2e9a32d51e669df532f0a4299933f40839152156e98c08bea7bec286fa5eff66

Resubmissions

09/08/2024, 15:54

240809-tcgxpawepg 10

09/08/2024, 15:51

240809-tanmfssdqr 10

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240704-de
resource tags

arch:x64arch:x86image:win7-20240704-delocale:de-deos:windows7-x64systemwindows
submitted
09/08/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SOLarVA.exe
Size

1.4MB
MD5

aba3a2770f56a24fe2e2d84cc657764c
SHA1

2b2cc59e99e215eb897f3bb127107a0d7f3bc7b5
SHA256

2e9a32d51e669df532f0a4299933f40839152156e98c08bea7bec286fa5eff66
SHA512

784634cc0ce31e2af473a453c2252795cb3fd4b3cd8e2f736d3d622ea3716419675c023d1e6b2750cd79a91866a8fe515b517b1bfa049fe7275949461cd7eb16
SSDEEP

24576:WSBBhGtqxZVP6R0/k70HtM6HIhRODKVApMMg0KANxr7gWmzlhFQvOq8o9:xBh935Di6oLOGqI0KAXX8dAOqx

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2688 created 1248	2688	Ieee.pif	21

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
2688	Ieee.pif
532	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2364	cmd.exe
2688	Ieee.pif
532	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2112	tasklist.exe
2712	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GeorgiaLately	SOLarVA.exe
File opened for modification	C:\Windows\AntarcticaFalls	SOLarVA.exe
File opened for modification	C:\Windows\IronPowers	SOLarVA.exe
File opened for modification	C:\Windows\DnaBroad	SOLarVA.exe
File opened for modification	C:\Windows\PurseArtistic	SOLarVA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOLarVA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieee.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2688	Ieee.pif
2688	Ieee.pif
2688	Ieee.pif
2688	Ieee.pif
2688	Ieee.pif
532	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	532	RegAsm.exe
Token: SeBackupPrivilege	532	RegAsm.exe
Token: SeSecurityPrivilege	532	RegAsm.exe
Token: SeSecurityPrivilege	532	RegAsm.exe
Token: SeSecurityPrivilege	532	RegAsm.exe
Token: SeSecurityPrivilege	532	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2688	Ieee.pif
2688	Ieee.pif
2688	Ieee.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2688	Ieee.pif
2688	Ieee.pif
2688	Ieee.pif

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2364	2108	SOLarVA.exe	30
PID 2108 wrote to memory of 2364	2108	SOLarVA.exe	30
PID 2108 wrote to memory of 2364	2108	SOLarVA.exe	30
PID 2108 wrote to memory of 2364	2108	SOLarVA.exe	30
PID 2364 wrote to memory of 2112	2364	cmd.exe	32
PID 2364 wrote to memory of 2112	2364	cmd.exe	32
PID 2364 wrote to memory of 2112	2364	cmd.exe	32
PID 2364 wrote to memory of 2112	2364	cmd.exe	32
PID 2364 wrote to memory of 2652	2364	cmd.exe	33
PID 2364 wrote to memory of 2652	2364	cmd.exe	33
PID 2364 wrote to memory of 2652	2364	cmd.exe	33
PID 2364 wrote to memory of 2652	2364	cmd.exe	33
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2700	2364	cmd.exe	36
PID 2364 wrote to memory of 2700	2364	cmd.exe	36
PID 2364 wrote to memory of 2700	2364	cmd.exe	36
PID 2364 wrote to memory of 2700	2364	cmd.exe	36
PID 2364 wrote to memory of 2804	2364	cmd.exe	37
PID 2364 wrote to memory of 2804	2364	cmd.exe	37
PID 2364 wrote to memory of 2804	2364	cmd.exe	37
PID 2364 wrote to memory of 2804	2364	cmd.exe	37
PID 2364 wrote to memory of 2852	2364	cmd.exe	38
PID 2364 wrote to memory of 2852	2364	cmd.exe	38
PID 2364 wrote to memory of 2852	2364	cmd.exe	38
PID 2364 wrote to memory of 2852	2364	cmd.exe	38
PID 2364 wrote to memory of 2696	2364	cmd.exe	39
PID 2364 wrote to memory of 2696	2364	cmd.exe	39
PID 2364 wrote to memory of 2696	2364	cmd.exe	39
PID 2364 wrote to memory of 2696	2364	cmd.exe	39
PID 2364 wrote to memory of 2688	2364	cmd.exe	40
PID 2364 wrote to memory of 2688	2364	cmd.exe	40
PID 2364 wrote to memory of 2688	2364	cmd.exe	40
PID 2364 wrote to memory of 2688	2364	cmd.exe	40
PID 2364 wrote to memory of 2892	2364	cmd.exe	41
PID 2364 wrote to memory of 2892	2364	cmd.exe	41
PID 2364 wrote to memory of 2892	2364	cmd.exe	41
PID 2364 wrote to memory of 2892	2364	cmd.exe	41
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43
PID 2688 wrote to memory of 532	2688	Ieee.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\SOLarVA.exe
  "C:\Users\Admin\AppData\Local\Temp\SOLarVA.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 163233
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "MaskBathroomCompositionInjection" Participants
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Intake + ..\Grass + ..\Sigma + ..\Element + ..\Ni + ..\Angola + ..\Lithuania + ..\Pointer + ..\Narrow Q
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\163233\Ieee.pif
      Ieee.pif Q
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2688
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- C:\Users\Admin\AppData\Local\Temp\163233\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\163233\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\163233\Q

