Analysis Overview
SHA256
c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Reported | 2024-07-03 21:54 |
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-03 21:54 |
| Reported | 2024-07-03 21:57 |
| Platform | win10-20240404-en |
| Max time kernel | 134s |
| Max time network | 136s |
| Command Line | |
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4912 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 4912 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 4912 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 4568 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4568 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4568 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp333B.tmp" /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | anyone-blogging.gl.at.ply.gg | udp |
| US | 147.185.221.20:22284 | anyone-blogging.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/4912-0-0x000000007324E000-0x000000007324F000-memory.dmp
memory/4912-1-0x0000000000EE0000-0x0000000000EF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
| MD5 | 13325ceba29ec848cee74cc4b4c34816 |
| SHA1 | 7c7408870da2fe079aa460fe0d237e12e19cb7cb |
| SHA256 | c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54 |
| SHA512 | e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solara.exe.log
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |
memory/4568-9-0x0000000073240000-0x000000007392E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp333B.tmp
| MD5 | 47a3be81106e2974e9b79d6a2f27511d |
| SHA1 | 5ed116b9007692dfaeb191ee6a47a835cfc2abff |
| SHA256 | f9d62fcb5ea3db4838a0aad4605be0deb88b808d2dc44563bc3a62cdf077f808 |
| SHA512 | e8f583fbb98489b0936301ca7ae2962af8d8292115ca9591dcefb2efd269190f01b9931a3856dfcc74562d34c291ef59fa233aeea11eaf0bd5e34f125b44f8a4 |
memory/4568-12-0x0000000073240000-0x000000007392E000-memory.dmp
memory/4568-13-0x0000000073240000-0x000000007392E000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-03 21:54 |
| Reported | 2024-07-03 21:57 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 145s |
| Max time network | 94s |
| Command Line | |
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1300 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 1300 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 1300 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 4172 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4172 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4172 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4650.tmp" /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anyone-blogging.gl.at.ply.gg | udp |
| US | 147.185.221.20:22284 | anyone-blogging.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1300-0-0x000000007449E000-0x000000007449F000-memory.dmp
memory/1300-1-0x0000000000620000-0x0000000000632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
| MD5 | 13325ceba29ec848cee74cc4b4c34816 |
| SHA1 | 7c7408870da2fe079aa460fe0d237e12e19cb7cb |
| SHA256 | c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54 |
| SHA512 | e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220 |
memory/4172-14-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/4172-15-0x0000000074490000-0x0000000074C40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4650.tmp
| MD5 | 47a3be81106e2974e9b79d6a2f27511d |
| SHA1 | 5ed116b9007692dfaeb191ee6a47a835cfc2abff |
| SHA256 | f9d62fcb5ea3db4838a0aad4605be0deb88b808d2dc44563bc3a62cdf077f808 |
| SHA512 | e8f583fbb98489b0936301ca7ae2962af8d8292115ca9591dcefb2efd269190f01b9931a3856dfcc74562d34c291ef59fa233aeea11eaf0bd5e34f125b44f8a4 |
memory/4172-18-0x0000000074490000-0x0000000074C40000-memory.dmp
Analysis: behavioral3
Detonation Overview
| Submitted | 2024-07-03 21:54 |
| Reported | 2024-07-03 21:57 |
| Platform | win11-20240611-en |
| Max time kernel | 148s |
| Max time network | 150s |
| Command Line | |
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3092 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 3092 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 3092 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe |
| PID 4272 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4272 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4272 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4575.tmp" /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | anyone-blogging.gl.at.ply.gg | udp |
| US | 147.185.221.20:22284 | anyone-blogging.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3092-0-0x00000000751CE000-0x00000000751CF000-memory.dmp
memory/3092-1-0x0000000000A50000-0x0000000000A62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
| MD5 | 13325ceba29ec848cee74cc4b4c34816 |
| SHA1 | 7c7408870da2fe079aa460fe0d237e12e19cb7cb |
| SHA256 | c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54 |
| SHA512 | e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solara.exe.log
| MD5 | 1294de804ea5400409324a82fdc7ec59 |
| SHA1 | 9a39506bc6cadf99c1f2129265b610c69d1518f7 |
| SHA256 | 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0 |
| SHA512 | 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1 |
memory/4272-15-0x00000000751C0000-0x0000000075971000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4575.tmp
| MD5 | 47a3be81106e2974e9b79d6a2f27511d |
| SHA1 | 5ed116b9007692dfaeb191ee6a47a835cfc2abff |
| SHA256 | f9d62fcb5ea3db4838a0aad4605be0deb88b808d2dc44563bc3a62cdf077f808 |
| SHA512 | e8f583fbb98489b0936301ca7ae2962af8d8292115ca9591dcefb2efd269190f01b9931a3856dfcc74562d34c291ef59fa233aeea11eaf0bd5e34f125b44f8a4 |
memory/4272-18-0x00000000751C0000-0x0000000075971000-memory.dmp
memory/4272-19-0x00000000751C0000-0x0000000075971000-memory.dmp