Overview

overview

10

Static

static

1

Solara.zip

windows7-x64

1

Solara.zip

windows10-2004-x64

1

Solara/Sol...V2.exe

windows7-x64

10

Solara/Sol...V2.exe

windows10-2004-x64

10

Solara/Sol...st.lua

windows7-x64

3

Solara/Sol...st.lua

windows10-2004-x64

3

Solara/Sol...t2.lua

windows7-x64

3

Solara/Sol...t2.lua

windows10-2004-x64

3

Solara/Sol...le.txt

windows7-x64

1

Solara/Sol...le.txt

windows10-2004-x64

1

Solara/Sol...et.txt

windows7-x64

1

Solara/Sol...et.txt

windows10-2004-x64

1

Solara/Sol...le.txt

windows7-x64

1

Solara/Sol...le.txt

windows10-2004-x64

1

Solara/Sol..._1.txt

windows7-x64

1

Solara/Sol..._1.txt

windows10-2004-x64

1

Solara/Sol..._2.txt

windows7-x64

1

Solara/Sol..._2.txt

windows10-2004-x64

1

Solara/Sol...le.txt

windows7-x64

1

Solara/Sol...le.txt

windows10-2004-x64

1

Solara/Sol...le.txt

windows7-x64

1

Solara/Sol...le.txt

windows10-2004-x64

1

Solara/Sol...tefile

windows7-x64

1

Solara/Sol...tefile

windows10-2004-x64

1

Solara/Sol...le.txt

windows7-x64

1

Solara/Sol...le.txt

windows10-2004-x64

1

Solara/Sol...LL.txt

windows7-x64

1

Solara/Sol...LL.txt

windows10-2004-x64

1

Solara/Sol..._FE.iy

windows7-x64

3

Solara/Sol..._FE.iy

windows10-2004-x64

3

Solara/Sol...s.json

windows7-x64

3

Solara/Sol...s.json

windows10-2004-x64

3

Analysis

  • max time kernel
    94s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara/Solara/SolaraV2.exe

  • Size

    23.0MB

  • MD5

    f8df38b9c3e3623d532963d19fbd9aef

  • SHA1

    2ee2d919d64ab6d7f0f1f9758cb93a40b209893e

  • SHA256

    3edb793c12e214934185468759e37d9735deb7cdc70cab88d1e25a5ee986eb01

  • SHA512

    a2487d9f1a7cce0aa49175c14cf9febbc68bf6f6bd559dc92c554b51eea4427c9caec7ddaffc7177b0cbc7600452ce79e44897e84bfc3ee9dc9183e01a7bb4c2

  • SSDEEP

    24576:upZHY7WrA+vr7mXoLDEQmzlVjrRRUutP9L8g21FirU2rwMGBCF9W7W:GHY7WUSmXoLDEQ8TRKmPY1FirEXC7

Score
10/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraV2.exe
        "C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraV2.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Representations Representations.cmd & Representations.cmd & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3828
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:760
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2108
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 691653
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4456
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "IssuesGriffinChildrenModelling" Animal
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2148
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Bolt + Inexpensive + Wellington + Fleet + Telescope + Graphic + Consistent + Dr + Park + Proven 691653\F
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5016
          • C:\Users\Admin\AppData\Local\Temp\691653\Argument.pif
            Argument.pif F
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4604
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3584
      • C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\691653\Argument.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\691653\F
      Filesize

      685KB

      MD5

      5ea43da01aba98003a6abbac210aff8f

      SHA1

      5507e8a1a6264e0d88c3226b0b6259e92b65a219

      SHA256

      82d13a43681c9e64083c3b818b537bd7471c156fa3462f5378d4023ba7538e38

      SHA512

      a4c505a31974a1436f0072047cdf30da22e95f815a6cc5f89ab41704df4e13fd97c9dc0982b81d5414ca30a0e45f9ed4f00517fb3442b3f597578086081ec6ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Animal
      Filesize

