Analysis Overview
Threat Level: Likely malicious
The file https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Themida packer
Checks BIOS information in registry
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 19:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 19:03
Reported
2024-06-09 19:12
Platform
win10-20240404-en
Max time kernel
443s
Max time network
458s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133624334818697856" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe1b289758,0x7ffe1b289768,0x7ffe1b289778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 --field-trial-handle=1868,i,8465742100810765654,15274481832815169946,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraB\SolaraB\Solara\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:51393 | tcp | |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
Files
\??\pipe\crashpad_628_LLMSXOMZAZOAKUAF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a56783bebb6bc27ee44c181c293ffbcf |
| SHA1 | 61e8bc40dd859f9922b2bb70fc4caf35ce8393dc |
| SHA256 | 846586858b0f115bf42ed1ac1e3b4f78f4b4cf25f114d3b602c255b26f3a77d4 |
| SHA512 | ebab6d0a5e957c1da048c82907a8d2730750d3f099968425fadb820f2299049c3bb8a7f5104d55b799ed8431c0dc6e83366de743ce6246aac4b5b5102689a3d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2749a99a160474438ee0f6c7d1c95b12 |
| SHA1 | 802abd7bc2e7878141cdd95eb8454c5663fc1dbd |
| SHA256 | b7007abb8e996d03721d142d7c5a37bcc87e4f11886abfa2ac955ed35c60521a |
| SHA512 | 55e6809678de09b1ec52a56807d3efd4179074a9da806f8e284c9054c5c863ef56c63789dc2ee82c512bfc3ae1dd5688aeb77143a538aa805102ad4330d30ac2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 95ef9d864015c482746ec5758401870f |
| SHA1 | 7bb706ee20938a629dddeef54555116dd4dd6c16 |
| SHA256 | ab1a60be4f42a10c00e213f04b87b56ff8c7069a5b418a1ce99fca444745b894 |
| SHA512 | 65aefa9544def3beb20452601842cfe315571e1110cfc9e725c1a1965c187a7cf86a1b90d98ec44ae75c789f9e55c42201b95678fdb69d71dd039057276da68e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 44916012afa87459872518a3dddb2079 |
| SHA1 | 16d100f9123ea390fe80046fc917ca8f2c84c717 |
| SHA256 | 1d665613792720183a50c229b7dc2f43e60201d7a68216af6e2149a5e97d2ce8 |
| SHA512 | 4b541d2502df308b2ac1b776d1002218f575d8adf37f02f6666c2e3c898cd015adeef504705d43f5b8dfdf8197c89051a2eda17b6bb9c5306e51e7adfa84130c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58435d.TMP
| MD5 | 5c91ca90ebd2c32bb4f53e273741e73c |
| SHA1 | 4238e0539d96ed9023d90dd4a9df452b2206d4ac |
| SHA256 | 6bfb0cc753d848010cbbbf526b75cb7b399fba106689e27f862119a7b4838e7f |
| SHA512 | 8486135f1e14f0bea05e4368da7999edc6de26a6241bea198c0cbef8e6f03a69688b7e6bdd7bd709f83a9d0e8833769cd20e03f54b92503f5c4d6d6ae211a395 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | a2ba5dc8ef0f93f6c78d3ac80c0a122b |
| SHA1 | 8507b697b90ab080b46ab98b2e41a12deb523842 |
| SHA256 | 827702c29eee4ad8dcef5c2d63c1c9712703445c5d47ec89790dfdb5f56a1ba3 |
| SHA512 | baa88a3c40dfd153c434945cf59b450bf7971b51709dc48391399329c7ca8b06319e1b536866f862ee1d65ea6e4ef89d8f91108e016da76f78726447084927ac |
memory/1488-65-0x000000007349E000-0x000000007349F000-memory.dmp
memory/1488-66-0x0000000000FF0000-0x0000000000FFA000-memory.dmp
memory/1488-67-0x0000000003200000-0x000000000320A000-memory.dmp
memory/1488-69-0x0000000006290000-0x00000000062A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
| MD5 | d0104f79f0b4f03bbcd3b287fa04cf8c |
| SHA1 | 54f9d7adf8943cb07f821435bb269eb4ba40ccc2 |
| SHA256 | 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a |
| SHA512 | daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
| MD5 | c2ab942102236f987048d0d84d73d960 |
| SHA1 | 95462172699187ac02eaec6074024b26e6d71cff |
| SHA256 | 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a |
| SHA512 | e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
| MD5 | c28b0fe9be6e306cc2ad30fe00e3db10 |
| SHA1 | af79c81bd61c9a937fca18425dd84cdf8317c8b9 |
| SHA256 | 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641 |
| SHA512 | e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
