Overview

overview

10

Static

static

9

ezWwTYmb9tEG.zip

windows11-21h2-x64

ReadMe.txt

windows11-21h2-x64

3

So1ara.rar

windows11-21h2-x64

3

Solara/Sol...er.exe

windows11-21h2-x64

10

$TEMP/Bolt

windows11-21h2-x64

1

$TEMP/Consistent

windows11-21h2-x64

1

$TEMP/Dr

windows11-21h2-x64

1

$TEMP/Fleet

windows11-21h2-x64

1

$TEMP/Inexpensive

windows11-21h2-x64

1

$TEMP/Park

windows11-21h2-x64

1

$TEMP/Telescope

windows11-21h2-x64

1

$TEMP/Viruses

windows11-21h2-x64

1

$TEMP/Wellington

windows11-21h2-x64

1

SaturnSexo/Animal

windows11-21h2-x64

1

SaturnSexo/Graphic

windows11-21h2-x64

1

SaturnSexo/Proven

windows11-21h2-x64

1

SaturnSexo...ations

windows11-21h2-x64

1

Solara/Sol...st.lua

windows11-21h2-x64

3

Solara/Sol...t2.lua

windows11-21h2-x64

3

Solara/Sol...pi.dll

windows11-21h2-x64

3

Solara/Sol...le.txt

windows11-21h2-x64

3

Solara/Sol...et.txt

windows11-21h2-x64

3

Solara/Sol...le.txt

windows11-21h2-x64

3

Solara/Sol..._1.txt

windows11-21h2-x64

3

Solara/Sol..._2.txt

windows11-21h2-x64

3

Solara/Sol...le.txt

windows11-21h2-x64

3

Solara/Sol...le.txt

windows11-21h2-x64

3

Solara/Sol...tefile

windows11-21h2-x64

1

Solara/Sol...le.txt

windows11-21h2-x64

3

Solara/Sol...LL.txt

windows11-21h2-x64

3

Solara/Sol..._FE.iy

windows11-21h2-x64

3

Solara/Sol...s.json

windows11-21h2-x64

3

Analysis

  • max time kernel
    137s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-08-2024 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara/Solar/SolaraBootstrapper.exe

  • Size

    149.8MB

  • MD5

    514a5006c26dffcd6d6a7ec4ca897ed6

  • SHA1

    12514a2dadfef13a209697d2af2cda955e1d9468

  • SHA256

    e7a36dd328ba20e8695a1d07a25a71edb41f649ee118d9f1c27139fd59fcb35c

  • SHA512

    21ffb034e8cf1913c62ec647f4872aa51e93db0ec45ad03ac559577c7265ee2a0a54e569ab87ebfc4f23b538a2b65df50c98ee75a7a773afce6c82591c778ab7

  • SSDEEP

    1572864:RTBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBn:

Score
10/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3332
      • C:\Users\Admin\AppData\Local\Temp\Solara\Solar\SolaraBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\Solara\Solar\SolaraBootstrapper.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Representations Representations.cmd & Representations.cmd & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3408
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:788
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3292
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:888
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 691653
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1972
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "IssuesGriffinChildrenModelling" Animal
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3688
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Bolt + Inexpensive + Wellington + Fleet + Telescope + Graphic + Consistent + Dr + Park + Proven 691653\F
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1712
          • C:\Users\Admin\AppData\Local\Temp\691653\Argument.pif
            Argument.pif F
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2676
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2772
      • C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2460

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\691653\Argument.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\691653\F
      Filesize

      685KB

      MD5

      5ea43da01aba98003a6abbac210aff8f

      SHA1

      5507e8a1a6264e0d88c3226b0b6259e92b65a219

      SHA256

      82d13a43681c9e64083c3b818b537bd7471c156fa3462f5378d4023ba7538e38

      SHA512

      a4c505a31974a1436f0072047cdf30da22e95f815a6cc5f89ab41704df4e13fd97c9dc0982b81d5414ca30a0e45f9ed4f00517fb3442b3f597578086081ec6ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\691653\RegAsm.exe
      Filesize

