Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
30-06-2024 12:44
Static task
static1
Behavioral task
behavioral1
Sample
Solara-main.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Solara-main/README.md
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
Solara-main/Solara.zip
Resource
win10-20240404-en
General
-
Target
Solara/SolaraB/SolaraBootstrapper.exe
-
Size
826KB
-
MD5
886d05ab350457e2ddde2f569dc0668a
-
SHA1
3448ca0ce7b2f279694f8a360348c0ade71b9322
-
SHA256
286b6d3aa77caa78854b3648d96d80a1f207d7b94fb54103b44600a6f72839b5
-
SHA512
31186e5e079389f820a026843340468cf183c31ee18d60537d48e83b4ecb08b86f2e1b41012b4fa25ebbbd33a4fbc833986815e71010b74df3e04fdaf49d7962
-
SSDEEP
12288:gCQjgAtAHM+vetZxF5EWry8AJGy03eJxZM6gMkIhS:g5ZWs+OZVEWry8AFL06gGS
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Executes dropped EXE 3 IoCs
Processes:
SolaraBootstrapper.execd57e4c171d6e8f5ea8b8f824a6a7316.exeInsidious.exepid process 5096 SolaraBootstrapper.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 648 Insidious.exe -
Loads dropped DLL 5 IoCs
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exepid process 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral4/memory/1436-1511-0x0000000180000000-0x0000000180B0D000-memory.dmp themida \Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll themida behavioral4/memory/1436-1513-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1512-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1514-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1521-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1523-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1525-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1526-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1528-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1530-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1532-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1534-0x0000000180000000-0x0000000180B0D000-memory.dmp themida behavioral4/memory/1436-1538-0x0000000180000000-0x0000000180B0D000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 20 raw.githubusercontent.com 3 raw.githubusercontent.com 4 raw.githubusercontent.com 15 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 freegeoip.app 8 freegeoip.app -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exepid process 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642252297502214" chrome.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exepid process 5096 SolaraBootstrapper.exe 5096 SolaraBootstrapper.exe 648 Insidious.exe 648 Insidious.exe 648 Insidious.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
chrome.exepid process 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
SolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exechrome.exedescription pid process Token: SeDebugPrivilege 5096 SolaraBootstrapper.exe Token: SeDebugPrivilege 648 Insidious.exe Token: SeDebugPrivilege 1436 cd57e4c171d6e8f5ea8b8f824a6a7316.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
chrome.exepid process 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SolaraBootstrapper.exeSolaraBootstrapper.exechrome.exedescription pid process target process PID 4944 wrote to memory of 5096 4944 SolaraBootstrapper.exe SolaraBootstrapper.exe PID 4944 wrote to memory of 5096 4944 SolaraBootstrapper.exe SolaraBootstrapper.exe PID 4944 wrote to memory of 5096 4944 SolaraBootstrapper.exe SolaraBootstrapper.exe PID 5096 wrote to memory of 1436 5096 SolaraBootstrapper.exe cd57e4c171d6e8f5ea8b8f824a6a7316.exe PID 5096 wrote to memory of 1436 5096 SolaraBootstrapper.exe cd57e4c171d6e8f5ea8b8f824a6a7316.exe PID 4944 wrote to memory of 648 4944 SolaraBootstrapper.exe Insidious.exe PID 4944 wrote to memory of 648 4944 SolaraBootstrapper.exe Insidious.exe PID 4552 wrote to memory of 4348 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 4348 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3376 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 948 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 948 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe PID 4552 wrote to memory of 3556 4552 chrome.exe chrome.