Analysis

  • max time kernel
    147s
  • max time network
    160s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03-06-2024 11:05

General

  • Target
    Solar Tweaks.exe
  • Size
    130.1MB
  • MD5
    340132256d957b9ec3357850f6eec33c
  • SHA1
    5903ea416bb58d8b52964f8445309cc0769842bb
  • SHA256
    befa6aa28a5bafbad17926b29318f13ab026bbb18010ba410b29374821adf08e
  • SHA512
    03276db0c832f09abf8dab0d100d9c272f4623130a4b5d80de43f6ea099f6c486229e74db0d25a13857eaefb3133dba4f41d08c6aab7bdfd897a601c5cfdf68b
  • SSDEEP
    1572864:2mYWQRWtJ65M7a2iu4Rywh9hJyO9N+oJOTU8f/kmgZ2sI:B4M7a2H4Ryu+dNgI

Score
1/10

Malware Config

Signatures

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe
    "C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe
      "C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe" --type=gpu-process --field-trial-handle=1960,3751684052686724525,1182366654596907608,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
      2⤵
        PID:680
      • C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe
        "C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,3751684052686724525,1182366654596907608,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2464 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1560
      • C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe
        "C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe" --type=renderer --field-trial-handle=1960,3751684052686724525,1182366654596907608,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2676
      • C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe
        "C:\Users\Admin\AppData\Local\Temp\Solar Tweaks.exe" --type=gpu-process --field-trial-handle=1960,3751684052686724525,1182366654596907608,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1328 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
    • C:\Windows\System32\CompPkgSrv.exe
      C:\Windows\System32\CompPkgSrv.exe -Embedding
      1⤵
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\solartweaks\Network Persistent State
    Filesize: 946B
    MD5: 5f86db91f234a2209a06a774aaf02996
    SHA1: 99cb15b40398cdd2bcc5345e35038d20276c8514
    SHA256: 188d346f93d7db068b27cde0a446f037c7157dd37f11d87d7b08c34fb6de5e79
    SHA512: fd991802fe95bedcc1ff112749f399522d6dae182ee0f29504eb7ec5a89784c4bb30212a158b4cce672445b2089f87234309100b740ee728ad4663f9eb7682c9

  • C:\Users\Admin\AppData\Roaming\solartweaks\Network Persistent State~RFe58c119.TMP
    Filesize: 59B
    MD5: 2800881c775077e1c4b6e06bf4676de4
    SHA1: 2873631068c8b3b9495638c865915be822442c8b
    SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
    SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

  • C:\Users\Admin\AppData\Roaming\solartweaks\settings.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • C:\Users\Admin\AppData\Roaming\solartweaks\settings.json
    Filesize: 603B
    MD5: c23db53da00a63a64438189f22203868
    SHA1: a5a3264744be1173a23dffa32652307152fefc36
    SHA256: f9aab56e63a5f03207f83c17969585929558c09a2b173766882af8f03feb3920
    SHA512: 5d3d915d51f0792820cc3844654a13f95ba775767bf77a1b44d267819cdd7e5f4ffeb68bdcbda33c73de118f1d0328eb04318b27d646dc3d9cb8d6dbc12cedb0

  • C:\Users\Admin\AppData\Roaming\solartweaks\settings.json
    Filesize: 650B
    MD5: f3f0eb11f3cf9eb98e7d5f8770cbcef3
    SHA1: bad9cc272835b95937aca0abdf89a6e5a9a5bd4f
    SHA256: 29c3c242170b82bf90f2645687325eff22889dc24fe16252a403f38200f03f56
    SHA512: 097b1fa91274fe8d901add35cfc3138d8ff1aba54562caf5a8e7c1ad4b50012eca6bb54909c84c607a4dcb74d98d2f438721f2c003d77abccfefaefa1dd0ea12

  • C:\Users\Admin\AppData\Roaming\solartweaks\settings.json
    Filesize: 627B
    MD5: 5f38f6e9bbecf62b4cec8ea6de1854e3
    SHA1: 6172b41aeb0dcc76813d4c0c99acec126eba444c
    SHA256: b8a60373c0b7d29690b93b4aeda3bee0b30a3ace880ef6bd7524eb88f1571239
    SHA512: 474d5b3d703a5a45f7bd5f4cbb8e954b465a498afe8b38249e78104624ef1e3289da521af3426678d3091632ae1746d14484bf6abcd3cbbb36c35818af73b09d

  • C:\Users\Admin\AppData\Roaming\solartweaks\settings.json
    Filesize: 1KB
    MD5: c86cec1b641a1751fc2686bb39906ce9
    SHA1: 616f2425c53de0b5d3c52c35e681f4bffac2c3ea
    SHA256: 7102aadcf6eca0994d83ba8766a7f1d2e73689c16df68aa83f52691e953c0a44
    SHA512: e1d89a2c5ca16bdd0513ff1ab27d00928ae1b8b3e63a2d6c35b03585ea68ea1ca383170437189e55db7bc4311ed60e81aa7586a766403892a2a10b65c1350bb4

  • memory/680-2-0x00007FFCBA8E0000-0x00007FFCBA8E1000-memory.dmp
    Filesize: 4KB

  • memory/680-168-0x000001EE1FB10000-0x000001EE1FBAE000-memory.dmp
    Filesize: 632KB