Analysis
-
max time kernel
2s -
max time network
7s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
09-08-2024 14:34
Behavioral task
behavioral1
Sample
SolaraBootstrapper.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
SolaraBootstrapper.exe
Resource
win10v2004-20240802-en
General
-
Target
SolaraBootstrapper.exe
-
Size
303KB
-
MD5
7553c649cdd15e01bc47cfa2dc88fdae
-
SHA1
1ad33f546146e52d05e667f0907262c1e55cb958
-
SHA256
12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6
-
SHA512
b40c066725b3f9ece6f75dd11598ad73f702b608253a4fa990774d2a61433b7a8218e19c3f5b348b62d18f533069f0cb228bcd5904497e98cd8f77d94a9d1849
-
SSDEEP
6144:k1E0T6MDdbICydeB1MnyCvG/9GzC6jmA1D0Kzp:k1z6yCvGFG+Y1Dtp
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
SolaraBootstrapper.exepid Process 2488 SolaraBootstrapper.exe 2488 SolaraBootstrapper.exe 2488 SolaraBootstrapper.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SolaraBootstrapper.exedescription pid Process Token: SeDebugPrivilege 2488 SolaraBootstrapper.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SolaraBootstrapper.exedescription pid Process procid_target PID 2488 wrote to memory of 2780 2488 SolaraBootstrapper.exe 29 PID 2488 wrote to memory of 2780 2488 SolaraBootstrapper.exe 29 PID 2488 wrote to memory of 2780 2488 SolaraBootstrapper.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2488 -s 10842⤵PID:2780
-