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara\SolaraB\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraB\SolaraBootstrapper.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeefa79758,0x7ffeefa79768,0x7ffeefa797782⤵PID:4348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:22⤵PID:3376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:3556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:3720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:3960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:5104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:2856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:4684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3844 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3812 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:4028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2240 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:12⤵PID:3840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1864,i,14479930569817660072,6005586462130499066,131072 /prefetch:82⤵PID:4536
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:4140
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
539B
MD51f8d819cec14602caaff16a67ec4a37f
SHA1a82087f7e59f2402aec4e7f6c06fa0fa15314d82
SHA256ac67547cf534d922a49cede29427a726af9d78a19886d244d14a1061362b5cb9
SHA512a11b7b213aa89af08348248dc151f002f319e0143fac0564b2aebcf7bc61b0053d749f5d7516b1ba5073cf8333082b4cdc31275e046cf6c0feb9cff7b9157087
-
Filesize
539B
MD54bca25fec3d2b980b2d2ca1d5c1cf4ab
SHA1ded53ab6ea9ce179162344543d20da014825d5f8
SHA256856e21963fd1f411dfc366849d3219b04e4570a503c956460ddda7e7cad62802
SHA512f137f019bca4f5c4a58235429c036952108d130b1ec17d235b52113b328995ac0bdce53c8c0e79de1ba99a49f85c1d9691a92508674bc730acb81a68f7cbcacc
-
Filesize
2KB
MD5a5baa8e30dfa73fbc297a35d4cffd2aa
SHA172ad19a33eeb6f54c31be1ac3599d6cd46422efe
SHA2567a4311382db7a1f015e44cdd5283995bce8d3c35767df0536f35e452f3cffa02
SHA5128f8fd4a5c0d651829e218b82cba31131f2e76477ac788b7ed8ec4f8e8333f619e89c4e65692ae7d64009036a05f2617e772eda9184ebac01301ef7c3dace54b0
-
Filesize
2KB
MD56bd7a86fe0ed5f4555f351605a1b1548
SHA10bc36a0d5a53ea2932c69e3b238df067858869b4
SHA256ea6d745d951c39e3bd7b5ac025cf473046f8b81aac51c01d1fbb27adaa3cd77c
SHA51205882948474a03e2d939cd5512816c133357de25144efdf7a54dd59dc4a9888721627f34b415e86fd2fc083777378ba309307c837028206618daa11f2ef8d34c
-
Filesize
5KB
MD5dbc55d29eaa44af5336beeebc374a56f
SHA1578a2595b9a55060c4d1594413503169607125ab
SHA256b2498ae23f3d7adde30e23dd1c4fdb44b451a4ad1ba9b913eabe2b862a40e4b0
SHA5129f837e74600eb12c65e5dedb8c828d124d89509b1e3a03894235375247377ff5d1f2a0d07e080ac12ab71c08ada11380740ccc17ea4ee05d54891ae5ea4da6f7
-
Filesize
6KB
MD599122b8cef5e3d38b9d3c582f8818a07
SHA1ec6111c27a3940a94e7443a30db4cfee5c00c678
SHA256f7adb0f5581317795107b4a54b8d30eb008fe70511da55ab984a8df1e7548e2b
SHA512e865cd8854689e1570fa5b74c76e4a8dc7e4a4f99f4fe568f8bf8e4d4515a7e4c836908394f67fbf7870f4103cdb363632a2c17e3cc1c0e5c21e86cf192c3f37
-
Filesize
6KB
MD5e835fc96df1e613ed82b2966234f52ee
SHA12106fcdc6365041ffb054fb862a083cfda089945
SHA2567dec76b66c011c98d3d583ede41aa6b14322b203e11432ca0154cd2ae53440ca
SHA5126c801053e532d3c23cb8e7f0660d6a4500dc415aff7432ef440db955abeac1214aae0a71edbb6573eeac67d365436f89cde970cfc2f2dc6a6c9f9df8f0455364
-
Filesize
6KB
MD52e892f196d35a74b54f841eb61c64b07
SHA1f513c7aec2acf4dd08fc02e7cb8126bcf8f49191
SHA2565c3b02146e698f5cafef4275311742b4a98e14b6d8af819c73e01480b57d2d97
SHA512176a6eb3c8a3d13b633a9c38fa91df464d46936e752efb4c88c2a1f5765c89ddf061b1115d279690f28e90475256e52c1282ab4e40125fa12faaa27a02ad0156
-
Filesize
12KB
MD510aebf87742690ecbc47d14357518715
SHA11c1891affeed6c4139e8004db013dc5a7d8333c1
SHA25604a70f10965b56ecf74361736e220ca5493a682a5f5212c7752dc3c657f2366b
SHA512d412a972cb9f53bd208fe14c5e14ff8818ee62a96d41a7983e7489a870ce8d01739505eed2408099b061dc7da751206100faba5e20b342eefe33b83eae8b4eb8
-
Filesize
289KB
