Overview

overview

10

Static

static

10

Solara.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1460s
  • max time network
    1488s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-07-2024 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara.exe

  • Size

    253KB

  • MD5

    9f3f506175ad4d9550bf1aea609694a7

  • SHA1

    6cc35e30d5b40eb1b5d115feec12ec247a84193f

  • SHA256

    7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467

  • SHA512

    b4a691e3b679dac187f1219cff013d3e27a87d55bf10c4744b8aba969a0caac39922dbbf9bce454b87e3e685f5bfa9043ecabacca090650278ab2d081bc2d5cb

  • SSDEEP

    6144:NloZM+rIkd8g+EtXHkv/iD4tTXCl38e1m2i8nUJfEm:PoZtL+EP8kda4mfE

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4868
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      2⤵
      • Views/modifies file attributes
      PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1508
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:3688
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4692
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:3360
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Solara.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:2520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6903d57eed54e89b68ebb957928d1b99

        SHA1

        fade011fbf2e4bc044d41e380cf70bd6a9f73212

        SHA256

        36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

        SHA512

        c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        6490e5c0581c173062323b1c20cfd9ff

        SHA1

        1652893659f99b780fd9733243637eb7795f5212

        SHA256

        a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79

        SHA512

        fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        7332074ae2b01262736b6fbd9e100dac

        SHA1

        22f992165065107cc9417fa4117240d84414a13c

        SHA256

        baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

        SHA512

        4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        2e4ce193b91cf2884816e810206c68d4

        SHA1

        b060d309be5e2ebfec4d8a45629fe9c832b025c0

        SHA256

        287481dc48be90f1a7469ec4bca5f3ee5a323ee5d1c599c1cc4212204b06f909

        SHA512

        5f11b694ecee875b3758e675200af0d42a32c7bec2a4fcb15d823531c7d680b47cd1711d6eb8e1e3ceb48f569b136286777d4ac59edf99c7c7bf51420e072add

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p30mhrai.ahx.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/4036-67-0x000001EF5D0D0000-0x000001EF5D0DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4036-33-0x000001EF5D090000-0x000001EF5D0AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4036-85-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4036-68-0x000001EF5D1E0000-0x000001EF5D1F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4036-2-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4036-31-0x000001EF5D110000-0x000001EF5D186000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4036-32-0x000001EF5D190000-0x000001EF5D1E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4036-0-0x00007FF97DDE3000-0x00007FF97DDE5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4036-1-0x000001EF42940000-0x000001EF42986000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4644-14-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4644-13-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4644-11-0x000001E6532C0000-0x000001E6532E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4644-12-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4644-17-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

        Filesize

        10.8MB

        Download