General
-
Target
SolaroB.exe
-
Size
315KB
-
Sample
240618-mhqcpazakh
-
MD5
ded6899acd90f3b7a2a65ac7adf41c9f
-
SHA1
1d696bcfcc10fa05d7a69ce7782ebd0006efb367
-
SHA256
a3b28c9c105887943acef8ae6e70bb79a3db83a7bcdd4307bde10e72c3394268
-
SHA512
fb7986ec47d65412bdda2e25b6b77866bc5dac8d8c51756ba5129e09f5ceb39b4ffc2c4c76536c20ff7dcc23f150f2dde4ba80f08681e53e8e3867b2dda5ab15
-
SSDEEP
6144:gtYtxQIeHKPxA20MTbe61lWTLF21cUWF0ryP7iynfap2d3zN9BeOaJs/C2vQG1yt:gtYt7poMPP1le0y+y7iynypQxb5aJ2+
Static task
static1
Behavioral task
behavioral1
Sample
SolaroB.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
SolaroB.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1251956998581522512/T_EEim3SFywd5SuJ1qG-aBAF2rWGOQN6KOZXRn7DecpgpODfH2Pr1ZycNH_TsE54WBy6
Targets
-
-
Target
SolaroB.exe
-
Size
315KB
-
MD5
ded6899acd90f3b7a2a65ac7adf41c9f
-
SHA1
1d696bcfcc10fa05d7a69ce7782ebd0006efb367
-
SHA256
a3b28c9c105887943acef8ae6e70bb79a3db83a7bcdd4307bde10e72c3394268
-
SHA512
fb7986ec47d65412bdda2e25b6b77866bc5dac8d8c51756ba5129e09f5ceb39b4ffc2c4c76536c20ff7dcc23f150f2dde4ba80f08681e53e8e3867b2dda5ab15
-
SSDEEP
6144:gtYtxQIeHKPxA20MTbe61lWTLF21cUWF0ryP7iynfap2d3zN9BeOaJs/C2vQG1yt:gtYt7poMPP1le0y+y7iynypQxb5aJ2+
-
Detect Umbral payload
-
Modifies WinLogon for persistence
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1