| MD5 | 13babc4f212ce635d68da544339c962b |
| SHA1 | 4881ad2ec8eb2470a7049421047c6d076f48f1de |
| SHA256 | bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400 |
| SHA512 | 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182 |
memory/1488-1524-0x000000007349E000-0x000000007349F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5b508db84df19865de452ee1b6816e89 |
| SHA1 | 9176925f9c609bb140571b8e1490e7b4d7c1b6b9 |
| SHA256 | bf5641320f1ec2f306d42b7ad06a3582aecccd148d516b8af298d3c3601726db |
| SHA512 | 8b1840a26c684447a0ecb62d1bd3e314e498d9e7cbaeda003c37047e92a1cbda17e1fee25790d6caaff14fda42422157ac5622be99ca72b7438fd823ee86a5eb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 1efa27d0ab0b2b78ca55a410140cb8d6 |
| SHA1 | b36c9d80df247f47b84d5d55b973c6d3dae3fac5 |
| SHA256 | 7314a2250074124bd8a7707b97aedff77b41f92718708ac9e8c5697d68100cd2 |
| SHA512 | 860a91a9ec7e1f5e935865d4549db206f04306d96fb57c7411746df98ac63639913235758d10a02ceb69f8e546d58b84335beb68f91cd9cf777e041c64f259a0 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
| MD5 | f8f4522d11178a26e97e2046f249dfa7 |
| SHA1 | 8b591d9a37716e235260fb6b3f601e4ccbebf15d |
| SHA256 | 3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0 |
| SHA512 | 52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492 |
memory/2904-1554-0x000002BB155D0000-0x000002BB155EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
| MD5 | aead90ab96e2853f59be27c4ec1e4853 |
| SHA1 | 43cdedde26488d3209e17efff9a51e1f944eb35f |
| SHA256 | 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed |
| SHA512 | f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d |
memory/2904-1556-0x000002BB30000000-0x000002BB3053C000-memory.dmp
memory/2904-1557-0x000002BB2FD40000-0x000002BB2FDF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
| MD5 | 851fee9a41856b588847cf8272645f58 |
| SHA1 | ee185a1ff257c86eb19d30a191bf0695d5ac72a1 |
| SHA256 | 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca |
| SHA512 | cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f |
memory/2904-1559-0x000002BB2FE00000-0x000002BB2FE7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
| MD5 | 34ec990ed346ec6a4f14841b12280c20 |
| SHA1 | 6587164274a1ae7f47bdb9d71d066b83241576f0 |
| SHA256 | 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409 |
| SHA512 | b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0 |
memory/2904-1561-0x000002BB17150000-0x000002BB1715E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll
| MD5 | a0bd0d1a66e7c7f1d97aedecdafb933f |
| SHA1 | dd109ac34beb8289030e4ec0a026297b793f64a3 |
| SHA256 | 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36 |
| SHA512 | 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log
| MD5 | 44fb0cd49366fc3d9374e076c3c07cee |
| SHA1 | 3976e0a81856d338698e0fad25188456b52ed3a0 |
| SHA256 | 3b90b820aba2cc936064a54eb4016d9d0b6a23a2cb5bbfe56cb4b611cf41124d |
| SHA512 | 381680b26911f7a3202f9634d9b4bc3509319113245f54a17d2b5f16c2481cc7a879e45af77f0884fd58384499e55a4ff7e05b626a0be8c45cac42a31067a7e9 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\version.txt
| MD5 | 4de75b5a999e9b1724852304ef16ed2e |
| SHA1 | 399b71c8641cfd5cf6a3f4008386df2887e29ceb |
| SHA256 | 1934821343f916f643d45d73f68723602c7da45e2599781b740903d4cfa4746e |
| SHA512 | 6eeb1c478d442dae79a85a978743a68c055a91108aa8bbeb1eb82154cfa40433b1d24e89c639ca879f2b2b4d1dfd1578d2cd7a16f7553d9c146f70bba00b8a7b |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt
| MD5 | be2a7d7f566380c227aee6c9352ba882 |
| SHA1 | b8b1236b1ce17f295b2780622cad96f4a1694b46 |
| SHA256 | fa95da2b65d081614dc31c4ec93f5443a42fca6f0fec3552d341b7588cd0a0e6 |
| SHA512 | 771cacef95bf3f9564fa59f72654e269b280b08ed388910c60d911a5a265c3ccdadb75060e502981301c38041eb25d7097731901aa431822f47208d10a73c67b |
\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
| MD5 | 987175c463ec9a5e76bab033cea9d859 |
| SHA1 | ceed36975f4583a34c26150e045a97f5f019e769 |
| SHA256 | 24fca8dd76effd975d230f55eb107e1be6c03d658410274fe6340a2b3ec9075c |
| SHA512 | 9851d254fef3fdfcd7b188893a9a547ed3f08eee82a72c273f13beb7d075beecd32e3c5c51f9e3135d7060fca71a2bf79dbdbb1a136549a9e408a6214feaa000 |
