cbb42eaaddfd95d52e8a961d5689bb93d3073a79ce7704012e8442d0a3a8e2ba

Analysis

max time kernel
36s
max time network
40s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara/Solara/SolaraV2.exe
Size

23.0MB
MD5

f8df38b9c3e3623d532963d19fbd9aef
SHA1

2ee2d919d64ab6d7f0f1f9758cb93a40b209893e
SHA256

3edb793c12e214934185468759e37d9735deb7cdc70cab88d1e25a5ee986eb01
SHA512

a2487d9f1a7cce0aa49175c14cf9febbc68bf6f6bd559dc92c554b51eea4427c9caec7ddaffc7177b0cbc7600452ce79e44897e84bfc3ee9dc9183e01a7bb4c2
SSDEEP

24576:upZHY7WrA+vr7mXoLDEQmzlVjrRRUutP9L8g21FirU2rwMGBCF9W7W:GHY7WUSmXoLDEQ8TRKmPY1FirEXC7

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1520 created 1344	1520	Argument.pif	20

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
1520	Argument.pif
1160	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	cmd.exe
1520	Argument.pif
1160	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2296	tasklist.exe
2896	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GraceProt	SolaraV2.exe
File opened for modification	C:\Windows\MarkingRational	SolaraV2.exe
File opened for modification	C:\Windows\CalendarLogistics	SolaraV2.exe
File opened for modification	C:\Windows\OnlyDot	SolaraV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Argument.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1520	Argument.pif
1520	Argument.pif
1520	Argument.pif
1520	Argument.pif
1520	Argument.pif
1160	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	tasklist.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	1160	RegAsm.exe
Token: SeBackupPrivilege	1160	RegAsm.exe
Token: SeSecurityPrivilege	1160	RegAsm.exe
Token: SeSecurityPrivilege	1160	RegAsm.exe
Token: SeSecurityPrivilege	1160	RegAsm.exe
Token: SeSecurityPrivilege	1160	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1520	Argument.pif
1520	Argument.pif
1520	Argument.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1520	Argument.pif
1520	Argument.pif
1520	Argument.pif

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2776	2132	SolaraV2.exe	29
PID 2132 wrote to memory of 2776	2132	SolaraV2.exe	29
PID 2132 wrote to memory of 2776	2132	SolaraV2.exe	29
PID 2132 wrote to memory of 2776	2132	SolaraV2.exe	29
PID 2776 wrote to memory of 2296	2776	cmd.exe	31
PID 2776 wrote to memory of 2296	2776	cmd.exe	31
PID 2776 wrote to memory of 2296	2776	cmd.exe	31
PID 2776 wrote to memory of 2296	2776	cmd.exe	31
PID 2776 wrote to memory of 2788	2776	cmd.exe	32
PID 2776 wrote to memory of 2788	2776	cmd.exe	32
PID 2776 wrote to memory of 2788	2776	cmd.exe	32
PID 2776 wrote to memory of 2788	2776	cmd.exe	32
PID 2776 wrote to memory of 2896	2776	cmd.exe	34
PID 2776 wrote to memory of 2896	2776	cmd.exe	34
PID 2776 wrote to memory of 2896	2776	cmd.exe	34
PID 2776 wrote to memory of 2896	2776	cmd.exe	34
PID 2776 wrote to memory of 2336	2776	cmd.exe	35
PID 2776 wrote to memory of 2336	2776	cmd.exe	35
PID 2776 wrote to memory of 2336	2776	cmd.exe	35
PID 2776 wrote to memory of 2336	2776	cmd.exe	35
PID 2776 wrote to memory of 2800	2776	cmd.exe	36
PID 2776 wrote to memory of 2800	2776	cmd.exe	36
PID 2776 wrote to memory of 2800	2776	cmd.exe	36
PID 2776 wrote to memory of 2800	2776	cmd.exe	36
PID 2776 wrote to memory of 2808	2776	cmd.exe	37
PID 2776 wrote to memory of 2808	2776	cmd.exe	37
PID 2776 wrote to memory of 2808	2776	cmd.exe	37
PID 2776 wrote to memory of 2808	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	38
PID 2776 wrote to memory of 2636	2776	cmd.exe	38
PID 2776 wrote to memory of 2636	2776	cmd.exe	38
PID 2776 wrote to memory of 2636	2776	cmd.exe	38
PID 2776 wrote to memory of 1520	2776	cmd.exe	39
PID 2776 wrote to memory of 1520	2776	cmd.exe	39
PID 2776 wrote to memory of 1520	2776	cmd.exe	39
PID 2776 wrote to memory of 1520	2776	cmd.exe	39
PID 2776 wrote to memory of 1056	2776	cmd.exe	40
PID 2776 wrote to memory of 1056	2776	cmd.exe	40
PID 2776 wrote to memory of 1056	2776	cmd.exe	40
PID 2776 wrote to memory of 1056	2776	cmd.exe	40
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41
PID 1520 wrote to memory of 1160	1520	Argument.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraV2.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraV2.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Representations Representations.cmd & Representations.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 691653
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "IssuesGriffinChildrenModelling" Animal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Bolt + Inexpensive + Wellington + Fleet + Telescope + Graphic + Consistent + Dr + Park + Proven 691653\F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\691653\Argument.pif
      Argument.pif F
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1520
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
- C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\691653\F

