Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
SolaraB2.zip
-
Size
278KB
-
Sample
240719-kj61qa1hrl
-
MD5
ea418b261e24a56105a6d328b60e9cc7
-
SHA1
4f89568a40fff23b381eb1009a764cc7eaf6580c
-
SHA256
da9098d4713d46c44b95758bdf17e3d2fa1633b3130c7be47b7111132dc051ff
-
SHA512
95a04802ae713e00940b6ddb55bc75ea7d3450cf31b5fb9d55f0b44aa3629bbf2695d979e1cdef244b4df987db89475cb7185f648cdaffbaa8189e3187dcc8de
-
SSDEEP
6144:eZJBeDFmH5elET2OhI16sf2YtiQFhL+SV0zZ5NnFJw:IJkFmH36h6seLQFhwfw
Static task
static1
Behavioral task
behavioral1
Sample
SolaraB2/Solara/SolaraBootstrapper.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
SolaraB2/Solara/SolaraBootstrapper.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
SolaraB2/Solara/SolaraBootstrapper.exe
-
Size
797KB
-
MD5
36b62ba7d1b5e149a2c297f11e0417ee
-
SHA1
ce1b828476274375e632542c4842a6b002955603
-
SHA256
8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
-
SHA512
fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
SSDEEP
12288:n1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:1mzgH385QojA1j855xSHI
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1