      692B

      MD5

      31c1e59569e694098305c7b2d5c8401e

      SHA1

      762ce052bc83f6f917cb5afe5d354bb279d2b3f8

      SHA256

      2e439a7e4674589c3e4da070ef4dfe392abf65dac006911ba3aeb54673580abd

      SHA512

      1604e8b8fe8ada65bcd468d1b6017e70834db5b3dc36ae4d052079a049c58085a072e11115ac66463cb4e6b0f3c87bdccb8b78f460eb6e7d39c7787c1da7e7e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Bolt
      Filesize

      70KB

      MD5

      7ff18f550ee982d1c609f0ac54c59b1c

      SHA1

      115af2ad5292ca76b85ff4e02263bc7829a64b43

      SHA256

      60049115790147848413a5b6b5046d2dc7ae038b319bed53749cdbc1fdc23cfc

      SHA512

      3c00755e5fa75475fec62d19a3cd58ea36294eed6c5cd682ba794819c1cae6eeb3f96aa7e63a382564bb2231af0293afe00064874dca57c3f5423f06dc106234

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Consistent
      Filesize

      76KB

      MD5

      66bbd8d50edfa12e57b0af52bc7f456b

      SHA1

      6c414e8ba8ef8e179eb96a894a75e10c2a943015

      SHA256

      c02e044b9da1e4edecc37c83c06abe69d6d1178a669fca3f4c78b514b0345f70

      SHA512

      b4b0c91ec423355481b35ad411f4501b13fc604ed11d7d77960c72de2a7799530053a146b45ef910f7db92e3477831044983cb58990ce0f40dceac53ede39ac2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Dr
      Filesize

      54KB

      MD5

      b2ed5751e918601dda9729e8a41f61de

      SHA1

      b39da18af098fcaae3b4eae5a288054d2d926fe8

      SHA256

      15e62fb9ba7fcc3100f3232e9d9122d16c41b82be1b5b659662371bc30ee4190

      SHA512

      698091e2db997a132d093d25e323cf8d0c817827cb46767e9559944aff1e4cc09600734e03eb407d93a257708c440f6d07c09215194473100a68ee9f89de9a74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Fleet
      Filesize

      60KB

      MD5

      ac1f3b21cd1c110fc58d986e4f6f8d8b

      SHA1

      e6e524b79cf4301876e6b6f4a0b4339dad666ac2

      SHA256

      2553e041e8540db4da38df68258e72b7c9d1bd01d3ba8df82fdf94bdea6f1e57

      SHA512

      ef48d88d836f69f372466bfcd9c20ec68dcef4f3a840c0e7fbe0e40af935b652f37da415725b2a295ff96f72f73ffbe2b1961f1ceeeb7971041a021203435071

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Graphic
      Filesize

      71KB

      MD5

      9f5e004cc57210c7d4812afd5b37b738

      SHA1

      8ae7a822e30aebcc0e7dbff3abdbcc68d83bc883

      SHA256

      9a0dbaad05c54a38059217ea7e14952d669d45dac6ccf6baa37be09c70bb728e

      SHA512

      a36224c168d8b87ea3c5b4e3dde613fe51ab831215388f1221ef0c4392af003bab4bf2ab250381b2f211bad6eb4432ac694bad9e23585cf5e767d130f44bf73e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Inexpensive
      Filesize

      97KB

      MD5

      a0ea14cdf9d5f5f999fa22e5f14ca09b

      SHA1

      9b67c5ea6680fb93cbda3fbe332c54a4272e52ee

      SHA256

      202875f02bd7d4cedf6457ec61db4bf9c32a8ced3cbec4636af8e95163a6b0cc

      SHA512

      2bd7c9a06ef23f58849c1e2411fce49052c1f59e28af41ad127bc9134430699a73841b8b80f4024d49cea28a17de813790e9c642642651aea680d2f824fdd633

