Malware Analysis Report

2024-10-10 08:04

Sample ID 240611-snxlva1fme
Target Solara.Dir.zip
SHA256 56c860462f30759c805c66f5154cb2d9b6a292c84bfdd1ec7ecfdfeaa824bf0f
Tags
themida evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

56c860462f30759c805c66f5154cb2d9b6a292c84bfdd1ec7ecfdfeaa824bf0f

Threat Level: Likely malicious

The file Solara.Dir.zip was found to be: Likely malicious.

Malicious Activity Summary

themida evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 15:17

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 15:16

Reported

2024-06-11 15:19

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 15:16

Reported

2024-06-11 15:19

Platform

win10v2004-20240508-en

Max time kernel

128s

Max time network

106s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A
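The two signatures above are the same technique seen from the sandbox side: the sample reads registry locations whose values differ between bare metal and a hypervisor (the VBOX__ ACPI table under HARDWARE\ACPI\DSDT, and the BIOS version strings under HARDWARE\DESCRIPTION\System). The following is an added example, not part of the sandbox's own tooling: it takes registry-access rows in the form shown in these tables, normalizes the native \REGISTRY\MACHINE\ prefix to HKLM\, and flags the ones that match known VM-fingerprinting locations. The VBOX__ and BIOS-version paths are taken from this report; the extra ACPI table names, the SystemBiosDate value and the ATT&CK IDs (T1497.001 for the ACPI check, T1082 for the BIOS query) are this example's own assumptions about how the hits should be generalized and mapped. The sample rows are constructed from the report, with one benign Run-key access added as a negative case.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    category: str   # which fingerprinting rule matched
    attack_id: str  # assumed ATT&CK mapping for that rule
    key: str        # normalized registry path
    process: str    # process that performed the access


# Native object-manager prefixes as they appear in sandbox output, mapped to the
# familiar hive abbreviations.
_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
)

# Rules: (category, assumed ATT&CK id, pattern over the normalized path).
# The DSDT\VBOX__ table and the two *BiosVersion values are the exact keys in
# this report; FADT/RSDT/SSDT and SystemBiosDate are an assumption added so the
# rule also catches sibling ACPI tables and the date value next to the versions.
VM_ARTIFACT_RULES = (
    ("virtualbox-acpi", "T1497.001",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT|SSDT)\\VBOX__", re.I)),
    ("bios-version", "T1082",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
)


def normalize_key(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... style paths to HKLM\\... (others untouched)."""
    upper = path.upper()
    for native, friendly in _PREFIXES:
        if upper.startswith(native):
            return friendly + path[len(native):]
    return path


def classify(rows):
    """rows: iterable of (action, registry_path, process) tuples as in the report.
    Returns one Hit per row that matches a VM-fingerprinting rule; the first
    matching rule wins, so a row is never reported twice."""
    hits = []
    for _action, key, process in rows:
        norm = normalize_key(key)
        for category, attack_id, pattern in VM_ARTIFACT_RULES:
            if pattern.search(norm):
                hits.append(Hit(category, attack_id, norm, process))
                break
    return hits


def attack_ids(hits) -> set:
    """Distinct ATT&CK ids implied by a set of hits (for tagging the report)."""
    return {h.attack_id for h in hits}


# Constructed from the behavioral2 signature tables, plus one benign access
# (an autorun key read) that must not be flagged.
_PROC = r"C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
SAMPLE_ROWS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", _PROC),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", _PROC),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", _PROC),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _PROC),
]


if __name__ == "__main__":
    for hit in classify(SAMPLE_ROWS):
        print(f"{hit.attack_id} {hit.category:16} {hit.key}")
```

Anchoring on the normalized HKLM\ prefix matters: sandbox traces, Sysmon registry events and Procmon each spell the same key differently, and a rule written against only one spelling will miss the other two. Matching the whole VBOX__ table name rather than just the ACPI directory keeps ordinary hardware enumeration (which also reads HARDWARE\ACPI) from being flagged.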

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A

Note: the Network table below records only a DNS query for this name (to 8.8.8.8:53); the single TCP/443 connection observed went to 52.111.229.43, and no connection to an address resolved for raw.githubusercontent.com appears in the capture. Treat this as a resolution, not a confirmed download or C2 exchange.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Note: ThreadHideFromDebugger is a standard anti-debugging measure used by commercial protectors, including Themida, which this report already flags on the same executable; on its own it indicates a protected binary, not malicious intent.

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Note: the file opened (see Processes below) is C:\Users\Admin\Desktop\Solara.Dir\Monaco\fileaccess\index.js, a JavaScript source file inside the archive's Monaco directory, not a text note dropped by the sample. The ransom-note heuristic is a weak indicator here.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

"C:\Users\Admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Solara.Dir\Monaco\fileaccess\index.js

Network

Country | Destination | Domain | Proto
US | 52.111.229.43:443 | N/A | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
N/A | 127.0.0.1:64885 | N/A | tcp

Files

memory/3984-0-0x00007FF97E6E3000-0x00007FF97E6E5000-memory.dmp

memory/3984-1-0x0000020E78AC0000-0x0000020E78ADA000-memory.dmp

memory/3984-2-0x0000020E7B600000-0x0000020E7BB3C000-memory.dmp

memory/3984-3-0x00007FF97E6E0000-0x00007FF97F1A1000-memory.dmp

memory/3984-4-0x0000020E7B270000-0x0000020E7B32A000-memory.dmp

memory/3984-5-0x0000020E78EC0000-0x0000020E78ECE000-memory.dmp

memory/3984-6-0x0000020E7B430000-0x0000020E7B4AE000-memory.dmp

memory/3984-7-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-9-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-10-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-8-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-12-0x0000020E7B240000-0x0000020E7B248000-memory.dmp

memory/3984-14-0x0000020E7FDC0000-0x0000020E7FDCE000-memory.dmp

memory/3984-13-0x0000020E7FE00000-0x0000020E7FE38000-memory.dmp

memory/3984-15-0x0000020E7FF00000-0x0000020E7FFB2000-memory.dmp

memory/3984-17-0x00007FF9803C0000-0x00007FF9803E4000-memory.dmp

memory/3984-16-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-18-0x0000000180000000-0x0000000180B19000-memory.dmp

memory/3984-20-0x00007FF97E6E0000-0x00007FF97F1A1000-memory.dmp