      63KB

      MD5

      42ab6e035df99a43dbb879c86b620b91

      SHA1

      c6e116569d17d8142dbb217b1f8bfa95bc148c38

      SHA256

      53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

      SHA512

      2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Animal
      Filesize

      692B

      MD5

      31c1e59569e694098305c7b2d5c8401e

      SHA1

      762ce052bc83f6f917cb5afe5d354bb279d2b3f8

      SHA256

      2e439a7e4674589c3e4da070ef4dfe392abf65dac006911ba3aeb54673580abd

      SHA512

      1604e8b8fe8ada65bcd468d1b6017e70834db5b3dc36ae4d052079a049c58085a072e11115ac66463cb4e6b0f3c87bdccb8b78f460eb6e7d39c7787c1da7e7e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Bolt
      Filesize

      70KB

      MD5

      7ff18f550ee982d1c609f0ac54c59b1c

      SHA1

      115af2ad5292ca76b85ff4e02263bc7829a64b43

      SHA256

      60049115790147848413a5b6b5046d2dc7ae038b319bed53749cdbc1fdc23cfc

      SHA512

      3c00755e5fa75475fec62d19a3cd58ea36294eed6c5cd682ba794819c1cae6eeb3f96aa7e63a382564bb2231af0293afe00064874dca57c3f5423f06dc106234

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Consistent
      Filesize

      76KB

      MD5

      66bbd8d50edfa12e57b0af52bc7f456b

      SHA1

      6c414e8ba8ef8e179eb96a894a75e10c2a943015

      SHA256

      c02e044b9da1e4edecc37c83c06abe69d6d1178a669fca3f4c78b514b0345f70

      SHA512

      b4b0c91ec423355481b35ad411f4501b13fc604ed11d7d77960c72de2a7799530053a146b45ef910f7db92e3477831044983cb58990ce0f40dceac53ede39ac2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Dr
      Filesize

      54KB

      MD5

      b2ed5751e918601dda9729e8a41f61de

      SHA1

      b39da18af098fcaae3b4eae5a288054d2d926fe8

      SHA256

      15e62fb9ba7fcc3100f3232e9d9122d16c41b82be1b5b659662371bc30ee4190

      SHA512

      698091e2db997a132d093d25e323cf8d0c817827cb46767e9559944aff1e4cc09600734e03eb407d93a257708c440f6d07c09215194473100a68ee9f89de9a74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Fleet
      Filesize

      60KB

      MD5

      ac1f3b21cd1c110fc58d986e4f6f8d8b

      SHA1

      e6e524b79cf4301876e6b6f4a0b4339dad666ac2

      SHA256

      2553e041e8540db4da38df68258e72b7c9d1bd01d3ba8df82fdf94bdea6f1e57

      SHA512

      ef48d88d836f69f372466bfcd9c20ec68dcef4f3a840c0e7fbe0e40af935b652f37da415725b2a295ff96f72f73ffbe2b1961f1ceeeb7971041a021203435071

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Graphic
      Filesize

      71KB

      MD5

      9f5e004cc57210c7d4812afd5b37b738

      SHA1

      8ae7a822e30aebcc0e7dbff3abdbcc68d83bc883

      SHA256

      9a0dbaad05c54a38059217ea7e14952d669d45dac6ccf6baa37be09c70bb728e

      SHA512

      a36224c168d8b87ea3c5b4e3dde613fe51ab831215388f1221ef0c4392af003bab4bf2ab250381b2f211bad6eb4432ac694bad9e23585cf5e767d130f44bf73e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Inexpensive
      Filesize

      97KB

      MD5

      a0ea14cdf9d5f5f999fa22e5f14ca09b

      SHA1

      9b67c5ea6680fb93cbda3fbe332c54a4272e52ee

      SHA256

      202875f02bd7d4cedf6457ec61db4bf9c32a8ced3cbec4636af8e95163a6b0cc

      SHA512

      2bd7c9a06ef23f58849c1e2411fce49052c1f59e28af41ad127bc9134430699a73841b8b80f4024d49cea28a17de813790e9c642642651aea680d2f824fdd633