Filesize
611KB

MD5
28c262b2518e89494875160b32396c31

SHA1
4866b6e37fd1337eb25aad15c5a3cededa96c866

SHA256
0f6b5973a71082089216f929e501ef375289cbe425d7dc54e409916ecc4c4c6e

SHA512
95ec7fa55d01b97da762eef6182452300f2c9a0f5164dcf4f99e3ccf6dc1bdc18aed097c7e8e7d6672617c064cad40e04a4aa03048b4d5060c0003362c8a2a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Angola

Filesize
58KB

MD5
1d66db0d17f2a42df6bdb2228683d926

SHA1
ea51a9d17a827dc9ef521a999b276837277efac3

SHA256
cc01abdacbb94bd59c1206ac6fd5b40b4c1169f9edbf83e4038aa168c95fbef1

SHA512
7bd8aae17a35faef5277d7a3fd0f98e6ea7becaa391b4752ebf269b661de2fe56ecb1548649189dd45fb9a093e94b33baae58039d62d13f3a09af852cadeb6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA90D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Element

Filesize
65KB

MD5
a48d8c2f75acb13392237e306f661b07

SHA1
0fcca71ef8a3c554087cbaa057969ade045d5528

SHA256
c20605c2eb2fd6fb3521629231820b94b5b829bbdd28ad850be498149cdcff4c

SHA512
171b150a1625d71a5349ebbaafa591e5e827796dcdfd20cda1a066c8028391b22f8a61a5a97ed10862a9fc0e4327fe458cd7ca14c83e79057b230431d5078fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
16KB

MD5
df90e0a5db1ab053640d91639137b794

SHA1
479ff47a8b8631fb18e800277c401eb76292a0db

SHA256
d1cd7a9812c8e8bc210d96e18a658d61b05d811e7840bc70e948b2baaefbb349

SHA512
7a230e7119fba9453025900322085afad16713fdbcf2ebb346bed80ac94767a38ceb50f5e47b1d25585b8a2d382201cb04dabe7bff0c9a2952255eda3a511149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grass

Filesize
67KB

MD5
eeca35c3e226ea7bb9b6b9f63bdbd52f

SHA1
bc22c00e4f9799acf6ab7b618fc3b6fe7dc82682

SHA256
8d699ae65aaba25952d928cebeeba756fff8a53a2d96851bf40c0d3a25bfbe69

SHA512
4317b500e36f7b5a2d579479933a50bf61e004fb3ba499f5d245c057ad9d1ebc6a5b04e4b25a85c6d33351730f2cf4bb064a00880b3987a5389bec15a3bc7dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intake

Filesize
96KB

MD5
f6578d361204e18b87ae8369dab27721

SHA1
69234a9b7fab2d98ecf1a0d88e938bd3309bc404

SHA256
5ec86fdc58ea6a4699141d7086746d763ef674287f85c9b4b837bfe34aaed22c

SHA512
aed25674e04553c8fa9c2565d83cf54edac0ca28b6dfc71940c21eb36935e85b6759c24509bda53b69a6c6fd7c680330d1a97576a4f8515e0fb0fd153847c230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lithuania

