fe278313e0c1881d20de92eb25d7d54c3889302ab41a6dfd4bce7ef09ba1634a

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootrapper.exe
Size

456KB
MD5

f69ce486fdd380c2555229632782cf33
SHA1

2d0fcc652f0ed2ef98a6ca79267fe5ade3bfc2f3
SHA256

fe278313e0c1881d20de92eb25d7d54c3889302ab41a6dfd4bce7ef09ba1634a
SHA512

37282041ba015c96b1db8fb156e3f28504d0266154e255c041dfc26b83358ec005e34c2e25b34650b0eb7700746639c6a7bbc68da2655a5ab8aec4e3f6d29f66
SSDEEP

6144:ravR0hfwk3QY6sk2exgDe6VlWT8b90K1rBofjXz/b34nuM+V:GvGBZ3HDtrDPVle8HBo/LGuM4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1848	Solara.exe
1920	sheet.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	SolaraBootrapper.exe
2380	SolaraBootrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	Solara.exe
1848	Solara.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	Solara.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1848	2380	SolaraBootrapper.exe	28
PID 2380 wrote to memory of 1848	2380	SolaraBootrapper.exe	28
PID 2380 wrote to memory of 1848	2380	SolaraBootrapper.exe	28
PID 2380 wrote to memory of 1848	2380	SolaraBootrapper.exe	28
PID 2380 wrote to memory of 1920	2380	SolaraBootrapper.exe	29
PID 2380 wrote to memory of 1920	2380	SolaraBootrapper.exe	29
PID 2380 wrote to memory of 1920	2380	SolaraBootrapper.exe	29
PID 2380 wrote to memory of 1920	2380	SolaraBootrapper.exe	29

C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\sheet.exe
  "C:\Users\Admin\AppData\Local\Temp\sheet.exe"
  2⤵
  - Executes dropped EXE
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
\Users\Admin\AppData\Local\Temp\sheet.exe

Filesize
433KB

MD5
402639a1710f03cec323ff691008a9c2

SHA1
68b0e8ee94202b557d0de55d74d52c74be18fe4d

SHA256
fe093da74277c5ccc6665bf3df01741d69f2bef1c164b3e5fbd940ca7e616ce1

SHA512
1ce7c47bb2e09ba6b45479ef0ff384389674cbaee5721c2cd5718245a41fb9906e56aa58ecee8ed7a2ab86c86113e7b0cc6fadc4421ae337cc0ada7d9a74f10f

Download Submit
memory/1848-15-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1920-14-0x0000000000FA0000-0x0000000001012000-memory.dmp

Filesize
456KB

Download
memory/2380-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download