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Park
      Filesize

      55KB

      MD5

      9a2f7a1099d5c6b8023442986b7d3f63

      SHA1

      553623dd6c4f4afcf6e4a201c708d6bd23463600

      SHA256

      09bfb2fc7ea7858f6041a2397f8163bdbdbdc38a8e985467cbff5f845cfb9cfc

      SHA512

      c5b904906219c920046bdff253c0ec0287dbbcb120915d9d169b312cbcace6bdc1962e4e29dc9242e16e6c59669fac73b02ef63b301d50e5ab44d92ca457c56f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Proven
      Filesize

      38KB

      MD5

      4e3f4efa93dbdf98812171adf2c2152c

      SHA1

      7d661a6c55a1bfc202946297a1e2e79895d65498

      SHA256

      8cedffe95d1aa7a6921ecdb2fa837285bc4c692f07df8a00c37083c8c8fc0bba

      SHA512

      2d47e96f82348a6f779ddc59783c08f5e0f11c2d318d5da52bb4f11b694399ec6e5276f09d6bbce8973bfb230e7b042c57957f89b6b448e9a2a6d5cd9d0bb1e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Representations
      Filesize

      29KB

      MD5

      df007300e1a7a92b49244a15ad6bd975

      SHA1

      8493cca1b5f6fe9e85b9daef895e563d30068bb6

      SHA256

      20ea6fa491b528191f772e4814a7ebc3a665b526b6149f187d9b71cb9ef72b00

      SHA512

      298e5d02469a362cf47957918a3bd1a2e9c9e016cf2a47df584d54b8a4e53ec2e4f87254237fc552531444d595a059b5637d87d83f8a79202e4fc321fb9b1943

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Telescope
      Filesize

      89KB

      MD5

      456f4d56c8f909ffcf0ff0a91d8fc1c0

      SHA1

      2f68d54fb1d7f0c61a6f57ea13fe59ee8870e576

      SHA256

      4d377450f006468929f4a2c5d9a174816ca42454d2b26f44dc319a80e85a37d3

      SHA512

      c91fcedfce69080f43e124cc94bcd503b41faeb340ef66cf238bd49d2e145907da4e3f419156e472952135957cd760c924bb0d0f9d995aab55ec387015c11710

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Viruses
      Filesize

      872KB

      MD5

      8ed2e8863c6355ae9a64c291b8af7bec

      SHA1

      aafc6cb30c6f5f0f0f10c8e9f10107b3614c7d1a

      SHA256

      0019a1fe0412a33f7d8bc05dd100794ec3bea0680d2b27d330f8ffb2805bbadb

      SHA512

      1c14dfed9d37e6dd38d5ac3c1e0ca0dba959cfb753681808e1bc98d2c98840ad50dade87e2ae84c0ad1f6aadc417dee3ef11dfa37b864d8588dec1483b297fca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Wellington
      Filesize

      75KB

      MD5

      b93b6fe702a14c19fb76ec5decde645c

      SHA1

      3e661059f7c9dbddcc7d8b787e11b12e44c78492

      SHA256

      ed3554d9146977b097a160d1ead6970b958846aab4c2eb693b6a2a47ee1f3796

      SHA512

      440d8d93db6e8c5e461ad5ebe423a511d911efb135cca33b61cb1729ba4cb07d22c7d609227097c20bc32040d7f69cde716a1fcd8149973de39711678102587b

      Download Submit

    • memory/2460-43-0x0000000008900000-0x0000000008912000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2460-44-0x0000000008960000-0x000000000899C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2460-39-0x0000000005800000-0x0000000005892000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2460-40-0x00000000059C0000-0x00000000059CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2460-41-0x0000000008E80000-0x0000000009498000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2460-42-0x00000000089B0000-0x0000000008ABA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2460-35-0x0000000001100000-0x0000000001188000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2460-38-0x0000000005E80000-0x0000000006426000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2460-45-0x0000000008AC0000-0x0000000008B0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2460-46-0x0000000009710000-0x0000000009776000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2460-47-0x0000000009A40000-0x0000000009AB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2460-48-0x0000000009A20000-0x0000000009A3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2460-49-0x000000000A670000-0x000000000A832000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2460-50-0x000000000AD70000-0x000000000B29C000-memory.dmp

      Filesize

      5.2MB

      Download