Analysis

max time kernel: 0s
max time network: 71s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2024 14:46
Static task: static1

Behavioral task: behavioral1
  Sample: SolaraB/Solara/SolaraBootstrapper.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: SolaraB/Solara/SolaraBootstrapper.exe
  Resource: win10v2004-20240426-en
General

Target: SolaraB/Solara/SolaraBootstrapper.exe
Size: 13KB
MD5: 6557bd5240397f026e675afb78544a26
SHA1: 839e683bf68703d373b6eac246f19386bb181713
SHA256: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512: f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
SSDEEP: 192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj
Malware Config

Signatures

Processes:
  resource                                                                         yara_rule
  behavioral2/memory/5084-1492-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll  themida
  C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll  themida
  behavioral2/memory/5084-1493-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1495-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1494-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1500-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1550-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1557-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1559-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1566-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1581-0x0000000180000000-0x0000000180E54000-memory.dmp    themida
  behavioral2/memory/5084-1587-0x0000000180000000-0x0000000180E54000-memory.dmp    themida

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Processes:
  flow  ioc
  6     raw.githubusercontent.com
  7     raw.githubusercontent.com
  13    raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3728  SolaraBootstrapper.exe
  3728  SolaraBootstrapper.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3728  SolaraBootstrapper.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"
    PID: 3728
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
      PID: 5084

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 2756

  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 3768

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.0.1179053611\1145084917" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c0a44a4-10d2-4d97-bbad-52fd222bdf9b} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 1836 22191716d58 gpu
        PID: 4956

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.1.162945662\785262636" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de80a34-8660-4df3-aea3-788ad6732229} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 2404 22184a89358 socket
        PID: 3756

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.2.1759716429\292699726" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52fe2bcc-e936-4d8c-8603-637edc86917b} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 2996 2219450ce58 tab
        PID: 372

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.3.1614237144\1390886681" -childID 2 -isForBrowser -prefsHandle 3844 -prefMapHandle 3828 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e52c5c9-cc9e-44fe-9b3f-0e183c2faab5} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 3856 221962c5358 tab
        PID: 5112

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.4.1731217342\1423780405" -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2678ed1-00c0-43cf-9115-8c12664f9b19} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 5188 221970f7e58 tab
        PID: 1264

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.5.1149922110\1608304677" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c40498-e142-470a-a3d7-3467ff0a01fa} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 5316 22198408e58 tab
        PID: 3472

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3768.6.1564947225\1225354899" -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff3226e7-434f-443b-981e-a4c1497268ef} 3768 "\\.\pipe\gecko-crash-server-pipe.3768" 5508 2219966b858 tab
        PID: 4684
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ntkangc5.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 32KB
  MD5: 6fc297a3e1fbd95386fd1cb287c7c1e4
  SHA1: 90a5d9eb2411ad4e9c2eef40fc155d5c192fd8da
  SHA256: 581b5c305d04efd05a333c9d72789bd8903c50bf6d0c0e3b00347e27f48ce228
  SHA512: 4453b57c454f2682f18ae804b9f5174b7e3bc90b2cd3bffc24b4ff63b9718c968c2a14b19f23b5828f0b793a826a3b478aa2972a2ed2fd8dad37d3d97a5612f8

  Filesize: 488KB
  MD5: 851fee9a41856b588847cf8272645f58
  SHA1: ee185a1ff257c86eb19d30a191bf0695d5ac72a1
  SHA256: 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
  SHA512: cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

  Filesize: 43KB
  MD5: 34ec990ed346ec6a4f14841b12280c20
  SHA1: 6587164274a1ae7f47bdb9d71d066b83241576f0
  SHA256: 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
  SHA512: b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

  Filesize: 139B
  MD5: d0104f79f0b4f03bbcd3b287fa04cf8c
  SHA1: 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
  SHA256: 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
  SHA512: daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

  Filesize: 43B
  MD5: c28b0fe9be6e306cc2ad30fe00e3db10
  SHA1: af79c81bd61c9a937fca18425dd84cdf8317c8b9
  SHA256: 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
  SHA512: e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

  Filesize: 216B
  MD5: c2ab942102236f987048d0d84d73d960
  SHA1: 95462172699187ac02eaec6074024b26e6d71cff
  SHA256: 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
  SHA512: e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

  Filesize: 1KB
  MD5: 13babc4f212ce635d68da544339c962b
  SHA1: 4881ad2ec8eb2470a7049421047c6d076f48f1de
  SHA256: bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
  SHA512: 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

  Filesize: 133KB
  MD5: a0bd0d1a66e7c7f1d97aedecdafb933f
  SHA1: dd109ac34beb8289030e4ec0a026297b793f64a3
  SHA256: 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
  SHA512: 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