\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll
| MD5 | 7a2b8cfcd543f6e4ebca43162b67d610 |
| SHA1 | c1c45a326249bf0ccd2be2fbd412f1a62fb67024 |
| SHA256 | 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f |
| SHA512 | e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8 |
memory/5028-1579-0x00007FFE22150000-0x00007FFE22174000-memory.dmp
\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
| MD5 | 75365924730b0b2c1a6ee9028ef07685 |
| SHA1 | a10687c37deb2ce5422140b541a64ac15534250f |
| SHA256 | 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b |
| SHA512 | c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1 |
\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
| MD5 | e31f5136d91bad0fcbce053aac798a30 |
| SHA1 | ee785d2546aec4803bcae08cdebfd5d168c42337 |
| SHA256 | ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671 |
| SHA512 | a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6 |
memory/5028-1578-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1580-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1581-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1582-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1583-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1585-0x0000018B7C900000-0x0000018B7C908000-memory.dmp
memory/5028-1586-0x0000018B7EFB0000-0x0000018B7EFE8000-memory.dmp
memory/5028-1587-0x0000018B7EF80000-0x0000018B7EF8E000-memory.dmp
memory/5028-1588-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1590-0x0000000180000000-0x0000000180E54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll
| MD5 | 195ffb7167db3219b217c4fd439eedd6 |
| SHA1 | 1e76e6099570ede620b76ed47cf8d03a936d49f8 |
| SHA256 | e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d |
| SHA512 | 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac |
memory/5028-1593-0x0000018B7F290000-0x0000018B7F342000-memory.dmp
memory/5028-1594-0x0000000180000000-0x0000000180E54000-memory.dmp
memory/5028-1595-0x0000000180000000-0x0000000180E54000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 19:03
Reported
2024-06-09 19:36
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1685s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133624335964354280" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7e45ab58,0x7ffe7e45ab68,0x7ffe7e45ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2784 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2792 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1944,i,6904832248537804569,17725499200784523799,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | 195.49.178.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| FR | 216.58.213.78:443 | clients2.google.com | tcp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | 78.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons3.gvt2.com | udp |
| FR | 142.250.74.227:443 | beacons3.gvt2.com | tcp |
| FR | 142.250.74.227:443 | beacons3.gvt2.com | udp |
| US | 8.8.8.8:53 | 227.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
\??\pipe\crashpad_2372_WNMUYNSPWBFTLXOH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | dbbfc129da4b73e242e354ad8b5577c9 |
| SHA1 | ad5be09ad542c62ccb31786bb9c3075f1e0fdea0 |
| SHA256 | cafe5e3edd48be5baeaa8127e2a7e1f149a1315c15b292df1e6e378b2c03ba74 |
| SHA512 | 574d5e567e0c41bf146b22f11daafa13a4cd65a93c95ce5670a8c4190f02af11f503373c3c27bc82c372181a33cd27560be9b05efa9b2a02fdf95130de083a59 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 21ded8d53aba762dd6be0e403ca13997 |
| SHA1 | 7c170665cf90460ec08b023ee76a9d3addf7c4b7 |
| SHA256 | 0cb6717b9fbe0796b47c91b432657927deaa3105c8832237761ebe65826fca0e |
| SHA512 | 34bd6b5a852b20c3bf058617782fd48094609d2400ddb5f405461c6e69e6ffbcd6490e618c5c22a0cbc1449cb141df7064168dd992feaed8d21a5e8f238541b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ea17866f364b7435db80f5154b542738 |
| SHA1 | c6fbce8779070a1dd5977b2584f0fc479c2a19bb |
| SHA256 | 1b59217c0ea00feb6a4424b4312cf015ec1b7c3b09e23a5186b6ea50dccb1cc0 |
