21b4b1091da61c9e2176298444c56c57d0282acc8be75aae9101fce661670675

Analysis

max time kernel
24s
max time network
17s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara/Solara/SolaraBootstrapper V3.exe
Size

50.4MB
MD5

0d2ded9caa35fffc0f2363e4f92e77ea
SHA1

9c765027a132495825d5bb5256ffbbd597371a63
SHA256

56b2926a2b7660cd8508a4913246eb49546b0ff084b4bfbfe0f399083edf8758
SHA512

f8770ed852de3b50fb751943ceeaec09345bb552d6debe8423e575e12db51083b8bf7816aa9438c61d238b5a3ffd39f367a1ca7705143abc82a084c9aae22cf4
SSDEEP

1572864:3eKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKe:3eKKKKKKKKKKKKKKKKKKKKKKKKKKKKK5

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4588 created 3248	4588	Deeper.pif	52
PID 4588 created 3248	4588	Deeper.pif	52

Executes dropped EXE 3 IoCs

pid	Process
4588	Deeper.pif
3196	RegAsm.exe
656	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3260	tasklist.exe
1376	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DvdPrescribed	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\CultureAlthough	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\CtSleeps	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\DecemberFe	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\MoreButter	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\GpsAttempt	SolaraBootstrapper V3.exe
File opened for modification	C:\Windows\SeparatedCarries	SolaraBootstrapper V3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper V3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deeper.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4588	Deeper.pif
4588	Deeper.pif
4588	Deeper.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3520	2648	SolaraBootstrapper V3.exe	82
PID 2648 wrote to memory of 3520	2648	SolaraBootstrapper V3.exe	82
PID 2648 wrote to memory of 3520	2648	SolaraBootstrapper V3.exe	82
PID 3520 wrote to memory of 3260	3520	cmd.exe	84
PID 3520 wrote to memory of 3260	3520	cmd.exe	84
PID 3520 wrote to memory of 3260	3520	cmd.exe	84
PID 3520 wrote to memory of 3172	3520	cmd.exe	85
PID 3520 wrote to memory of 3172	3520	cmd.exe	85
PID 3520 wrote to memory of 3172	3520	cmd.exe	85
PID 3520 wrote to memory of 1376	3520	cmd.exe	87
PID 3520 wrote to memory of 1376	3520	cmd.exe	87
PID 3520 wrote to memory of 1376	3520	cmd.exe	87
PID 3520 wrote to memory of 1996	3520	cmd.exe	88
PID 3520 wrote to memory of 1996	3520	cmd.exe	88
PID 3520 wrote to memory of 1996	3520	cmd.exe	88
PID 3520 wrote to memory of 3488	3520	cmd.exe	89
PID 3520 wrote to memory of 3488	3520	cmd.exe	89
PID 3520 wrote to memory of 3488	3520	cmd.exe	89
PID 3520 wrote to memory of 4932	3520	cmd.exe	90
PID 3520 wrote to memory of 4932	3520	cmd.exe	90
PID 3520 wrote to memory of 4932	3520	cmd.exe	90
PID 3520 wrote to memory of 1500	3520	cmd.exe	91
PID 3520 wrote to memory of 1500	3520	cmd.exe	91
PID 3520 wrote to memory of 1500	3520	cmd.exe	91
PID 3520 wrote to memory of 4588	3520	cmd.exe	92
PID 3520 wrote to memory of 4588	3520	cmd.exe	92
PID 3520 wrote to memory of 4588	3520	cmd.exe	92
PID 3520 wrote to memory of 3164	3520	cmd.exe	93
PID 3520 wrote to memory of 3164	3520	cmd.exe	93
PID 3520 wrote to memory of 3164	3520	cmd.exe	93
PID 4588 wrote to memory of 3196	4588	Deeper.pif	99
PID 4588 wrote to memory of 3196	4588	Deeper.pif	99
PID 4588 wrote to memory of 3196	4588	Deeper.pif	99
PID 4588 wrote to memory of 656	4588	Deeper.pif	100
PID 4588 wrote to memory of 656	4588	Deeper.pif	100
PID 4588 wrote to memory of 656	4588	Deeper.pif	100
PID 4588 wrote to memory of 656	4588	Deeper.pif	100
PID 4588 wrote to memory of 656	4588	Deeper.pif	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraBootstrapper V3.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara\Solara\SolaraBootstrapper V3.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Click Click.cmd && Click.cmd && exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3260
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 555061
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "latelygreeceharrymint" Heritage
      4⤵
      System Location Discovery: System Language Discovery
      PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Relative + ..\Milfhunter + ..\Player + ..\Monte + ..\Reggae + ..\Coin + ..\Punishment + ..\Operator + ..\Satisfactory + ..\Ross w
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\555061\Deeper.pif
      Deeper.pif w
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4588
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
- C:\Users\Admin\AppData\Local\Temp\555061\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\555061\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Users\Admin\AppData\Local\Temp\555061\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\555061\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\555061\Deeper.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\555061\RegAsm.exe

Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\555061\w

Filesize
575KB

MD5
e04fdf540c779e23fa10ee594007eb2b

SHA1
3bd06a672e14ce2f2c899fe42ac36d487dae2c14

SHA256
5563cfff3da0a04106a9270951ed587a13da5328795f91d4cd77dd667cfa0816

SHA512
3a1db73135c9762f154aea2c849781f8a470106a76946bfb38219c11108b7e891759592491c69bf2e11d98aaf6fdcb9c0891046fbefd810494c356c48abbc5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Click

Filesize
12KB

MD5
39a7afcc988e24e5648f26332e6503cf

SHA1
41ab3d6552399bfb8713700f042db71e2bb5f5df

SHA256
9894e29de2f116ad5ee0143c3b4ac7ae118299458dceb76ed6443c14ca8c8d5b

SHA512
4ce359020669bc5d62e0f47e1ff7fcbaac7fb10d6fc298197411178535a64b7a81729d5a2eee386d29e6950866674824b46cf98b93bb4391d6c827ff120a7c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coin

Filesize
86KB

MD5
9926cf3b9c9b05884d1d022919c17aca

SHA1
8ef3e60410b210f5ae2f8cb008602110a220651c

SHA256
3e83dd85db8c054f8fa5d9330968e33f1bf4a10d9285f7f353068a973d2a2646

SHA512
4bed587c22d3fb29d8c0836677eb293e1cb3fed7b9d19d0fc85c7cafdba6bd76799d6ccc0d1fce3517c5c533fc9d8ce0f027225a6f04a14fafb0fb7a2835e7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Handjobs

Filesize
872KB

MD5
7966e30c5c82f7516319c29973734b33

SHA1
b786aae4860d43b4c97d5a9e5fba0e385fdb609c

SHA256
a0a2df0b6726bd2c6bda8fc38114fe92b32eec1c3d621fcb7b2938ca2368b438

SHA512
714b5b9dfb9fdfc12f9f95f225aab16184c1f128267d2070b3e2f54663c1d5a31fbe6988ff9437d383352150d740d9e6d47794a95d4d1320f92a71870a85f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heritage

Filesize
285B

MD5
351b69558c552ab23429a11666b16ea7

SHA1
a822afdcb6cbfbbdb5c9e60e1a09fb7fd0133f0e

SHA256
81236e3f98b03472879e0f5ecf67bf0e288b23ad1c3c15ee2bb2c2d4d48714c1

SHA512
c6fbbb22c909f66e1d204ea88e79e37cce4079f5d2d60846a2f9dff56afc5c51324ef72f4c6184f9de60236437c9dd086596355c937e54195dfa444d7c21503e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Milfhunter

Filesize
50KB

MD5
f6ee6b9074e03f4a44bd5d5d18008ffa

SHA1
3fd0678c0ff417bb8fe22f45c3e8b0042a9b801c

SHA256
44736ae60d9770901e7f75ab6981ba0aa19e0e1112dfbf0fbec18b93e8c8dc59

SHA512
173270b615af216b398699772374dafe94fbcd3e455ae7aaf6689fa4b4944ad7d0a66eaeae24ee822d055109732d7b37286acf154bd070556dab8705b5705d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monte

