Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02-08-2024 17:14
Behavioral task
behavioral1
Sample
SolaraBootstrapper.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
SolaraBootstrapper.exe
Resource
win10v2004-20240802-en
General
-
Target
SolaraBootstrapper.exe
-
Size
303KB
-
MD5
7553c649cdd15e01bc47cfa2dc88fdae
-
SHA1
1ad33f546146e52d05e667f0907262c1e55cb958
-
SHA256
12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6
-
SHA512
b40c066725b3f9ece6f75dd11598ad73f702b608253a4fa990774d2a61433b7a8218e19c3f5b348b62d18f533069f0cb228bcd5904497e98cd8f77d94a9d1849
-
SSDEEP
6144:k1E0T6MDdbICydeB1MnyCvG/9GzC6jmA1D0Kzp:k1z6yCvGFG+Y1Dtp
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2912 SolaraBootstrapper.exe 2912 SolaraBootstrapper.exe 2912 SolaraBootstrapper.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2912 SolaraBootstrapper.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2912 wrote to memory of 1788 2912 SolaraBootstrapper.exe 30 PID 2912 wrote to memory of 1788 2912 SolaraBootstrapper.exe 30 PID 2912 wrote to memory of 1788 2912 SolaraBootstrapper.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2912 -s 9442⤵PID:1788
-