Analysis
max time kernel: 61s
max time network: 64s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-08-2024 17:06
Behavioral task: behavioral1
Sample: Solara Executor V2/Download (RUN FIRST).exe
Resource: win11-20240802-en

Behavioral task: behavioral2
Sample: Solara Executor V2/Solara Executor.exe
Resource: win11-20240802-en
General
Target: Solara Executor V2/Solara Executor.exe
Size: 795KB
MD5: a7f3293b177a63f6c50b5560e729cbff
SHA1: 4885073e4881cffc5c5155de720aa65755418fe8
SHA256: da17868f107954124c0953fd1cb37ac8ed4e78460905e83d6402b966a77ee7dc
SHA512: 70b3431b238457a24e66914d0059e7e8e2dc4f79ac49c9a9c510214b8bc1279af6947288442060ac02c3cf3c863c144ef95219006097d2e59183586f7f701438
SSDEEP: 12288:Hs0xF36Z1LyI6QQsJNOoRQ1jt/Nppxu29CHWzO:xxJ6Z1L5J8oRQ1jt/Nppxv9C2
Malware Config
Signatures
Deletes itself 1 IoCs
Processes:
pid   process
3148  BootstrapperV1.11.exe

Executes dropped EXE 1 IoCs
Processes:
pid   process
3148  BootstrapperV1.11.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow  ioc
1     pastebin.com
2     raw.githubusercontent.com
4     pastebin.com
7     raw.githubusercontent.com
8     pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                           process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   BootstrapperV1.11.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Solara Executor.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   4648  Solara Executor.exe
Token: SeDebugPrivilege   3148  BootstrapperV1.11.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                        pid   process               target process
PID 4648 wrote to memory of 3148   4648  Solara Executor.exe   BootstrapperV1.11.exe
PID 4648 wrote to memory of 3148   4648  Solara Executor.exe   BootstrapperV1.11.exe
PID 4648 wrote to memory of 3148   4648  Solara Executor.exe   BootstrapperV1.11.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4648

  C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe" --isUpdate true
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3148
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 795KB
MD5: 365971e549352a15e150b60294ec2e57
SHA1: 2932242b427e81b1b4ac8c11fb17793eae0939f7
SHA256: faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42
SHA512: f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938