1bdce2be61df84567504c706cb0eeb062f6015ea06ba42bb377d2122bc6d947e

Analysis

max time kernel
45s
max time network
45s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOLARA_BOOTSTRAPPER.exe
Size

10.8MB
MD5

dc0b24683e554ffa578ebb8e7da694a5
SHA1

dae13b006b67028242ace5f0714cc6886482f85e
SHA256

1bdce2be61df84567504c706cb0eeb062f6015ea06ba42bb377d2122bc6d947e
SHA512

96fd4de7e907ba8c42a9f60e6d2796b464f5f96388115aa75706222a2a01dda1880732a8d49137cb44c5c97e48680267fa39123a6ae74385a6d00b765f9e0d74
SSDEEP

196608:eoGi6UfOF5zhL90lbT/9n9Lz3S1bA7gBUJOduAalIAA8ke/gN:XvGFZRabTl93S1bkgBUJOVl18T/gN

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2632	SOLARA_BOOTSTRAPPER.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019624-48.dat	upx
behavioral1/memory/2632-50-0x000007FEF5AA0000-0x000007FEF6089000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"	sidebar.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	sidebar.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	sidebar.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2632	2092	SOLARA_BOOTSTRAPPER.exe	31
PID 2092 wrote to memory of 2632	2092	SOLARA_BOOTSTRAPPER.exe	31
PID 2092 wrote to memory of 2632	2092	SOLARA_BOOTSTRAPPER.exe	31

C:\Users\Admin\AppData\Local\Temp\SOLARA_BOOTSTRAPPER.exe
"C:\Users\Admin\AppData\Local\Temp\SOLARA_BOOTSTRAPPER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\SOLARA_BOOTSTRAPPER.exe
  "C:\Users\Admin\AppData\Local\Temp\SOLARA_BOOTSTRAPPER.exe"
  2⤵
  - Loads dropped DLL
  PID:2632

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20922\python311.dll

Filesize
1.6MB

MD5
cc7263ad1e3a5bfe4777091b86ee072d

SHA1
2c93207d75f3bdeb95f13084c43dda3762c9edf0

SHA256
b25f6cd48dd3f6107f7c546a151ec60b82330456d2d879d08164b8cce33460e0

SHA512
8c819a884480a67deaad45b943f50ee4c2893288a90facce5784b716e4486da7e776b5a0a6c006a9db6107256c253a9767eedbaa27e5f09a09dc537531e76c4a

Download Submit
memory/2632-50-0x000007FEF5AA0000-0x000007FEF6089000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads