Overview (score 10)
Static (score 3)

Per-sample scores by platform (sample names are truncated as displayed in the report navigation; the full paths appear in the behavioral task list below):

Sample                     Platform             Score
S0laradD/S0LaraV.exe       windows7-x64         10
S0laradD/S0LaraV.exe       windows10-2004-x64   10
S0laradD/libEGL.dll        windows7-x64         1
S0laradD/libEGL.dll        windows10-2004-x64   1
S0laradD/l...de.ps1        windows7-x64         3
S0laradD/l...de.ps1        windows10-2004-x64   3
S0laradD/l...m.html        windows7-x64         3
S0laradD/l...m.html        windows10-2004-x64   3
S0laradD/l...ng.dll        windows7-x64         1
S0laradD/l...ng.dll        windows10-2004-x64   1
S0laradD/l...ng.dll        windows7-x64         1
S0laradD/l...ng.dll        windows10-2004-x64   1
S0laradD/l...ng.dll        windows7-x64         1
S0laradD/l...ng.dll        windows10-2004-x64   1
S0laradD/l...47.dll        windows10-2004-x64   1
S0laradD/l...de.ps1        windows7-x64         3
S0laradD/l...de.ps1        windows10-2004-x64   3
S0laradD/l...eg.dll        windows7-x64         1
S0laradD/l...eg.dll        windows10-2004-x64   1
S0laradD/l....1.dll        windows7-x64         1
S0laradD/l....1.dll        windows10-2004-x64   1
S0laradD/l...er.dll        windows7-x64         1
S0laradD/l...er.dll        windows10-2004-x64   1
S0laradD/l...-1.dll        windows7-x64         1
S0laradD/l...-1.dll        windows10-2004-x64   1

Analysis

This page shows the run of S0laradD/S0LaraV.exe on the windows7-x64 image (behavioral1 below).

max time kernel: 70s
max time network: 80s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2024, 21:31
Static task: static1

Behavioral tasks

Task          Sample                                                                              Resource
behavioral1   S0laradD/S0LaraV.exe                                                                win7-20240704-en
behavioral2   S0laradD/S0LaraV.exe                                                                win10v2004-20240802-en
behavioral3   S0laradD/libEGL.dll                                                                 win7-20240729-en
behavioral4   S0laradD/libEGL.dll                                                                 win10v2004-20240802-en
behavioral5   S0laradD/locales/locales/de.ps1                                                     win7-20240729-en
behavioral6   S0laradD/locales/locales/de.ps1                                                     win10v2004-20240802-en
behavioral7   S0laradD/locales/resources/LICENSES.chromium.html                                   win7-20240705-en
behavioral8   S0laradD/locales/resources/LICENSES.chromium.html                                   win10v2004-20240802-en
behavioral9   S0laradD/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll         win7-20240704-en
behavioral10  S0laradD/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll         win10v2004-20240802-en
behavioral11  S0laradD/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll     win7-20240708-en
behavioral12  S0laradD/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll     win10v2004-20240802-en
behavioral13  S0laradD/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll  win7-20240708-en
behavioral14  S0laradD/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll  win10v2004-20240802-en
behavioral15  S0laradD/locales/resources/d3dcompiler_47.dll                                       win10v2004-20240802-en
behavioral16  S0laradD/locales/resources/de.ps1                                                   win7-20240705-en
behavioral17  S0laradD/locales/resources/de.ps1                                                   win10v2004-20240802-en
behavioral18  S0laradD/locales/resources/ffmpeg.dll                                               win7-20240729-en
behavioral19  S0laradD/locales/resources/ffmpeg.dll                                               win10v2004-20240802-en
behavioral20  S0laradD/locales/resources/mkl_mc3.1.dll                                            win7-20240708-en
behavioral21  S0laradD/locales/resources/mkl_mc3.1.dll                                            win10v2004-20240802-en
behavioral22  S0laradD/locales/resources/vk_swiftshader.dll                                       win7-20240704-en
behavioral23  S0laradD/locales/resources/vk_swiftshader.dll                                       win10v2004-20240802-en
behavioral24  S0laradD/locales/resources/vulkan-1.dll                                             win7-20240708-en
behavioral25  S0laradD/locales/resources/vulkan-1.dll                                             win10v2004-20240802-en
General

Target: S0laradD/S0LaraV.exe
Size: 1.4MB
MD5: 94f25f446b0b21ffd82fd8b219c7a86f
SHA1: 50ba95c6e5f0960f5cec57047376f8f11192afdc
SHA256: b297d84e4632df8b18e650e51928e05789179cd364efe12411e8aeb4f77ba7e7
SHA512: 18c08c452d5441aad7c0dc98fcfc6a1213a8a159ea5a5eff9d413c96dccf10eb8195e56c304ffebf8b3e50136daf73ea0ec823206505e997cbf035b031e4f6d2
SSDEEP: 24576:Mwbdw0IY9Dy8Y7Twhp3XyANDB/EVCpIwtwjzSnRHLHU+mJpSaGchS9dVMF:LbdR9nY7UhZXyAlB/EsWjjzSRL0hSaTv
Malware Config
(no configuration extracted)

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description             pid   Process          procid_target
  PID 2924 created 1208   2924  Advertising.pif  20
  Read together with the process tree below, where RegAsm.exe (PID 2372) sits directly under Explorer.EXE (PID 1208) while the WriteProcessMemory rows show Advertising.pif (PID 2924) writing to 2372, this means the child was created with a recorded parent other than the process that actually issued the create call. Tools that key only on the recorded parent PID will attribute RegAsm.exe to Explorer.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of a web browser credential store.

Executes dropped EXE (2 IoCs)
  pid   Process
  2924  Advertising.pif
  2372  RegAsm.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2948  cmd.exe
  2924  Advertising.pif
  2372  RegAsm.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  2392  tasklist.exe
  2824  tasklist.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\GraveElectricity      S0LaraV.exe
  File opened for modification  C:\Windows\ResistanceSubsection  S0LaraV.exe
  File opened for modification  C:\Windows\JunkSuspect           S0LaraV.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by (one IoC each): S0LaraV.exe, tasklist.exe, findstr.exe, cmd.exe, findstr.exe, cmd.exe, Advertising.pif, choice.exe, cmd.exe, findstr.exe, tasklist.exe, RegAsm.exe
  Note that the built-in tools in the chain (cmd.exe, findstr.exe, choice.exe, tasklist.exe) trigger this IoC as well, so on its own it is a weak indicator.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2924  Advertising.pif  (5 times)
  2372  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2392  tasklist.exe
  Token: SeDebugPrivilege     2824  tasklist.exe
  Token: SeDebugPrivilege     2372  RegAsm.exe
  Token: SeBackupPrivilege    2372  RegAsm.exe
  Token: SeSecurityPrivilege  2372  RegAsm.exe  (4 times)
  SeDebugPrivilege on tasklist.exe is normal for that tool; the combination on RegAsm.exe, a dropped binary running from %TEMP%, is the notable part.

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2924  Advertising.pif  (3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  2924  Advertising.pif  (3 times)

Suspicious use of WriteProcessMemory (49 IoCs; identical rows collapsed with a count)
  description                        pid   Process          procid_target  count
  PID 3008 wrote to memory of 2948   3008  S0LaraV.exe      29             4
  PID 2948 wrote to memory of 2392   2948  cmd.exe          31             4
  PID 2948 wrote to memory of 2112   2948  cmd.exe          32             4
  PID 2948 wrote to memory of 2824   2948  cmd.exe          34             4
  PID 2948 wrote to memory of 2836   2948  cmd.exe          35             4
  PID 2948 wrote to memory of 2760   2948  cmd.exe          36             4
  PID 2948 wrote to memory of 2752   2948  cmd.exe          37             4
  PID 2948 wrote to memory of 2900   2948  cmd.exe          38             4
  PID 2948 wrote to memory of 2924   2948  cmd.exe          39             4
  PID 2948 wrote to memory of 1248   2948  cmd.exe          40             4
  PID 2924 wrote to memory of 2372   2924  Advertising.pif  41             9
Processes (indentation shows the parent/child depth recorded by the sandbox)

C:\Windows\Explorer.EXE  [PID 1208]
  command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe  [PID 3008]
      command line: "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  [PID 2948]
          command line: "C:\Windows\System32\cmd.exe" /k move Human Human.cmd & Human.cmd & exit
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\tasklist.exe  [PID 2392]
              command line: tasklist
              - Enumerates processes with tasklist
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\findstr.exe  [PID 2112]
              command line: findstr /I "wrsa.exe opssvc.exe"
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\tasklist.exe  [PID 2824]
              command line: tasklist
              - Enumerates processes with tasklist
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\findstr.exe  [PID 2836]
              command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cmd.exe  [PID 2760]
              command line: cmd /c md 437268
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\findstr.exe  [PID 2752]
              command line: findstr /V "ALBUQUERQUEPROGRAMWAREHOUSECAKE" Boolean
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cmd.exe  [PID 2900]
              command line: cmd /c copy /b Answered + Host + Stanford + Tx + Preliminary + Robin + Assigned + Pace 437268\x
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\437268\Advertising.pif  [PID 2924]
              command line: Advertising.pif x
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\choice.exe  [PID 1248]
              command line: choice /d y /t 5
              - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe  [PID 2372]
      command line: C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the chain: S0LaraV.exe starts cmd.exe, which renames the dropped file Human to Human.cmd and runs it. The script then runs tasklist twice and pipes the output through findstr /I against two lists of security-product process names, creates the directory 437268, filters the file Boolean with findstr /V to drop lines containing the marker string, joins eight fragments with copy /b into 437268\x, and launches Advertising.pif with that file as its only argument; choice /d y /t 5 is the cmd idiom for a five-second sleep. RegAsm.exe (PID 2372) is shown at depth 2 under Explorer.EXE because its recorded parent is 1208, but the NtCreateUserProcessOtherParentProcess signature attributes its creation to Advertising.pif (PID 2924), which also wrote to its memory nine times.
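The behaviours in that chain (tasklist output grepped for security-product names, a copy /b join whose output is handed to a .pif in %TEMP%, a child whose recorded parent differs from its creator, and a dropped binary enabling SeBackupPrivilege with SeSecurityPrivilege) are what a detection engineer would turn into rules. The following Python is an added example and is not part of the sandbox report or of the sample: it encodes those checks over an event list constructed from the PIDs, images and command lines shown above. The event fields (pid, ppid, creator, image, cmdline), the `ev` helper and the `PRIV_EVENTS` list are assumptions for the example, not Triage or Sysmon schemas; the AV process names are the ones the sample's own findstr calls search for.

```python
"""Detection checks over the process chain in this report. Added example, not sandbox
output; events are constructed from the PIDs and command lines shown above, and the
field names (pid, ppid, creator, image, cmdline) are an assumed schema."""
import re
from collections import defaultdict

SYS32 = r"C:\Windows\SysWOW64"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Process names the sample's own findstr calls look for (verbatim from the report).
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "bdservicehost.exe", "ekrn.exe", "nswscsvc.exe", "sophoshealth.exe"}


def ev(pid, ppid, image, cmdline, creator=None):
    # ppid: parent recorded on the process object; creator: PID that issued the create call
    return {"pid": pid, "ppid": ppid, "creator": creator or ppid, "image": image, "cmdline": cmdline}


EVENTS = [  # constructed from the report's process tree
    ev(1208, 0, r"C:\Windows\Explorer.EXE", "Explorer.EXE"),
    ev(3008, 1208, TEMP + r"\S0laradD\S0LaraV.exe", '"' + TEMP + r'\S0laradD\S0LaraV.exe"'),
    ev(2948, 3008, SYS32 + r"\cmd.exe",
       r'"C:\Windows\System32\cmd.exe" /k move Human Human.cmd & Human.cmd & exit'),
    ev(2392, 2948, SYS32 + r"\tasklist.exe", "tasklist"),
    ev(2112, 2948, SYS32 + r"\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ev(2824, 2948, SYS32 + r"\tasklist.exe", "tasklist"),
    ev(2836, 2948, SYS32 + r"\findstr.exe", 'findstr /I "avastui.exe avgui.exe '
       'bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"'),
    ev(2760, 2948, SYS32 + r"\cmd.exe", "cmd /c md 437268"),
    ev(2752, 2948, SYS32 + r"\findstr.exe", 'findstr /V "ALBUQUERQUEPROGRAMWAREHOUSECAKE" Boolean'),
    ev(2900, 2948, SYS32 + r"\cmd.exe", r"cmd /c copy /b Answered + Host + Stanford + Tx"
       r" + Preliminary + Robin + Assigned + Pace 437268\x"),
    ev(2924, 2948, TEMP + r"\437268\Advertising.pif", "Advertising.pif x"),
    ev(1248, 2948, SYS32 + r"\choice.exe", "choice /d y /t 5"),
    # recorded parent is Explorer (1208) although Advertising.pif (2924) created it
    ev(2372, 1208, TEMP + r"\437268\RegAsm.exe", TEMP + r"\437268\RegAsm.exe", creator=2924),
]
# (pid, privilege) pairs from the AdjustPrivilegeToken signature, repeats collapsed
PRIV_EVENTS = [(2392, "SeDebugPrivilege"), (2824, "SeDebugPrivilege"), (2372, "SeDebugPrivilege"),
               (2372, "SeBackupPrivilege"), (2372, "SeSecurityPrivilege")]


def spoofed_parents(events):
    """PIDs whose recorded parent is not the process that issued the create call."""
    return [e["pid"] for e in events if e["creator"] and e["creator"] != e["ppid"]]


def av_discovery(events):
    """findstr children grepping for known AV/EDR names beside a tasklist sibling -> {pid: names}."""
    siblings = defaultdict(list)
    for e in events:
        siblings[e["ppid"]].append(e["image"].lower())
    hits = {}
    for e in events:
        if not e["image"].lower().endswith("\\findstr.exe"):
            continue
        if not any(s.endswith("\\tasklist.exe") for s in siblings[e["ppid"]]):
            continue
        quoted = re.findall(r'"([^"]*)"', e["cmdline"])
        matched = sorted({t.lower() for q in quoted for t in q.split()} & AV_PROCESS_NAMES)
        if matched:
            hits[e["pid"]] = matched
    return hits


COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<src>.+?)\s+(?P<dst>\S+)\s*$", re.IGNORECASE)


def staged_payloads(events):
    """copy /b joins of several fragments whose output is then passed as an argument to a
    .pif/.com/.scr image -> [(copy pid, destination, exec pid)]."""
    found = []
    for e in events:
        m = COPY_B.search(e["cmdline"])
        if not m or "+" not in m.group("src"):
            continue
        dst = m.group("dst")
        base = dst.rsplit("\\", 1)[-1].lower()
        for x in events:
            args = [a.lower() for a in x["cmdline"].split()[1:]]
            if x["image"].lower().endswith((".pif", ".com", ".scr")) and base in args:
                found.append((e["pid"], dst, x["pid"]))
    return found


def backup_privilege_abuse(events, priv_events):
    """Images outside C:\\Windows enabling SeBackupPrivilege (read any file regardless of
    its DACL) together with SeSecurityPrivilege (SACL access) -> sorted PIDs."""
    privs = defaultdict(set)
    for pid, name in priv_events:
        privs[pid].add(name)
    image = {e["pid"]: e["image"].lower() for e in events}
    return sorted(pid for pid, s in privs.items()
                  if {"SeBackupPrivilege", "SeSecurityPrivilege"} <= s
                  and not image.get(pid, "").startswith("c:\\windows\\"))


def analyse(events=EVENTS, priv_events=PRIV_EVENTS):
    return {"spoofed_parents": spoofed_parents(events), "av_discovery": av_discovery(events),
            "staged_payloads": staged_payloads(events),
            "backup_privilege": backup_privilege_abuse(events, priv_events)}
```

Run against the constructed events, `analyse()` flags PID 2372 as parent-spoofed, the two findstr processes 2112 and 2836 with the AV names they search for, the copy /b staging into 437268\x executed by Advertising.pif (2924), and RegAsm.exe (2372) for the backup/security privilege pair. The parent-spoofing check only works if the telemetry source records the creating thread's process separately from the parent stored in the process object (kernel process-creation callbacks and ETW do; a tool that walks the parent-PID chain after the fact does not), which is exactly the gap the chain above relies on.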
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads (files extracted from the run; the report lists sizes and hashes only)

- Filesize: 521KB
  MD5: 54935f2d381419ff2a78eeeee06f124a
  SHA1: 64d2866aa20a8497c20617335a7c4ef8e94713b0
  SHA256: 3081fabaafbd97209062f28ede906db57343c2b37536aa59cc758f9b1c63bb2f
  SHA512: fb208c8dba2c8b7cefd1021cf899a6de97a0f6d77ad8aad364a721ac0545cbd5ad1a150841f4c010fc706b5e1d9185d27a2f557aeb4b7f931abe3782f5dcf988

- Filesize: 73KB
  MD5: 97adaa18ffc9c3d996afaf7a6ec33653
  SHA1: 03b1cbf5eeee43979be369f33302046355240fb0
  SHA256: 0ea70b8295a8956b5d10d879c31bd9bc604a144e0cad65d8bde9de35cfcb16c4
  SHA512: 9648b3f2a242120c1407e488a5bd55f5f8778c715e0ebca0aaba38ffc4e0963d2bd04909871dc401f6ca184d15cc10acf4af180b286d85f67a938d128d7b5923

- Filesize: 67KB
  MD5: 9d40f058fdc30184edfe90dc4a0fdceb
  SHA1: 2447b25ad8e6955800e50beeb0d66b5f255d4a86
  SHA256: f9b5c859ad213537f5ea7bfdfa030931dd886370c9125225220d1f98fe14cc09
  SHA512: ccc7396b37b38102575b91be9e4b14a3b9b3992c3c17c1039b20959250161142123e6988fec9d49ae29f2ff0d14b51c897b671e12cffb0083f1546edd3123603

- Filesize: 688B
  MD5: c8343e4d4a3cf84eb8e0c47a2dabc5ec
  SHA1: 301a109cc2c2a8ca1d57220b939729943bc40bbd
  SHA256: 1f0ebb116b1637d77a21af5de4b3e15e5453da3c9b99e5d12fb30384d07cfea5
  SHA512: ff5fbc31f7512c8fdb5cf6a4a9f59e0bb860e49685e85bd0ca69c49627487cc083a3ec7e8d5704e264ad1cd565334c3edd3826a0db2149c42b8959c0e905e672

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 85KB
  MD5: cd68a678e3a100924b8cbf1a134d0929
  SHA1: 8b5660f54e27eb1736957e36a149c0260723d49c
  SHA256: 36784dea2b715f38c63b729041e4655f7f692f468544ac41c670054eaeef20d8
  SHA512: be207886f61b1ee62877ab554214295316cf3ed1ab4a519e0cff8b2983f8fa7edf0346499049b10cd39d9a7e2b8254fd540cfd9b07a812773fb489470d0de82c

- Filesize: 18KB
  MD5: 80c4e29f7b71ecbccdf17c85d427b844
  SHA1: 8872c66cab7af03c6fadc4137cd21c35d7ba7f38
  SHA256: 5429064444a98f21b87d04504b5df4a91455963d57045939a10c74f0c84205fe
  SHA512: 02d91ba93872f75d0801cd902498e4ef67b0ef61696663248b7921a2491aace324d6307e2fdbfe12e824dca8837a2429e40e7b00346fc67a80d36bd4786ee025

- Filesize: 9KB
  MD5: 4302ae9f4ea3cd4fb3606c3303ad3c8b
  SHA1: 67ae7ffe00f2d115366b2dc8f7c7caa60bc59c24
  SHA256: 2b6efcacc38da7e3ad0649fef365bda8d86ae2478a89e17718e1a4348a96fb39
  SHA512: 378cb70c923bf345e8557de2b31fcf556d1bb8bb4801ec27b2a07a3b8ec41d13df6d82c4dfe8ed54ba136613e112cb9ba4e0d9bdd38a60250b7f79941625f032

- Filesize: 71KB
  MD5: a24ae96aa07d2c6aa892d61b91cb67f4
  SHA1: cb49945d3df932bef9c766beef4c10e5b64f537e
  SHA256: 92cb3787e4a6adf3c852e0d2912fcc7ad303fc5d7a40eee099e0b96816c952f5
  SHA512: 040216c7c60dca98db8d32229119bbbe9b584abc172411a906361dfc19f4d6bb7603e0a9d79e294af2e45a4a5596e026c9496193d9b562091558f9926b20fae7

- Filesize: 872KB
  MD5: 37fc3cb2afe89c2b51ad51a47b33cc53
  SHA1: 56fd188aae2fa038f057f60275dde9a046f0533e
  SHA256: 03b38f0cc6992b44f5720942c3372455d4cb0413dfe3b0e3653e0fba9b13fdb0
  SHA512: df98e9c6b6c65bade4ce26ebb71baa6e827781b782f1417eac0b132c2b298a57dbf211ad91900cbf92a069246222c5d69cc6d007426714d705d494682c9e2145

- Filesize: 81KB
  MD5: 391d4d820de03014072c2c4c88e217c1
  SHA1: ea3834fb6dcae5087a915d0e21faedfd2a92d0c1
  SHA256: 3f552d11b921f330efa8609e7fc8d93fb5e8a27cb4f7d937732f50e32808b745
  SHA512: 57f0bba7cdadbe96076ec1a37f9823f06ee6a54d7bd4f3812e85e546cc7f21f4adfaebed927cae6b834a3ab2cb3cb612ffb63cb821294650bedf807b0d2298ab

- Filesize: 83KB
  MD5: 1ad66e0cb95fd94c2b869eb2cc5a3e3c
  SHA1: a049032f248d540811e38762bee68b70b6b9f3b4
  SHA256: 42eb2efe711c0e49933438dbf18d354df4dd77510d1aecb8797848d780fda2d7
  SHA512: ae757e4efaf55f090bed7d5842af81e340c0e0317f95720fb6723457bf4b98f7b16911aa59aa40fefd1d083c44bccc0fe372f81f5097585e7987f001ab0f66ea

- Filesize: 52KB
  MD5: 95cf5e412db3715a766f9427f6b8391e
  SHA1: 6aec9064f647d39d3299e8d4409b96e1956a5e41
  SHA256: 11f782678e3eb3126e6c7ad84f900e3d66c7fbaacbd46e7973599007d39f235e
  SHA512: d2a99112b2e4b27bca0477f41a656066c7d633559315a259e75cb1a82d5c26fb7305a156d64a9ae5bfaecfb131a16e24b902a6d59e4cd905a0b84ec4c7421186

- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- Filesize: 63KB
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab