD5 e31f5136d91bad0fcbce053aac798a30
SHA1 ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256 ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512 a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

MD5 8516475948d5cc69f60965d650b85a00
SHA1 c9558af61af110cec85c6477f4d5872acc9d40c0
SHA256 5037e6c632f221686441ac6fe141a5812c8557588baafc5966b748805dc6944a
SHA512 16b8b01473cb7600a64c51a51905e3a3d12408a251186b97c22698e3d9c051f46d3735db4fb7fe9040f00c55d2767be5b2c609bb0dfa8b63b1ef5d5aa20f2876

memory/4944-1566-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/3936-1567-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

memory/4944-1568-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/4944-1569-0x00007FFEA3AC0000-0x00007FFEA3AE4000-memory.dmp

memory/4944-1570-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/4944-1571-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/4944-1572-0x0000000180000000-0x0000000180C32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

MD5 c6d43bdf391692d3063c6b9bb0a49dfe
SHA1 a9d2a0398ef10ea344ae9b4773f7377d3f408ec6
SHA256 6e26fdea2c684f731dcb249ff4a7ac904e106d0d1b104e11228ff3ffe522c387
SHA512 b8d41162d5f309367dda05bfdd144489b09d105cae9ab0d64f34ab0733ed3fe6b4d17214cd62d3af1a75ebf1585f45a872bf1f55e289200cd6e923a5b4b4b722

memory/4944-1574-0x0000025AA2780000-0x0000025AA2788000-memory.dmp

memory/4944-1575-0x0000025AA7770000-0x0000025AA77A8000-memory.dmp

memory/4944-1576-0x0000025AA2A30000-0x0000025AA2A3E000-memory.dmp

memory/3936-1577-0x0000000002B60000-0x0000000002B70000-memory.dmp

memory/4944-1578-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/4944-1581-0x0000000180000000-0x0000000180C32000-memory.dmp

memory/4944-1582-0x00007FFEA3AC0000-0x00007FFEA3AE4000-memory.dmp