Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
22-06-2024 16:48
Behavioral task
behavioral1
Sample
SolararB5.1.exe
Resource
win10v2004-20240611-en
General
-
Target
SolararB5.1.exe
-
Size
25.0MB
-
MD5
dcff6f093bdaf3d7df4845f39834ea27
-
SHA1
d304cbd44a432a8e7b756f4bc4da770cd4abba8a
-
SHA256
199199951d5ec31ad1f699ee996d96524e5022a8af45797777d16488224424d5
-
SHA512
842471ed4edcf6b1a9c5e6c4c06209a1ab8058619b5122b5b95c2917322f23f59004a275cce313dc1b44a831b42d2f77613cb79fb3ebaf94551e3d94b39a80cf
-
SSDEEP
768:QY3reZFKghFchQVTqWnwz/1h3XE/blczxXSsvXxrjEtCdnl2pi1Rz4Rk3usGdpo3:Te/K6bTq8itNE2VhjEwzGi1dDKDogS
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
netsh.exenetsh.exenetsh.exepid process 2816 netsh.exe 1512 netsh.exe 4684 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SolararB5.1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation SolararB5.1.exe -
Drops startup file 6 IoCs
Processes:
server.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c030f9e6d6e7a75ab6016f5c301de1aWindows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c030f9e6d6e7a75ab6016f5c301de1aWindows Update.exe server.exe -
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2852 server.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
server.exedescription ioc process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 2 IoCs
Processes:
server.exedescription ioc process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
Processes:
server.exedescription ioc process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Drops file in Windows directory 2 IoCs
Processes:
SolararB5.1.exeserver.exedescription ioc process File created C:\Windows\server.exe SolararB5.1.exe File opened for modification C:\Windows\server.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exenetsh.exenetsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 2852 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
SolararB5.1.exeserver.exedescription pid process target process PID 4904 wrote to memory of 2852 4904 SolararB5.1.exe server.exe PID 4904 wrote to memory of 2852 4904 SolararB5.1.exe server.exe PID 4904 wrote to memory of 2852 4904 SolararB5.1.exe server.exe PID 2852 wrote to memory of 2816 2852 server.exe netsh.exe PID 2852 wrote to memory of 2816 2852 server.exe netsh.exe PID 2852 wrote to memory of 2816 2852 server.exe netsh.exe PID 2852 wrote to memory of 4684 2852 server.exe netsh.exe PID 2852 wrote to memory of 4684 2852 server.exe netsh.exe PID 2852 wrote to memory of 4684 2852 server.exe netsh.exe PID 2852 wrote to memory of 1512 2852 server.exe netsh.exe PID 2852 wrote to memory of 1512 2852 server.exe netsh.exe PID 2852 wrote to memory of 1512 2852 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolararB5.1.exe"C:\Users\Admin\AppData\Local\Temp\SolararB5.1.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\server.exe"C:\Windows\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2816 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Windows\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4684 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4280,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:81⤵PID:3656
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5d43c5b07c128b116b7bc8faf7b8efa9d
SHA1dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa
SHA25680ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f
SHA512618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334
-
Filesize
25.0MB
MD5dcff6f093bdaf3d7df4845f39834ea27
SHA1d304cbd44a432a8e7b756f4bc4da770cd4abba8a
SHA256199199951d5ec31ad1f699ee996d96524e5022a8af45797777d16488224424d5
SHA512842471ed4edcf6b1a9c5e6c4c06209a1ab8058619b5122b5b95c2917322f23f59004a275cce313dc1b44a831b42d2f77613cb79fb3ebaf94551e3d94b39a80cf