Overview

overview

10

Static

static

3

S0laradD/S0LaraV.exe

windows7-x64

10

S0laradD/S0LaraV.exe

windows10-2004-x64

10

S0laradD/libEGL.dll

windows7-x64

1

S0laradD/libEGL.dll

windows10-2004-x64

1

S0laradD/l...de.ps1

windows7-x64

3

S0laradD/l...de.ps1

windows10-2004-x64

3

S0laradD/l...m.html

windows7-x64

3

S0laradD/l...m.html

windows10-2004-x64

3

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...ng.dll

windows7-x64

1

S0laradD/l...ng.dll

windows10-2004-x64

1

S0laradD/l...47.dll

windows10-2004-x64

1

S0laradD/l...de.ps1

windows7-x64

3

S0laradD/l...de.ps1

windows10-2004-x64

3

S0laradD/l...eg.dll

windows7-x64

1

S0laradD/l...eg.dll

windows10-2004-x64

1

S0laradD/l....1.dll

windows7-x64

1

S0laradD/l....1.dll

windows10-2004-x64

1

S0laradD/l...er.dll

windows7-x64

1

S0laradD/l...er.dll

windows10-2004-x64

1

S0laradD/l...-1.dll

windows7-x64

1

S0laradD/l...-1.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S0laradD/S0LaraV.exe

  • Size

    1.4MB

  • MD5

    94f25f446b0b21ffd82fd8b219c7a86f

  • SHA1

    50ba95c6e5f0960f5cec57047376f8f11192afdc

  • SHA256

    b297d84e4632df8b18e650e51928e05789179cd364efe12411e8aeb4f77ba7e7

  • SHA512

    18c08c452d5441aad7c0dc98fcfc6a1213a8a159ea5a5eff9d413c96dccf10eb8195e56c304ffebf8b3e50136daf73ea0ec823206505e997cbf035b031e4f6d2

  • SSDEEP

    24576:Mwbdw0IY9Dy8Y7Twhp3XyANDB/EVCpIwtwjzSnRHLHU+mJpSaGchS9dVMF:LbdR9nY7UhZXyAlB/EsWjjzSRL0hSaTv

Score
10/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe
        "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0LaraV.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Human Human.cmd & Human.cmd & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4696
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4884
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 437268
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2316
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "ALBUQUERQUEPROGRAMWAREHOUSECAKE" Boolean
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4504
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Answered + Host + Stanford + Tx + Preliminary + Robin + Assigned + Pace 437268\x
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2948
          • C:\Users\Admin\AppData\Local\Temp\437268\Advertising.pif
            Advertising.pif x
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4060
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1672
      • C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\437268\Advertising.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\437268\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\437268\x
      Filesize

      521KB

      MD5

      54935f2d381419ff2a78eeeee06f124a

      SHA1

      64d2866aa20a8497c20617335a7c4ef8e94713b0

      SHA256

      3081fabaafbd97209062f28ede906db57343c2b37536aa59cc758f9b1c63bb2f

      SHA512

      fb208c8dba2c8b7cefd1021cf899a6de97a0f6d77ad8aad364a721ac0545cbd5ad1a150841f4c010fc706b5e1d9185d27a2f557aeb4b7f931abe3782f5dcf988

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Answered
      Filesize

      73KB

      MD5

      97adaa18ffc9c3d996afaf7a6ec33653

      SHA1

      03b1cbf5eeee43979be369f33302046355240fb0

      SHA256

      0ea70b8295a8956b5d10d879c31bd9bc604a144e0cad65d8bde9de35cfcb16c4

      SHA512

      9648b3f2a242120c1407e488a5bd55f5f8778c715e0ebca0aaba38ffc4e0963d2bd04909871dc401f6ca184d15cc10acf4af180b286d85f67a938d128d7b5923

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Assigned
      Filesize

      67KB

      MD5

      9d40f058fdc30184edfe90dc4a0fdceb

      SHA1

      2447b25ad8e6955800e50beeb0d66b5f255d4a86

      SHA256

      f9b5c859ad213537f5ea7bfdfa030931dd886370c9125225220d1f98fe14cc09

      SHA512

      ccc7396b37b38102575b91be9e4b14a3b9b3992c3c17c1039b20959250161142123e6988fec9d49ae29f2ff0d14b51c897b671e12cffb0083f1546edd3123603

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Boolean
      Filesize

      688B

      MD5

      c8343e4d4a3cf84eb8e0c47a2dabc5ec

      SHA1

      301a109cc2c2a8ca1d57220b939729943bc40bbd

      SHA256

      1f0ebb116b1637d77a21af5de4b3e15e5453da3c9b99e5d12fb30384d07cfea5

      SHA512

      ff5fbc31f7512c8fdb5cf6a4a9f59e0bb860e49685e85bd0ca69c49627487cc083a3ec7e8d5704e264ad1cd565334c3edd3826a0db2149c42b8959c0e905e672