MD585389a1626184273cbf20a1ac5b0d8ba
SHA1a9fe99d1a309a969bcba874c8751a030d98964da
SHA2560d9ad49b125d43c1dbf50d8e64a99e99436bb4ffe8b8e22577d71608b3e7ef1c
SHA512eed878c533bd6138b9522c132b5e22bfa5caa1d80f25c1986c8cdfdfc4d5db78243bf3cecc88e260319ad929bedd497ba16e78e69a570d0f08d1e73fdd8a648b
-
Filesize
97KB
MD590efc0edbd2a60c82c3307c8757b3635
SHA1afc7c4c9033fd6f4db4ceede4f557f55b8cf5cbe
SHA2564422c57054d41ab1a743f456995ea9898798012f5b6ac8106d8f0fc2845fe7e2
SHA512066a598c8dae16ea60a8b252dd7117db585c48667f19f6a30c92337268f7394012d00e3f1305150c71deafca809be977a5f9687fb3a24eaaa93e7ac11ec48470
-
Filesize
92KB
MD58e93b8cc75dd97c1dae322b303411c21
SHA1c2cbb2ed60c0e58aab64ce89b1808b7272ccd0f3
SHA25675e7e1c70fbf9186426a4e05af500a2a83ee5944626465217208ba363e553f67
SHA51235f0e47a3e5c846938c548d1040febb63a34e9dbf6f95db94f544ea97bc3e6ddff758746f08406991216d0558988eab679e459f495088e84c871a3c281191f90
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
303KB
MD5cf6fbbd85d69ed42107a937576028fc9
SHA1d8f2ca741a8f0beb8e89a68407241c5332759303
SHA256644455284cd1e2188564dcea09cc0d09448423c9bfdeb9d05a834600d593ec1a
SHA512562f8004f6d406ed596ff2ad7487f616f1abb98d415d70d87c18f11f364b35a40b959800085966b1680737e6bc7e3793d3b8c60046ea680dc87a673badeab94e
-
Filesize
13KB
MD56557bd5240397f026e675afb78544a26
SHA1839e683bf68703d373b6eac246f19386bb181713
SHA256a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
-
Filesize
488KB
MD5851fee9a41856b588847cf8272645f58
SHA1ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA2565e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f
-
Filesize
37KB
MD54cf94ffa50fd9bdc0bb93cceaede0629
SHA13e30eca720f4c2a708ec53fd7f1ba9e778b4f95f
SHA25650b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6
SHA512dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98
-
Filesize
43KB
MD534ec990ed346ec6a4f14841b12280c20
SHA16587164274a1ae7f47bdb9d71d066b83241576f0
SHA2561e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0
-
Filesize
139B
MD5d0104f79f0b4f03bbcd3b287fa04cf8c
SHA154f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6
-
Filesize
43B
MD5c28b0fe9be6e306cc2ad30fe00e3db10
SHA1af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA2560694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9
-
Filesize
216B
MD5c2ab942102236f987048d0d84d73d960
SHA195462172699187ac02eaec6074024b26e6d71cff
SHA256948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479
-
Filesize
1KB
MD513babc4f212ce635d68da544339c962b
SHA14881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA51240e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
-
Filesize
133KB
MD5a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1dd109ac34beb8289030e4ec0a026297b793f64a3
SHA25679d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA5122a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
-
Filesize
5.2MB
MD5aead90ab96e2853f59be27c4ec1e4853
SHA143cdedde26488d3209e17efff9a51e1f944eb35f
SHA25646cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
-
Filesize
42B
MD5ed3b419c94386a952da318b60459a509
SHA1211feef90b099197ea5f08a165eb254beb9bb7ae
SHA2566cbf238518719c6a42f379cac879e942a726de67e9ecafed8132db82e700404d
SHA5122e571b88165a45d545f0fc8698448257b5dead91165bd6756627d1bce1188c47ed6cea07f0bf80e12a975b5a92194d76ee68cb915ad3f8e132051ceb000a63be
-
Filesize
90KB
MD5d84e7f79f4f0d7074802d2d6e6f3579e
SHA1494937256229ef022ff05855c3d410ac3e7df721
SHA256dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227
SHA512ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260
-
Filesize
113KB
MD575365924730b0b2c1a6ee9028ef07685
SHA1a10687c37deb2ce5422140b541a64ac15534250f
SHA256945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.2MB
MD5f71b342220b8f8935abe5ea0b1e5f30c
SHA1a70d41dbc456d548e790af717575b1f83e3f38b5
SHA256dec8c51c89452b183201e58e4cfceffb0924c4c1f7729841a739086711ff021f
SHA512d6ba2d0eecb2bd70ea727c7bd86cce75fe535e4a7688eb6fc6334e30f568d24d0b6661b8873ddb88c1bb75dbf772fae215b101545ff85e6461a2b05b85dfe05f
-
Filesize
522KB
MD5e31f5136d91bad0fcbce053aac798a30
SHA1ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6