Filesize
685KB

MD5
5ea43da01aba98003a6abbac210aff8f

SHA1
5507e8a1a6264e0d88c3226b0b6259e92b65a219

SHA256
82d13a43681c9e64083c3b818b537bd7471c156fa3462f5378d4023ba7538e38

SHA512
a4c505a31974a1436f0072047cdf30da22e95f815a6cc5f89ab41704df4e13fd97c9dc0982b81d5414ca30a0e45f9ed4f00517fb3442b3f597578086081ec6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Animal

Filesize
692B

MD5
31c1e59569e694098305c7b2d5c8401e

SHA1
762ce052bc83f6f917cb5afe5d354bb279d2b3f8

SHA256
2e439a7e4674589c3e4da070ef4dfe392abf65dac006911ba3aeb54673580abd

SHA512
1604e8b8fe8ada65bcd468d1b6017e70834db5b3dc36ae4d052079a049c58085a072e11115ac66463cb4e6b0f3c87bdccb8b78f460eb6e7d39c7787c1da7e7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bolt

Filesize
70KB

MD5
7ff18f550ee982d1c609f0ac54c59b1c

SHA1
115af2ad5292ca76b85ff4e02263bc7829a64b43

SHA256
60049115790147848413a5b6b5046d2dc7ae038b319bed53749cdbc1fdc23cfc

SHA512
3c00755e5fa75475fec62d19a3cd58ea36294eed6c5cd682ba794819c1cae6eeb3f96aa7e63a382564bb2231af0293afe00064874dca57c3f5423f06dc106234

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF06.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consistent

Filesize
76KB

MD5
66bbd8d50edfa12e57b0af52bc7f456b

SHA1
6c414e8ba8ef8e179eb96a894a75e10c2a943015

SHA256
c02e044b9da1e4edecc37c83c06abe69d6d1178a669fca3f4c78b514b0345f70

SHA512
b4b0c91ec423355481b35ad411f4501b13fc604ed11d7d77960c72de2a7799530053a146b45ef910f7db92e3477831044983cb58990ce0f40dceac53ede39ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dr

Filesize
54KB

MD5
b2ed5751e918601dda9729e8a41f61de

SHA1
b39da18af098fcaae3b4eae5a288054d2d926fe8

SHA256
15e62fb9ba7fcc3100f3232e9d9122d16c41b82be1b5b659662371bc30ee4190

SHA512
698091e2db997a132d093d25e323cf8d0c817827cb46767e9559944aff1e4cc09600734e03eb407d93a257708c440f6d07c09215194473100a68ee9f89de9a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fleet

Filesize
60KB

MD5
ac1f3b21cd1c110fc58d986e4f6f8d8b

SHA1
e6e524b79cf4301876e6b6f4a0b4339dad666ac2

SHA256
2553e041e8540db4da38df68258e72b7c9d1bd01d3ba8df82fdf94bdea6f1e57

SHA512
ef48d88d836f69f372466bfcd9c20ec68dcef4f3a840c0e7fbe0e40af935b652f37da415725b2a295ff96f72f73ffbe2b1961f1ceeeb7971041a021203435071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphic

Filesize
71KB

MD5
9f5e004cc57210c7d4812afd5b37b738

SHA1
8ae7a822e30aebcc0e7dbff3abdbcc68d83bc883

SHA256
9a0dbaad05c54a38059217ea7e14952d669d45dac6ccf6baa37be09c70bb728e

SHA512
a36224c168d8b87ea3c5b4e3dde613fe51ab831215388f1221ef0c4392af003bab4bf2ab250381b2f211bad6eb4432ac694bad9e23585cf5e767d130f44bf73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inexpensive

