Analysis

Max time kernel: 145s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 20-06-2024 20:37

Behavioral task: behavioral1
Sample: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
Resource: win7-20240220-en
General

Target: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
Size: 47KB
MD5: c6f6dc7bba217c28483bf2d105cbfad2
SHA1: e09f5fb55ee7c3709c310d0882437ccc95d14acf
SHA256: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044
SHA512: 60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3
SSDEEP: 768:4u1a71T3EiJfWUzDydmo2qz/0KuKbYWiDOQtPI9aygOB0KK60bNEyklQR/MVG4D7:4u1a71T3xq2+0KADXK9aC0KKlbNEXQR2
Malware Config

Extracted
Family: asyncrat
Version: 0.5.8
Default
Y27AkfNWf4he
delay: 3
install: true
install_file: Solara.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/UpAYSpm6
Signatures

Async RAT payload (1 IoC)
  resource: \Users\Admin\AppData\Roaming\Solara.exe | yara_rule: family_asyncrat

Detects file containing reversed ASEP Autorun registry keys (3 IoCs)
  resource: behavioral1/memory/2100-1-0x0000000000B60000-0x0000000000B72000-memory.dmp | yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
  resource: \Users\Admin\AppData\Roaming\Solara.exe | yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
  resource: behavioral1/memory/2476-16-0x0000000000AA0000-0x0000000000AB2000-memory.dmp | yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Executes dropped EXE (1 IoC)
  pid: 2476 | process: Solara.exe

Loads dropped DLL (1 IoC)
  pid: 2676 | process: cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
  flow: 28 | ioc: 2.tcp.eu.ngrok.io
  flow: 4 | ioc: pastebin.com
  flow: 5 | ioc: pastebin.com
  flow: 6 | ioc: 2.tcp.eu.ngrok.io
  flow: 17 | ioc: 2.tcp.eu.ngrok.io

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid: 2448 | process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
  pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
  pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
  description: Token: SeDebugPrivilege | pid: 2476 | process: Solara.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description: PID 2100 wrote to memory of 2668 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2668 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2668 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2668 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2676 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2676 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2676 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2100 wrote to memory of 2676 | pid: 2100 | process: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe | target process: cmd.exe
  description: PID 2668 wrote to memory of 2788 | pid: 2668 | process: cmd.exe | target process: schtasks.exe
  description: PID 2668 wrote to memory of 2788 | pid: 2668 | process: cmd.exe | target process: schtasks.exe
  description: PID 2668 wrote to memory of 2788 | pid: 2668 | process: cmd.exe | target process: schtasks.exe
  description: PID 2668 wrote to memory of 2788 | pid: 2668 | process: cmd.exe | target process: schtasks.exe
  description: PID 2676 wrote to memory of 2448 | pid: 2676 | process: cmd.exe | target process: timeout.exe
  description: PID 2676 wrote to memory of 2448 | pid: 2676 | process: cmd.exe | target process: timeout.exe
  description: PID 2676 wrote to memory of 2448 | pid: 2676 | process: cmd.exe | target process: timeout.exe
  description: PID 2676 wrote to memory of 2448 | pid: 2676 | process: cmd.exe | target process: timeout.exe
  description: PID 2676 wrote to memory of 2476 | pid: 2676 | process: cmd.exe | target process: Solara.exe
  description: PID 2676 wrote to memory of 2476 | pid: 2676 | process: cmd.exe | target process: Solara.exe
  description: PID 2676 wrote to memory of 2476 | pid: 2676 | process: cmd.exe | target process: Solara.exe
  description: PID 2676 wrote to memory of 2476 | pid: 2676 | process: cmd.exe | target process: Solara.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"'
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1842.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Solara.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Solara.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1842.tmp.bat
  Filesize: 150B
  MD5: c4049b6123043720a753b82a2f3126e9
  SHA1: 6c966eafa732d26a0526e624f2e267a9676489b2
  SHA256: beb1f9089fffb4cdd9e531009f5b30a3788a45b2b923cce98ca3aa88d477fbb5
  SHA512: c905f6f48314721a481ea4693033a0b95d37e8b2dda3261f73bb4ea4a3f5e3156b4905e9cce4880bb72614c4c17ce4d1c2929cb4dc8d0a6282e40eafb8e4464a

\Users\Admin\AppData\Roaming\Solara.exe
  Filesize: 47KB
  MD5: c6f6dc7bba217c28483bf2d105cbfad2
  SHA1: e09f5fb55ee7c3709c310d0882437ccc95d14acf
  SHA256: 2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044
  SHA512: 60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3

memory/2100-0-0x00000000745AE000-0x00000000745AF000-memory.dmp
  Filesize: 4KB

memory/2100-1-0x0000000000B60000-0x0000000000B72000-memory.dmp
  Filesize: 72KB

memory/2100-2-0x00000000745A0000-0x0000000074C8E000-memory.dmp
  Filesize: 6.9MB

memory/2100-11-0x00000000745A0000-0x0000000074C8E000-memory.dmp
  Filesize: 6.9MB

memory/2476-16-0x0000000000AA0000-0x0000000000AB2000-memory.dmp
  Filesize: 72KB