  Filesize: 4.4MB
  MD5: b689169b2956fff21f686f39106fa7fc
  SHA1: 0bf7c393b9820813527f44956bc245cfe4d25a41
  SHA256: 4f10137da039041165ce3c6eea382da44908e20a531a461512946c894b1fcf77
  SHA512: 194a7a501e9524a6fb12a766c2ef3c9ab3f518bc72c888581e55955a88ee3a423cf3f59c10c5341603ff20e0d18df42653d8940f84459b8137879f2727a91fb9

  Filesize: 49B
  MD5: 6b09afc61af8884f2fc6204922e970be
  SHA1: fe3da40f27e8dc2b8e2392c9590666982fff3398
  SHA256: f99a87a0c9006940f0d9efa1331d253dcf56016c82f4e266b507c303bb8493a6
  SHA512: 69ac27dbd690d1919a5da98e5f427328147c18a338596a0cf7ccb2cd09594da388fc4bb5df660bb4ca5a630f3ffc3ee3783b24c262683d2c5992db2f1abca8ea

  Filesize: 3.9MB
  MD5: cb21dd3353ec9d9b9b24d2736bd91317
  SHA1: acf87c778072b55baecd0fc1018ba5df0cafc8bd
  SHA256: 79322cabf204a2bfb5fa1a1f622badf50756bb6d9619e9db515a0006f31602b2
  SHA512: 04ddbe1c5fb6c5b441b0173fe3b301990e554986ae419e08e3fc189c782fa6a2b5b0c1aed08d394c3b15c0026ada235fb3aa148e692b7cc3ff2b9c4359435256

  Filesize: 4.6MB
  MD5: c4ce570d3d045f1d2a5a279bdb4e79aa
  SHA1: ecea98e2e66c0949c6e67df51c31cc13155316b2
  SHA256: d9ece044d2d85392e78d7e75d378b66d6ce0f57e20c53a2a5fa69cf3798fcbcb
  SHA512: 30ae49c0ac9403374c5ae376c2f2fa224af62c55ffb0c4d2d0db209c87c445b7ac05628132242e8a3b0505dcb0488e6edf300a7accf18ec6bebc3149d45a0fb9

  Filesize: 85KB
  MD5: f8f4522d11178a26e97e2046f249dfa7
  SHA1: 8b591d9a37716e235260fb6b3f601e4ccbebf15d
  SHA256: 3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0
  SHA512: 52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

  Filesize: 522KB
  MD5: e31f5136d91bad0fcbce053aac798a30
  SHA1: ee785d2546aec4803bcae08cdebfd5d168c42337
  SHA256: ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
  SHA512: a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

  Filesize: 99KB
  MD5: 7a2b8cfcd543f6e4ebca43162b67d610
  SHA1: c1c45a326249bf0ccd2be2fbd412f1a62fb67024
  SHA256: 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
  SHA512: e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

  Filesize: 113KB
  MD5: 75365924730b0b2c1a6ee9028ef07685
  SHA1: a10687c37deb2ce5422140b541a64ac15534250f
  SHA256: 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
  SHA512: c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

  Filesize: 7KB
  MD5: a1d41a077d5d96850afebf92a77b7eae
  SHA1: 745b8b36630a554e4441e88bfbf999cf6c0f92a2
  SHA256: 626321f685bce132ba76481b412434290f46381d05617228c9098e8d9fbedf77
  SHA512: 63cbe54824e99180ccda661b054157f1890313192ed30a4f4251bd9709f3d1ccbfef23f3df1d35bc54327270398239a44aeeee75a3dcc6a27f387e67fe01abfb

  Filesize: 6KB
  MD5: 1e16344bd24b516adf18665a9a8e5351
  SHA1: d5615614ef532490076a3ecb043a959c2abfef5e
  SHA256: cab22da46737828d06c31e221aaa95e5c9c3848d11edf94775fe67b4a15e578b
  SHA512: b01fc5c81f348abffc56002ce38c76efa1e0b1ce5faa01e78b756bdc1e60a05df15fcd8d9ef3f9ca38d2d8c584215a6626717ed5c653dee515877eabfcefd7d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ntkangc5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 76ab0987ec505d828adc45088deb715f
  SHA1: 4805dcfb26dff2c1139c9af476c48da5211a2635
  SHA256: 58c9dc658af3cb1bc5781708d384b1d46feb577ea8aa76b35cfda23268e31ef1
  SHA512: c65d477aea47763b7f949ba7ac45a5584cf1dce67f33683f24bbef8b9e380da19238899dcd01cdb712e8582789e8c17d094fb48124be89042693579274854992

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ntkangc5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 192KB
  MD5: 17359981162cb4a159bda50d1b207fe5
  SHA1: ef1b560f9cfc1bb74cc392390417611dbb9b9e69
  SHA256: 4549729a353050d45a28e8b7e23c8038239b2d887a242fb149eb56fdc6d2b412
  SHA512: 8de8313a4fc519bfffee0f990d09cefb7174fc182e68f9c2ff37f272e9f0f0ea13f96d6b71d2cc139f30fe0992ae6dbea28bb5ff633cf3755c36f899e467a80b