Analysis Overview
SHA256
56c860462f30759c805c66f5154cb2d9b6a292c84bfdd1ec7ecfdfeaa824bf0f
Threat Level: Likely malicious
The file Solara.Dir.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 15:17
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 15:16
Reported
2024-06-11 15:19
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip
Explorer was started by the sandbox itself to open the submitted archive (the /idlist switch is Explorer's own way of opening a shell item). In this Windows 7 run nothing was extracted or executed, which is why the Signatures, Network and Files sections below are empty; the verdict rests entirely on the Windows 10 run (behavioral2).
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 15:16
Reported
2024-06-11 15:19
Platform
win10v2004-20240508-en
Max time kernel
128s
Max time network
106s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
VirtualBox publishes its ACPI tables under HKLM\HARDWARE\ACPI\DSDT\VBOX__ (the subkey name is the table's OEM ID), so a successful open of this key is a reliable sign of a VirtualBox guest; on physical hardware or other hypervisors the subkey has a different name and the open fails. The report records only that the key was opened, not what the sample did with the result.
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
These values are filled from the firmware's BIOS strings at boot, and hypervisor firmware typically leaves a vendor string in them, so querying them is a common VM check that is usually paired with the ACPI key check above. Read together, the two signatures point to environment fingerprinting rather than to any legitimate hardware inventory need.
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
The Network section below shows only a DNS lookup for raw.githubusercontent.com (sent to 8.8.8.8); no TCP connection to a GitHub address was recorded within the run, so this report does not establish whether anything was actually fetched from GitHub, nor what. The domain is still worth watching for in proxy logs, but on its own it is weak evidence of C2.
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the kernel from delivering debug events for that thread, so an attached debugger silently loses it. Commercial protectors such as Themida emit this call from their runtime, so together with the Themida signature this is consistent with packer anti-debugging rather than a separate capability of the payload.
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
The file Notepad opened (see Processes below) is Monaco\fileaccess\index.js, a JavaScript source file extracted from the archive alongside the executable, not a ransom note. This heuristic fires on any file the sample's process tree hands to Notepad; check the file's content before treating it as a ransomware indicator.
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
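As an added example (not part of the sandbox report or its tooling), the following Python re-derives the three anti-analysis signatures above from a list of raw event records. The records are constructed to mirror what the report attributes to cd57e4c171d6e8f5ea8b8f824a6a7316.exe; the Event model, PID 3984 (taken from the memory dump names), and the benign Explorer record are assumptions for illustration, while the registry paths and the ThreadHideFromDebugger class value 0x11 are real.

```python
"""Re-derive the sandbox's anti-VM / anti-debug signatures from raw events.

Added example; not the sandbox's own code. The EVENTS list below is
constructed to mirror the report for cd57e4c171d6e8f5ea8b8f824a6a7316.exe.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str  # image path of the process that performed the action
    op: str       # "key_open" | "value_query" | "api_call"  (assumed schema)
    target: str   # registry path, or "ApiName:<info class>" for api_call


# Hypervisor OEM IDs that appear as subkeys of HARDWARE\ACPI\<table>.
# VBOX__ is the one the report shows; other IDs can be added as needed.
ACPI_VM_OEM_IDS = {"VBOX__": "VirtualBox"}
ACPI_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\([^\\]+)", re.I)

# Firmware strings under HARDWARE\DESCRIPTION\System that reveal the BIOS vendor.
BIOS_VALUES = {"systembiosversion", "videobiosversion"}
BIOS_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\([^\\]+)$", re.I)

# THREADINFOCLASS::ThreadHideFromDebugger
THREAD_HIDE_FROM_DEBUGGER = 0x11


def classify(ev: Event) -> str | None:
    """Map one event to the report's signature name, or None if it is benign."""
    if ev.op == "key_open":
        m = ACPI_KEY.match(ev.target)
        if m and m.group(2).upper() in ACPI_VM_OEM_IDS:
            vendor = ACPI_VM_OEM_IDS[m.group(2).upper()]
            return f"Identifies {vendor} via ACPI registry values (likely anti-VM)"
    elif ev.op == "value_query":
        m = BIOS_KEY.match(ev.target)
        if m and m.group(1).lower() in BIOS_VALUES:
            return "Checks BIOS information in registry"
    elif ev.op == "api_call":
        name, _, arg = ev.target.partition(":")
        if name == "NtSetInformationThread" and arg and int(arg, 0) == THREAD_HIDE_FROM_DEBUGGER:
            return "Suspicious use of NtSetInformationThreadHideFromDebugger"
    return None


def evaluate(events: list[Event]) -> dict[str, list[Event]]:
    """Group matching events by signature, keyed like the report's Signatures section."""
    hits: dict[str, list[Event]] = {}
    for ev in events:
        sig = classify(ev)
        if sig:
            hits.setdefault(sig, []).append(ev)
    return hits


def processes_flagged(hits: dict[str, list[Event]]) -> set[str]:
    """Image paths that triggered at least one signature."""
    return {ev.process for evs in hits.values() for ev in evs}


SAMPLE = r"C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

# Constructed input mirroring the report's behavioral2 run.
EVENTS = [
    Event(3984, SAMPLE, "key_open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(3984, SAMPLE, "value_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(3984, SAMPLE, "value_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(3984, SAMPLE, "api_call", "NtSetInformationThread:0x11"),
    # Benign controls (constructed): an unrelated registry read by Explorer,
    # and a ThreadPriority (0x02) call, which is a normal use of the same API.
    Event(1234, r"C:\Windows\Explorer.exe", "value_query",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir"),
    Event(3984, SAMPLE, "api_call", "NtSetInformationThread:0x02"),
]

if __name__ == "__main__":
    for sig, evs in evaluate(EVENTS).items():
        print(sig)
        for ev in evs:
            print(f"  pid {ev.pid}  {ev.op}  {ev.target}")
```

In a real pipeline the records come from the sandbox's raw API trace or from a kernel-level registry monitor; note that Sysmon's registry events (create, delete, value set, rename) do not cover the read and query operations these checks perform, so reads like the ones above will not show up in a Sysmon-only telemetry set.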
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Solara.Dir\Monaco\fileaccess\index.js
Reading the tree: Explorer opened the archive, rundll32 hosted a shell COM server for it (SHCreateLocalServerRunDll is shell32's standard out-of-process COM host, not code from the sample), the extracted cd57e4c171d6e8f5ea8b8f824a6a7316.exe was then run from the Desktop, and Notepad was opened on Monaco\fileaccess\index.js. The executable is the only process here that carries signatures.
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | N/A | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 127.0.0.1:64885 | N/A | tcp |
No process is attributed to any of these flows in this report, so none of them can be tied to the sample from the report alone. The 443 connection has no associated domain, and the only raw.githubusercontent.com activity is the DNS lookup; the loopback connection on port 64885 indicates a local listener that the report does not identify.
Files
memory/3984-0-0x00007FF97E6E3000-0x00007FF97E6E5000-memory.dmp
memory/3984-1-0x0000020E78AC0000-0x0000020E78ADA000-memory.dmp
memory/3984-2-0x0000020E7B600000-0x0000020E7BB3C000-memory.dmp
memory/3984-3-0x00007FF97E6E0000-0x00007FF97F1A1000-memory.dmp
memory/3984-4-0x0000020E7B270000-0x0000020E7B32A000-memory.dmp
memory/3984-5-0x0000020E78EC0000-0x0000020E78ECE000-memory.dmp
memory/3984-6-0x0000020E7B430000-0x0000020E7B4AE000-memory.dmp
memory/3984-7-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-9-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-10-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-8-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-12-0x0000020E7B240000-0x0000020E7B248000-memory.dmp
memory/3984-14-0x0000020E7FDC0000-0x0000020E7FDCE000-memory.dmp
memory/3984-13-0x0000020E7FE00000-0x0000020E7FE38000-memory.dmp
memory/3984-15-0x0000020E7FF00000-0x0000020E7FFB2000-memory.dmp
memory/3984-17-0x00007FF9803C0000-0x00007FF9803E4000-memory.dmp
memory/3984-16-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-18-0x0000000180000000-0x0000000180B19000-memory.dmp
memory/3984-20-0x00007FF97E6E0000-0x00007FF97F1A1000-memory.dmp
All dumps come from PID 3984. The range 0x0000000180000000-0x0000000180B19000 (0x180000000 is the default image base for 64-bit DLLs) was captured repeatedly (indices 7 through 10, 16 and 18), i.e. the sandbox re-dumped it several times over the run; for a Themida-protected sample that region is the first one to examine when looking for the unpacked code.