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Host
      Filesize

      85KB

      MD5

      cd68a678e3a100924b8cbf1a134d0929

      SHA1

      8b5660f54e27eb1736957e36a149c0260723d49c

      SHA256

      36784dea2b715f38c63b729041e4655f7f692f468544ac41c670054eaeef20d8

      SHA512

      be207886f61b1ee62877ab554214295316cf3ed1ab4a519e0cff8b2983f8fa7edf0346499049b10cd39d9a7e2b8254fd540cfd9b07a812773fb489470d0de82c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Human
      Filesize

      18KB

      MD5

      80c4e29f7b71ecbccdf17c85d427b844

      SHA1

      8872c66cab7af03c6fadc4137cd21c35d7ba7f38

      SHA256

      5429064444a98f21b87d04504b5df4a91455963d57045939a10c74f0c84205fe

      SHA512

      02d91ba93872f75d0801cd902498e4ef67b0ef61696663248b7921a2491aace324d6307e2fdbfe12e824dca8837a2429e40e7b00346fc67a80d36bd4786ee025

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Pace
      Filesize

      9KB

      MD5

      4302ae9f4ea3cd4fb3606c3303ad3c8b

      SHA1

      67ae7ffe00f2d115366b2dc8f7c7caa60bc59c24

      SHA256

      2b6efcacc38da7e3ad0649fef365bda8d86ae2478a89e17718e1a4348a96fb39

      SHA512

      378cb70c923bf345e8557de2b31fcf556d1bb8bb4801ec27b2a07a3b8ec41d13df6d82c4dfe8ed54ba136613e112cb9ba4e0d9bdd38a60250b7f79941625f032

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Preliminary
      Filesize

      71KB

      MD5

      a24ae96aa07d2c6aa892d61b91cb67f4

      SHA1

      cb49945d3df932bef9c766beef4c10e5b64f537e

      SHA256

      92cb3787e4a6adf3c852e0d2912fcc7ad303fc5d7a40eee099e0b96816c952f5

      SHA512

      040216c7c60dca98db8d32229119bbbe9b584abc172411a906361dfc19f4d6bb7603e0a9d79e294af2e45a4a5596e026c9496193d9b562091558f9926b20fae7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Publicity
      Filesize

      872KB

      MD5

      37fc3cb2afe89c2b51ad51a47b33cc53

      SHA1

      56fd188aae2fa038f057f60275dde9a046f0533e

      SHA256

      03b38f0cc6992b44f5720942c3372455d4cb0413dfe3b0e3653e0fba9b13fdb0

      SHA512

      df98e9c6b6c65bade4ce26ebb71baa6e827781b782f1417eac0b132c2b298a57dbf211ad91900cbf92a069246222c5d69cc6d007426714d705d494682c9e2145

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Robin
      Filesize

      81KB

      MD5

      391d4d820de03014072c2c4c88e217c1

      SHA1

      ea3834fb6dcae5087a915d0e21faedfd2a92d0c1

      SHA256

      3f552d11b921f330efa8609e7fc8d93fb5e8a27cb4f7d937732f50e32808b745

      SHA512

      57f0bba7cdadbe96076ec1a37f9823f06ee6a54d7bd4f3812e85e546cc7f21f4adfaebed927cae6b834a3ab2cb3cb612ffb63cb821294650bedf807b0d2298ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stanford
      Filesize

      83KB

      MD5

      1ad66e0cb95fd94c2b869eb2cc5a3e3c

      SHA1

      a049032f248d540811e38762bee68b70b6b9f3b4

      SHA256

      42eb2efe711c0e49933438dbf18d354df4dd77510d1aecb8797848d780fda2d7

      SHA512

      ae757e4efaf55f090bed7d5842af81e340c0e0317f95720fb6723457bf4b98f7b16911aa59aa40fefd1d083c44bccc0fe372f81f5097585e7987f001ab0f66ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tx
      Filesize

      52KB

      MD5

      95cf5e412db3715a766f9427f6b8391e

      SHA1

      6aec9064f647d39d3299e8d4409b96e1956a5e41

      SHA256

      11f782678e3eb3126e6c7ad84f900e3d66c7fbaacbd46e7973599007d39f235e

      SHA512

      d2a99112b2e4b27bca0477f41a656066c7d633559315a259e75cb1a82d5c26fb7305a156d64a9ae5bfaecfb131a16e24b902a6d59e4cd905a0b84ec4c7421186

      Download Submit

    • memory/1052-37-0x0000000008680000-0x0000000008C98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1052-40-0x0000000008170000-0x00000000081AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1052-35-0x0000000004F60000-0x0000000004FF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1052-36-0x0000000005020000-0x000000000502A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1052-31-0x0000000000900000-0x0000000000960000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1052-38-0x00000000081E0000-0x00000000082EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1052-39-0x0000000008110000-0x0000000008122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1052-34-0x0000000005430000-0x00000000059D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1052-41-0x00000000082F0000-0x000000000833C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1052-42-0x0000000008D10000-0x0000000008D76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1052-43-0x0000000009200000-0x0000000009276000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1052-44-0x00000000091A0000-0x00000000091BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1052-45-0x0000000009A80000-0x0000000009C42000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1052-46-0x000000000A180000-0x000000000A6AC000-memory.dmp

      Filesize

      5.2MB

      Download