Overview

overview

10

Static

static

3

S0laradD/S0LaraV.exe

windows7-x64

10

S0laradD/S0LaraV.exe

windows10-2004-x64

10

S0laradD/libEGL.dll

windows7-x64

1

S0laradD/libEGL.dll

windows10-2004-x64

1

S0laradD/l...de.ps1

windows7-x64

3

S0laradD/l...de.ps1

windows10-2004-x64

3

S0laradD/l...m.html

windows7-x64

3

S0laradD/l...m.html

windows10-2004-x64

3

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...47.dll

windows10-2004-x64

1

S0laradD/l...de.ps1

windows7-x64

3

S0laradD/l...de.ps1

windows10-2004-x64

3

S0laradD/l...eg.dll

windows7-x64

1

S0laradD/l...eg.dll

windows10-2004-x64

1

S0laradD/l....1.dll

windows7-x64

1

S0laradD/l....1.dll

windows10-2004-x64

1

S0laradD/l...er.dll

windows7-x64

1

S0laradD/l...er.dll

windows10-2004-x64

1

S0laradD/l...-1.dll

windows7-x64

1

S0laradD/l...-1.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    70s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    05/08/2024, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S0laradD/S0LaraV.exe

  • Size

    1.4MB

  • MD5

    94f25f446b0b21ffd82fd8b219c7a86f

  • SHA1

    50ba95c6e5f0960f5cec57047376f8f11192afdc

  • SHA256

    b297d84e4632df8b18e650e51928e05789179cd364efe12411e8aeb4f77ba7e7

  • SHA512

    18c08c452d5441aad7c0dc98fcfc6a1213a8a159ea5a5eff9d413c96dccf10eb8195e56c304ffebf8b3e50136daf73ea0ec823206505e997cbf035b031e4f6d2

  • SSDEEP

    24576:Mwbdw0IY9Dy8Y7Twhp3XyANDB/EVCpIwtwjzSnRHLHU+mJpSaGchS9dVMF:LbdR9nY7UhZXyAlB/EsWjjzSRL0hSaTv

Score
10/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe
        "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Human Human.cmd & Human.cmd & exit
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2112
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2836
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 437268
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2760
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "ALBUQUERQUEPROGRAMWAREHOUSECAKE" Boolean
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Answered + Host + Stanford + Tx + Preliminary + Robin + Assigned + Pace 437268\x
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2900
          • C:\Users\Admin\AppData\Local\Temp\437268\Advertising.pif
            Advertising.pif x
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2924
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1248
      • C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\437268\x
      Filesize

      521KB

      MD5

      54935f2d381419ff2a78eeeee06f124a

      SHA1

      64d2866aa20a8497c20617335a7c4ef8e94713b0

      SHA256

      3081fabaafbd97209062f28ede906db57343c2b37536aa59cc758f9b1c63bb2f

      SHA512

      fb208c8dba2c8b7cefd1021cf899a6de97a0f6d77ad8aad364a721ac0545cbd5ad1a150841f4c010fc706b5e1d9185d27a2f557aeb4b7f931abe3782f5dcf988

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Answered
      Filesize

      73KB

      MD5

      97adaa18ffc9c3d996afaf7a6ec33653

      SHA1

      03b1cbf5eeee43979be369f33302046355240fb0

      SHA256

      0ea70b8295a8956b5d10d879c31bd9bc604a144e0cad65d8bde9de35cfcb16c4

      SHA512

      9648b3f2a242120c1407e488a5bd55f5f8778c715e0ebca0aaba38ffc4e0963d2bd04909871dc401f6ca184d15cc10acf4af180b286d85f67a938d128d7b5923

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Assigned
      Filesize

      67KB

      MD5

      9d40f058fdc30184edfe90dc4a0fdceb

      SHA1

      2447b25ad8e6955800e50beeb0d66b5f255d4a86

      SHA256

      f9b5c859ad213537f5ea7bfdfa030931dd886370c9125225220d1f98fe14cc09

      SHA512

      ccc7396b37b38102575b91be9e4b14a3b9b3992c3c17c1039b20959250161142123e6988fec9d49ae29f2ff0d14b51c897b671e12cffb0083f1546edd3123603

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Boolean
      Filesize

      688B

      MD5

      c8343e4d4a3cf84eb8e0c47a2dabc5ec

      SHA1

      301a109cc2c2a8ca1d57220b939729943bc40bbd

      SHA256

      1f0ebb116b1637d77a21af5de4b3e15e5453da3c9b99e5d12fb30384d07cfea5

      SHA512

      ff5fbc31f7512c8fdb5cf6a4a9f59e0bb860e49685e85bd0ca69c49627487cc083a3ec7e8d5704e264ad1cd565334c3edd3826a0db2149c42b8959c0e905e672

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9C13.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Host
      Filesize

      85KB

      MD5

      cd68a678e3a100924b8cbf1a134d0929

      SHA1

      8b5660f54e27eb1736957e36a149c0260723d49c

      SHA256

      36784dea2b715f38c63b729041e4655f7f692f468544ac41c670054eaeef20d8

      SHA512

      be207886f61b1ee62877ab554214295316cf3ed1ab4a519e0cff8b2983f8fa7edf0346499049b10cd39d9a7e2b8254fd540cfd9b07a812773fb489470d0de82c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Human
      Filesize

      18KB

      MD5

      80c4e29f7b71ecbccdf17c85d427b844

      SHA1

      8872c66cab7af03c6fadc4137cd21c35d7ba7f38

      SHA256

      5429064444a98f21b87d04504b5df4a91455963d57045939a10c74f0c84205fe

      SHA512

      02d91ba93872f75d0801cd902498e4ef67b0ef61696663248b7921a2491aace324d6307e2fdbfe12e824dca8837a2429e40e7b00346fc67a80d36bd4786ee025

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Pace
      Filesize

      9KB

      MD5

      4302ae9f4ea3cd4fb3606c3303ad3c8b

      SHA1

      67ae7ffe00f2d115366b2dc8f7c7caa60bc59c24

      SHA256

      2b6efcacc38da7e3ad0649fef365bda8d86ae2478a89e17718e1a4348a96fb39

      SHA512

      378cb70c923bf345e8557de2b31fcf556d1bb8bb4801ec27b2a07a3b8ec41d13df6d82c4dfe8ed54ba136613e112cb9ba4e0d9bdd38a60250b7f79941625f032

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Preliminary
      Filesize

      71KB

      MD5

      a24ae96aa07d2c6aa892d61b91cb67f4

      SHA1

      cb49945d3df932bef9c766beef4c10e5b64f537e

      SHA256

      92cb3787e4a6adf3c852e0d2912fcc7ad303fc5d7a40eee099e0b96816c952f5

      SHA512

      040216c7c60dca98db8d32229119bbbe9b584abc172411a906361dfc19f4d6bb7603e0a9d79e294af2e45a4a5596e026c9496193d9b562091558f9926b20fae7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Publicity
      Filesize

      872KB

      MD5

      37fc3cb2afe89c2b51ad51a47b33cc53

      SHA1

      56fd188aae2fa038f057f60275dde9a046f0533e

      SHA256

      03b38f0cc6992b44f5720942c3372455d4cb0413dfe3b0e3653e0fba9b13fdb0

      SHA512

      df98e9c6b6c65bade4ce26ebb71baa6e827781b782f1417eac0b132c2b298a57dbf211ad91900cbf92a069246222c5d69cc6d007426714d705d494682c9e2145

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Robin
      Filesize

      81KB

      MD5

      391d4d820de03014072c2c4c88e217c1

      SHA1

      ea3834fb6dcae5087a915d0e21faedfd2a92d0c1

      SHA256

      3f552d11b921f330efa8609e7fc8d93fb5e8a27cb4f7d937732f50e32808b745

      SHA512

      57f0bba7cdadbe96076ec1a37f9823f06ee6a54d7bd4f3812e85e546cc7f21f4adfaebed927cae6b834a3ab2cb3cb612ffb63cb821294650bedf807b0d2298ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stanford
      Filesize

      83KB

      MD5

      1ad66e0cb95fd94c2b869eb2cc5a3e3c

      SHA1

      a049032f248d540811e38762bee68b70b6b9f3b4

      SHA256

      42eb2efe711c0e49933438dbf18d354df4dd77510d1aecb8797848d780fda2d7

      SHA512

      ae757e4efaf55f090bed7d5842af81e340c0e0317f95720fb6723457bf4b98f7b16911aa59aa40fefd1d083c44bccc0fe372f81f5097585e7987f001ab0f66ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tx
      Filesize

      52KB

      MD5

      95cf5e412db3715a766f9427f6b8391e

      SHA1

      6aec9064f647d39d3299e8d4409b96e1956a5e41

      SHA256

      11f782678e3eb3126e6c7ad84f900e3d66c7fbaacbd46e7973599007d39f235e

      SHA512

      d2a99112b2e4b27bca0477f41a656066c7d633559315a259e75cb1a82d5c26fb7305a156d64a9ae5bfaecfb131a16e24b902a6d59e4cd905a0b84ec4c7421186

      Download Submit

    • \Users\Admin\AppData\Local\Temp\437268\Advertising.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
      Filesize

      63KB

      MD5

      b58b926c3574d28d5b7fdd2ca3ec30d5

      SHA1

      d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

      SHA256

      6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

      SHA512

      b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

      Download Submit

    • memory/2372-35-0x00000000000D0000-0x0000000000130000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-38-0x00000000000D0000-0x0000000000130000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-37-0x00000000000D0000-0x0000000000130000-memory.dmp

      Filesize

      384KB

      Download