| SHA512 | 05a39c0b1a537c3f3e4f79feb8c6d2bdbfc4e9d1c64777e3387481c0accca5884b899b690fa72ad889fdc564ea34e498d61360174947a265fdebd15d79cb2fbd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 98cd579ba0e7875970170ac9b6973a10 |
| SHA1 | 5731e8506b45af8859fd90ef05ed925f8ee9f0e1 |
| SHA256 | 3b5fe38df3e092adb864b83081fb49ed1e66e2e0ce5c63c2aad2390f41425d1f |
| SHA512 | e3a8a01209de3bcdcd0de596a841ad258a43e949b32a09695ae909b07df38402f7f70adafff3858873c76d3b5de95637147a847ebf6d1d45ae7213103c7d0f3f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | e28a3d4cb8f30c9c358e8dcc35697388 |
| SHA1 | 49e17823dcbb0e60b56ef9ce70076f6ab456b51e |
| SHA256 | 7a3cc3debc9e43ea33b029120e0ee6fb0ddc18afd3d08cd24b4857f4fce2d894 |
| SHA512 | a69a50ca0f2420e1f1b796c0adf180c8f6e4041a95d1a976c6250bac4f069b1da04f9e3acece22303d707f1f107af4677cafb690d22b2e85adda7f0f9aea611c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | a8667564eacd8a3941237ac4a5788fc2 |
| SHA1 | 072a2887294f790ea3a77c0855b3f4d0273dd2d5 |
| SHA256 | feefb8d4e1e5004e5b44b1b7b05703b4db3a021b64dd975b36eecdf400bf82f7 |
| SHA512 | 4e1822ea5e0b3fcf43e428854d2fa368dc521f2ea1d8c66963b5da401d54eccbe5bf665939efa3d17905cd5e4435354171464ef3aecf5dac90ebdb48a4b5012d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 86dc91948e1d1c02fcaf13ae2d58b851 |
| SHA1 | b73c8f28f548ed60dd8e56671e675a4b7bd3f868 |
| SHA256 | 910e662bd6b2c58cea7b01540ed2cc0dfb9e8d7f7388edd329601c97d8a3f9fe |
| SHA512 | 47a25c98bde889ee9fb0c50f4133cad5de69a8d6f6bfe9da070b65df8473220c6e5a324b4546852f699f7e998f0fbe5915244594f26d1d82579a41b38704857a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 19:03
Reported
2024-06-09 19:37
Platform
win11-20240508-en
Max time kernel
1800s
Max time network
1685s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133624336764746333" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\SolaraB.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/raw/main/Files/SolaraB.zip
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffcbe2ab58,0x7fffcbe2ab68,0x7fffcbe2ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1804,i,17703062048905156523,6335091637824536083,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 234.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4120_CCZRMERIDNIBXCYE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\Downloads\SolaraB.zip:Zone.Identifier
| MD5 | 63dacf6b95b547374e6c1f9b42b6e785 |
| SHA1 | 42cb19febec56ac4454c87b1d12851266a8faac9 |
| SHA256 | 0654da2800aeb5b4c9f7b561b3681c779e76b0db4dc244252b57e7cf79f42d48 |
| SHA512 | e0e7f0840a8290e76ad8b9684130ac2dfc0f2013df59487e74d8a06bf9c94311f28522b95a180e123b1cc4cd4e8c466ca7f30107683eb7084516be7a51175cbc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 53c6d5b6bb177f481849f362cf974705 |
| SHA1 | 25e77c4bbc69ace3d21a2e1fb7ba3230346f1fe7 |
| SHA256 | fca41cc212a7fb2a81c72e0f72d829148d4d4471be09accbd82dc14596c0d5ce |
| SHA512 | 9b487a9569ed72ab8a6067fbd14ce733ef0f27107885229e74c54fcd7f7885c41086285397ad269a1891a0e3e006f2f111dad954a08c0fc262ebffcf3486a6ab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8b2bffd25ea543977812c762cdc24213 |
| SHA1 | 429ce9a9681b3b01d27ffbd664eb7fac647315c5 |
| SHA256 | 6ea4a3472bde35ac08984d9ce35fa4ed07d03972eeed29bc74d0f0aece903075 |
| SHA512 | 1250ccc9911d2eac1eba4e83e6450ace66860eb4c18b68c1c67804d5ecbb61af247351fc4c2034a91f58fa3927cb69e136d7beb5346ed9a1670cf2e7e974b46d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f69d62daa1418bdf603212cff9980918 |
| SHA1 | c97481e310da62ec2b849f938fdf0fd4d96b1eec |
| SHA256 | 0099c5df70c3a81ef5fad8adb4b833634f631bdb1b6ed699748acd35a2591256 |
| SHA512 | 0ff6b98480a2e66ab320bcce880069e699aa7ca544c92d0aad28ea72c7875084ad66b92cf640804e7d50ac8f3dbcd3b0035943e64e3edc5b943772667e0a1bf8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 7b57564f268508cb29f7c1b0752e6150 |
| SHA1 | 15626beb96ea2cf0918a9062b21fe613622579e3 |
| SHA256 | 659b4be696dfa381f88cd9d51eab2b7de93f6fa4d63569d69464fdf4b14789dd |
| SHA512 | a03b982c6aef8548d11875631f3c97daa43165c6313cda046d9d40b8137b1d5f3d511693a11cfd6f86e82c640f066258bc729e42ba2f3883569e1f5b6f8e8bdd |