Filesize
56KB

MD5
a9918a54367c2e47cb76a5b2818aaf3b

SHA1
7135fa3f5bfce8d0787235aa27d6ffefe67fd88f

SHA256
f8fd8c3de07b2334b53eccbd8adda06ac64092e16077d5f6dfbc820ede0b2b09

SHA512
f694492a14ba5064879eca217477eb31d5cb651cb14d0aa9239773ab28b690362b1f69bc7c2b6059fa821e2d4a45aae259cbd0dd635212b97c1b1704c6f861a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Operator

Filesize
72KB

MD5
21cd8ab9ea9095ade512fc894378569d

SHA1
9200bdf2699000475b3a856e91452772f5ef6218

SHA256
86afa7f20a0899d5e1ab11d0dc8d4d74650cbe29cfe5668e17e96eb10f04a49a

SHA512
b71953d05599fedde33ff5b3c3fe1b56aa605a17fdcf13a8d69c09cdb3f2a31eaa39e20d10a0bbd787b3051caf41e55e638da8c859623d571ea46b5fdd0f0147

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player

Filesize
79KB

MD5
82383a3fe45670303a943f51103ee9a7

SHA1
1878d4fac7a1220357e7a36c0ce0995bfe0c7566

SHA256
e4d90c5ec872a65e8049346798654ad0d8e54f1accfe042e0e0af150a2de65d2

SHA512
da56dac2ad54cdc9c94d9f0265bfdbd7ef81cb38607954d579451f28ea165fa5ed6de91d3a5608ea51c677b0bf4d8dec9518ae06b3f3c385d710562762744f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Punishment

Filesize
62KB

MD5
a243e0271481a4b08652c64530c60053

SHA1
e366193c2fe31a282ffe04b11dbe539667a683c8

SHA256
3496e6f89a269fd0820d18badf467d293ea16cb58b8e4d6d4d2b7ea7dabcc34c

SHA512
f9ee6066f4c6a58681e6a56a62b43e43d86d9b97a6b96a3e59371fb5871ea07ee4b2657fdfdaba519a3e8218e2f3427cdbb8f4190bd3dd421ea1dd044346c7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reggae

Filesize
59KB

MD5
7bbaba3c68920b935963292b8cf3c99e

SHA1
663647cb4ce3ca680380f950b0e0755dbc5691c1

SHA256
41adfd84674f5954e04010b779f490da3ebed5bef926b45d5aa636599328dea9

SHA512
8f6ae4124d0581decf445ed3a129689dad7ef0adb21de34479644e52751c5b72e39591c69c464a861ed1d8e5f6c994298c83d153aa7b75c3437086436dbf9b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relative

Filesize
56KB

MD5
efdfded40eddf0af6c5142a74073803a

SHA1
0c1ffbc7387d99b717d96fa343b7582c9092883f

SHA256
051bdf3bc1d0d6ea55002f1ef948d7d98030e27fab7eedd490fea599e88fe999

SHA512
96b854778150823e06f3c716ac940c68ad043738cc26e9463954b762f4a997493622d95011aab30624a3fafbe963957dad5523a36032971d2bfb2d71dd1d61f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ross

Filesize
266B

MD5
d7bb8ffb5e16dc8c0f769202fc2a1048

SHA1
83f20d171f03fd1cbc2a17a215455ce9e112af6a

SHA256
16ec82da6adbd96ef332315c570ff4bf99dd3b232f182bce734cdac3224fe6d9

SHA512
edeb64536dba72a2dbb3ab69f067233f702940eab6e7728f48f594ce5aefec71eaaddc5bed17dc1d103ebba4c132f20c680b7bd2883f7fced9e3c0a1a0380111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Satisfactory

Filesize
55KB

MD5
281281a1c53bc3906cc43075b3420d6f

SHA1
7284273b4b646c74032b93acac207d0021e7df68

SHA256
b646819d1c4897739acfa72f13bcf60f416557f7c193e5212d3ea246b0a4d723

SHA512
4165133069defc9c75be9262b7275a4bdda6d660cf060de3577c69321654186b517a21d31266959f8e456d2738d5bbbf0616f333ca7280af83036f02e0261226

Download Submit
memory/656-37-0x00000000007B0000-0x0000000000864000-memory.dmp

Filesize
720KB

Download
memory/656-40-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/656-41-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/656-42-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download