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Park
      Filesize

      55KB

      MD5

      9a2f7a1099d5c6b8023442986b7d3f63

      SHA1

      553623dd6c4f4afcf6e4a201c708d6bd23463600

      SHA256

      09bfb2fc7ea7858f6041a2397f8163bdbdbdc38a8e985467cbff5f845cfb9cfc

      SHA512

      c5b904906219c920046bdff253c0ec0287dbbcb120915d9d169b312cbcace6bdc1962e4e29dc9242e16e6c59669fac73b02ef63b301d50e5ab44d92ca457c56f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Proven
      Filesize

      38KB

      MD5

      4e3f4efa93dbdf98812171adf2c2152c

      SHA1

      7d661a6c55a1bfc202946297a1e2e79895d65498

      SHA256

      8cedffe95d1aa7a6921ecdb2fa837285bc4c692f07df8a00c37083c8c8fc0bba

      SHA512

      2d47e96f82348a6f779ddc59783c08f5e0f11c2d318d5da52bb4f11b694399ec6e5276f09d6bbce8973bfb230e7b042c57957f89b6b448e9a2a6d5cd9d0bb1e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Representations
      Filesize

      29KB

      MD5

      df007300e1a7a92b49244a15ad6bd975

      SHA1

      8493cca1b5f6fe9e85b9daef895e563d30068bb6

      SHA256

      20ea6fa491b528191f772e4814a7ebc3a665b526b6149f187d9b71cb9ef72b00

      SHA512

      298e5d02469a362cf47957918a3bd1a2e9c9e016cf2a47df584d54b8a4e53ec2e4f87254237fc552531444d595a059b5637d87d83f8a79202e4fc321fb9b1943

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Telescope
      Filesize

      89KB

      MD5

      456f4d56c8f909ffcf0ff0a91d8fc1c0

      SHA1

      2f68d54fb1d7f0c61a6f57ea13fe59ee8870e576

      SHA256

      4d377450f006468929f4a2c5d9a174816ca42454d2b26f44dc319a80e85a37d3

      SHA512

      c91fcedfce69080f43e124cc94bcd503b41faeb340ef66cf238bd49d2e145907da4e3f419156e472952135957cd760c924bb0d0f9d995aab55ec387015c11710

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Viruses
      Filesize

      872KB

      MD5

      8ed2e8863c6355ae9a64c291b8af7bec

      SHA1

      aafc6cb30c6f5f0f0f10c8e9f10107b3614c7d1a

      SHA256

      0019a1fe0412a33f7d8bc05dd100794ec3bea0680d2b27d330f8ffb2805bbadb

      SHA512

      1c14dfed9d37e6dd38d5ac3c1e0ca0dba959cfb753681808e1bc98d2c98840ad50dade87e2ae84c0ad1f6aadc417dee3ef11dfa37b864d8588dec1483b297fca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Wellington
      Filesize

      75KB

      MD5

      b93b6fe702a14c19fb76ec5decde645c

      SHA1

      3e661059f7c9dbddcc7d8b787e11b12e44c78492

      SHA256

      ed3554d9146977b097a160d1ead6970b958846aab4c2eb693b6a2a47ee1f3796

      SHA512

      440d8d93db6e8c5e461ad5ebe423a511d911efb135cca33b61cb1729ba4cb07d22c7d609227097c20bc32040d7f69cde716a1fcd8149973de39711678102587b

      Download Submit

    • memory/4736-43-0x00000000087B0000-0x00000000087C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4736-44-0x0000000008810000-0x000000000884C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4736-39-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4736-40-0x00000000056B0000-0x00000000056BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4736-41-0x0000000008D30000-0x0000000009348000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4736-42-0x0000000008870000-0x000000000897A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4736-35-0x0000000000D70000-0x0000000000DF8000-memory.dmp

      Filesize

      544KB

      Download

    • memory/4736-38-0x0000000005C90000-0x0000000006234000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4736-45-0x0000000008980000-0x00000000089CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4736-46-0x00000000095C0000-0x0000000009626000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4736-47-0x00000000098F0000-0x0000000009966000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4736-48-0x00000000098B0000-0x00000000098CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4736-49-0x000000000A2F0000-0x000000000A4B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4736-50-0x000000000A9F0000-0x000000000AF1C000-memory.dmp

      Filesize

      5.2MB

      Download