Filesize
84KB

MD5
30075fa906c25d6995173ac8f0c79c35

SHA1
14a2601012cbcbd2dbd0c00645322209d77ef9c6

SHA256
a1ec643619e784be373cabc41f7a76e77f8f7b025c362d175fc416f41132b256

SHA512
03ea5c0bccd11656cc301e0ff82d4c3042d0f9355a16a1b0d931fe69f8f0b4376d8913c2c93bb373d0d1cf5df3190fd91bac7dcb76317527c5b84d0b50fe4f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Narrow

Filesize
14KB

MD5
868377c90890d824f00d312ca0a1731c

SHA1
c52d4242644a5aeccb9507e70cc0d10bad60561d

SHA256
3654c17103c6c224f0f61a38e7f31d037fb4ea7273571797c3f0c8ecdede6f78

SHA512
173d7dc13284fe72ba0d01061f06f14c1b38bd8385376d0a27c22221a6495579b72d957ed3a77a3ceb40fb22b7512d55f766ec5e59d0e57024fb1c8c5e45a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ni

Filesize
81KB

MD5
a1c1a3779ceac9bac17256a0ec363a63

SHA1
8da28c546f99b1f193477643b5a10d74f8581c3d

SHA256
2f0e70b68dbcee5183af2d1c8674c78bb91c633674b81241de7d51b894a096a5

SHA512
1cfc2dad3051a4c03a26f5d8539717dfccb7988281bb08cc6d5605125f2a173035825a59b7da5b773f45a7ca0618ae996ccab7f5ca4d16a1c6c3ad6b9e38566b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants

Filesize
1022B

MD5
2b618e2f573e562fa4494a65d0ac4e7a

SHA1
e05badd2176c8134d4b034fd37bda460bd7513a5

SHA256
ee9a5f63c926cd308c1ebe0f07d7b854dc9986ff259eed54488160387ed72394

SHA512
13d39153661ebf61f24611a4e4319cbd13ed1eae1e78d8d15339e6a08abb43ece40d38cbc0bd4ccafe32bcea0fbcee53fabce78b6b2551ca0ec3adecc79a7457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointer

Filesize
58KB

MD5
5283b76974518850ac49375f6e04e5b5

SHA1
16f1b42efbccb2c517a67bf6acf361357009d992

SHA256
b99cf8a2aa33b2ac625d21795c4e14e663d5dc8010be1868ecee851b66af786c

SHA512
ac4cba17124276c91c0d2b711c3d637fd1a68bd814f833624f7628153a72261c262356e8dc7f2e8c729fb72f58c8fb66d2ad26f74572b5963c875829b8217c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rick

Filesize
871KB

MD5
75479dccf8c924f5f9cba3154ef4ffd0

SHA1
f88ac6d6cd42aca72079ec2b0565ee16d1f45886

SHA256
96e4af74fde678ff4f117e6cf6d678820c354ad3678f263ab6e19c6aa0bc9c70

SHA512
a3f5e46223893b035e1f81581a9fddc0808c519e9048e6bd3695be74fa6be5210fa4fafb4ff0303661f615ebea883cb08fc23d06561c16ec76d300280be86a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sigma

Filesize
88KB

MD5
5749bafbb308758adb9436b56e782533

SHA1
280785cb8cf761740e72cb581aa962c260c4adc0

SHA256
35d1cbb53710df82a2198f23cb05e0ae36a01440e6ebcd2bf08bed0845db4cfb

SHA512
1489b8c78b4eb8e4e1acdc6edad97b6e91bd3750185ec8fe81afee2c020d4285bc4ced02ce74941a18fd93632a8ac67eded7d17b023d556006a84b7fe08cca78

Download Submit
\Users\Admin\AppData\Local\Temp\163233\Ieee.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\163233\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/532-37-0x0000000000090000-0x000000000010E000-memory.dmp

Filesize
504KB

Download
memory/532-40-0x0000000000090000-0x000000000010E000-memory.dmp

Filesize
504KB

Download
memory/532-39-0x0000000000090000-0x000000000010E000-memory.dmp

Filesize
504KB

Download