Analysis
-
max time kernel
136s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
04-07-2024 17:22
Behavioral task
behavioral1
Sample
Solara.exe
Resource
win7-20240508-en
General
-
Target
Solara.exe
-
Size
45KB
-
MD5
13325ceba29ec848cee74cc4b4c34816
-
SHA1
7c7408870da2fe079aa460fe0d237e12e19cb7cb
-
SHA256
c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54
-
SHA512
e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220
-
SSDEEP
768:JdhO/poiiUcjlJInRJH9Xqk5nWEZ5SbTDaNWI7CPW5A:Hw+jjgnrH9XqcnW85SbTsWIY
Malware Config
Extracted
xenorat
anyone-blogging.gl.at.ply.gg
Xeno_rat_nd8912d
-
delay
500
-
install_path
temp
-
port
22284
-
startup_name
Windows
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
1816  Solara.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2156  Solara.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3048  schtasks.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process     procid_target
PID 2156 wrote to memory of 1816  2156  Solara.exe  28
PID 2156 wrote to memory of 1816  2156  Solara.exe  28
PID 2156 wrote to memory of 1816  2156  Solara.exe  28
PID 2156 wrote to memory of 1816  2156  Solara.exe  28
PID 1816 wrote to memory of 3048  1816  Solara.exe  29
PID 1816 wrote to memory of 3048  1816  Solara.exe  29
PID 1816 wrote to memory of 3048  1816  Solara.exe  29
PID 1816 wrote to memory of 3048  1816  Solara.exe  29
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Solara.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2156
   2. C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\Solara.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1816
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20D9.tmp" /F
         - Scheduled Task/Job: Scheduled Task
         PID: 3048
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
45KB
MD5
13325ceba29ec848cee74cc4b4c34816
SHA1
7c7408870da2fe079aa460fe0d237e12e19cb7cb
SHA256
c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54
SHA512
e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220
-
Filesize
1KB
MD5
47a3be81106e2974e9b79d6a2f27511d
SHA1
5ed116b9007692dfaeb191ee6a47a835cfc2abff
SHA256
f9d62fcb5ea3db4838a0aad4605be0deb88b808d2dc44563bc3a62cdf077f808
SHA512
e8f583fbb98489b0936301ca7ae2962af8d8292115ca9591dcefb2efd269190f01b9931a3856dfcc74562d34c291ef59fa233aeea11eaf0bd5e34f125b44f8a4