65dcaf8699e4d8d8aaa1c177fc49bfe4ff69ad4fd3891d61f68c5239e217cb14

General

Target

Solara/SolaraB/SolaraBootstrapper.exe
Size

826KB
MD5

886d05ab350457e2ddde2f569dc0668a
SHA1

3448ca0ce7b2f279694f8a360348c0ade71b9322
SHA256

286b6d3aa77caa78854b3648d96d80a1f207d7b94fb54103b44600a6f72839b5
SHA512

31186e5e079389f820a026843340468cf183c31ee18d60537d48e83b4ecb08b86f2e1b41012b4fa25ebbbd33a4fbc833986815e71010b74df3e04fdaf49d7962
SSDEEP

12288:gCQjgAtAHM+vetZxF5EWry8AJGy03eJxZM6gMkIhS:g5ZWs+OZVEWry8AFL06gGS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SolaraBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 1 IoCs

Processes:

SolaraBootstrapper.exe

pid process

640 SolaraBootstrapper.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SolaraBootstrapper.exemsedge.exe

pid process

640 SolaraBootstrapper.exe
640 SolaraBootstrapper.exe
4796 msedge.exe
4796 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SolaraBootstrapper.exe

description pid process

Token: SeDebugPrivilege 640 SolaraBootstrapper.exe

pid	process
640	SolaraBootstrapper.exe

flow	ioc
7	raw.githubusercontent.com

pid	process
640	SolaraBootstrapper.exe
640	SolaraBootstrapper.exe
4796	msedge.exe
4796	msedge.exe

description	pid	process
Token: SeDebugPrivilege	640	SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraBootstrapper.exemsedge.exe

description	pid	process	target process
PID 1596 wrote to memory of 640	1596	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 1596 wrote to memory of 640	1596	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 1596 wrote to memory of 640	1596	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 5108 wrote to memory of 1104	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 1104	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 544	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4796	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4796	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4980	5108	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Solara\SolaraB\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraB\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb815059ah344dh49echa3ech01131146b888
1⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffa2a8a46f8,0x7ffa2a8a4708,0x7ffa2a8a4718
2⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13556337226535407178,13718767697761208582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13556337226535407178,13718767697761208582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13556337226535407178,13718767697761208582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a6975193fc6520f07522f00603c43470

SHA1
f6076002c7b0d890942219e0905df716cb1a3793

SHA256
083e1a3d58700e94616558fb9930f250b74403c297ab1b7d45429f29a94b2ffd

SHA512
a360b087f9a4f8e949c52c6955ff39fe81c0d6d914a6b462fcdc277dc80e62e5f5fc247bd5722499d37a5b835ca5bce7d5504a6703bfd5da56ed6087562f0760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
cbbdadccd9b10c647dd60634dd94e6c9

SHA1
8e0b3eca47b6d2af25494ddc96bfe6a2b492c3ee

SHA256
4a95d11252ce0028f57a1fe8d35e718d5eddd7ccd168058d031dd09b6a580eee

SHA512
b590a97776abb376c66ecd127d771a237dd58ded78740a8a8f37249c22e6601f4426c17cae289b5481ad4138567a78bec0ce42d593a8435c8deeed23329b36da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
\??\pipe\LOCAL\crashpad_5108_ZMFGLTPNPYPEOBDI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-14-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/640-15-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/640-16-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/640-17-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/640-18-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Resubmissions

Analysis

Sharing