Analysis

  • max time kernel
    61s
  • max time network
    64s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-08-2024 17:06

General

  • Target

    Solara Executor V2/Solara Executor.exe

  • Size

    795KB

  • MD5

    a7f3293b177a63f6c50b5560e729cbff

  • SHA1

    4885073e4881cffc5c5155de720aa65755418fe8

  • SHA256

    da17868f107954124c0953fd1cb37ac8ed4e78460905e83d6402b966a77ee7dc

  • SHA512

    70b3431b238457a24e66914d0059e7e8e2dc4f79ac49c9a9c510214b8bc1279af6947288442060ac02c3cf3c863c144ef95219006097d2e59183586f7f701438

  • SSDEEP

    12288:Hs0xF36Z1LyI6QQsJNOoRQ1jt/Nppxu29CHWzO:xxJ6Z1L5J8oRQ1jt/Nppxv9C2

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe" --isUpdate true
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe

    Filesize

    795KB

    MD5

    365971e549352a15e150b60294ec2e57

    SHA1

    2932242b427e81b1b4ac8c11fb17793eae0939f7

    SHA256

    faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

    SHA512

    f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

  • memory/3148-18-0x00000000005D0000-0x000000000069E000-memory.dmp

    Filesize

    824KB

  • memory/3148-19-0x00000000742D0000-0x0000000074A81000-memory.dmp

    Filesize

    7.7MB

  • memory/3148-20-0x00000000742D0000-0x0000000074A81000-memory.dmp

    Filesize

    7.7MB

  • memory/3148-21-0x00000000742D0000-0x0000000074A81000-memory.dmp

    Filesize

    7.7MB

  • memory/4648-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

    Filesize

    4KB

  • memory/4648-1-0x0000000000290000-0x000000000035E000-memory.dmp

    Filesize

    824KB

  • memory/4648-2-0x00000000742D0000-0x0000000074A81000-memory.dmp

    Filesize

    7.7MB

  • memory/4648-3-0x00000000057F0000-0x0000000005812000-memory.dmp

    Filesize

    136KB

  • memory/4648-4-0x0000000005820000-0x0000000005B77000-memory.dmp

    Filesize

    3.3MB

  • memory/4648-16-0x00000000742D0000-0x0000000074A81000-memory.dmp

    Filesize

    7.7MB