Filesize
97KB

MD5
a0ea14cdf9d5f5f999fa22e5f14ca09b

SHA1
9b67c5ea6680fb93cbda3fbe332c54a4272e52ee

SHA256
202875f02bd7d4cedf6457ec61db4bf9c32a8ced3cbec4636af8e95163a6b0cc

SHA512
2bd7c9a06ef23f58849c1e2411fce49052c1f59e28af41ad127bc9134430699a73841b8b80f4024d49cea28a17de813790e9c642642651aea680d2f824fdd633

Download Submit
C:\Users\Admin\AppData\Local\Temp\Park

Filesize
55KB

MD5
9a2f7a1099d5c6b8023442986b7d3f63

SHA1
553623dd6c4f4afcf6e4a201c708d6bd23463600

SHA256
09bfb2fc7ea7858f6041a2397f8163bdbdbdc38a8e985467cbff5f845cfb9cfc

SHA512
c5b904906219c920046bdff253c0ec0287dbbcb120915d9d169b312cbcace6bdc1962e4e29dc9242e16e6c59669fac73b02ef63b301d50e5ab44d92ca457c56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proven

Filesize
38KB

MD5
4e3f4efa93dbdf98812171adf2c2152c

SHA1
7d661a6c55a1bfc202946297a1e2e79895d65498

SHA256
8cedffe95d1aa7a6921ecdb2fa837285bc4c692f07df8a00c37083c8c8fc0bba

SHA512
2d47e96f82348a6f779ddc59783c08f5e0f11c2d318d5da52bb4f11b694399ec6e5276f09d6bbce8973bfb230e7b042c57957f89b6b448e9a2a6d5cd9d0bb1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Representations

Filesize
29KB

MD5
df007300e1a7a92b49244a15ad6bd975

SHA1
8493cca1b5f6fe9e85b9daef895e563d30068bb6

SHA256
20ea6fa491b528191f772e4814a7ebc3a665b526b6149f187d9b71cb9ef72b00

SHA512
298e5d02469a362cf47957918a3bd1a2e9c9e016cf2a47df584d54b8a4e53ec2e4f87254237fc552531444d595a059b5637d87d83f8a79202e4fc321fb9b1943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telescope

Filesize
89KB

MD5
456f4d56c8f909ffcf0ff0a91d8fc1c0

SHA1
2f68d54fb1d7f0c61a6f57ea13fe59ee8870e576

SHA256
4d377450f006468929f4a2c5d9a174816ca42454d2b26f44dc319a80e85a37d3

SHA512
c91fcedfce69080f43e124cc94bcd503b41faeb340ef66cf238bd49d2e145907da4e3f419156e472952135957cd760c924bb0d0f9d995aab55ec387015c11710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viruses

Filesize
872KB

MD5
8ed2e8863c6355ae9a64c291b8af7bec

SHA1
aafc6cb30c6f5f0f0f10c8e9f10107b3614c7d1a

SHA256
0019a1fe0412a33f7d8bc05dd100794ec3bea0680d2b27d330f8ffb2805bbadb

SHA512
1c14dfed9d37e6dd38d5ac3c1e0ca0dba959cfb753681808e1bc98d2c98840ad50dade87e2ae84c0ad1f6aadc417dee3ef11dfa37b864d8588dec1483b297fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wellington

Filesize
75KB

MD5
b93b6fe702a14c19fb76ec5decde645c

SHA1
3e661059f7c9dbddcc7d8b787e11b12e44c78492

SHA256
ed3554d9146977b097a160d1ead6970b958846aab4c2eb693b6a2a47ee1f3796

SHA512
440d8d93db6e8c5e461ad5ebe423a511d911efb135cca33b61cb1729ba4cb07d22c7d609227097c20bc32040d7f69cde716a1fcd8149973de39711678102587b

Download Submit
\Users\Admin\AppData\Local\Temp\691653\Argument.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1160-39-0x0000000000160000-0x00000000001E8000-memory.dmp

Filesize
544KB

Download
memory/1160-41-0x0000000000160000-0x00000000001E8000-memory.dmp

Filesize
544KB

Download
memory/1160-42-0x0000000000160000-0x00000000001E8000-memory.dmp

Filesize
544KB

Download