Analysis
- max time kernel: 16s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11-08-2024 16:29
Behavioral task: behavioral1
- Sample: SolaraV2.1 nano.exe
- Resource: win7-20240704-en
General
- Target: SolaraV2.1 nano.exe
- Size: 698KB
- MD5: 0861b1b5f623ebf122b517cd3250357f
- SHA1: 6ce6bf05c7bad841edeb1c9c5e4772b4d6de9707
- SHA256: 83d064ee508b2543d3f9fc16f4ed16fee34cf130713d3cee54d5f20ce7f452cc
- SHA512: 194852228b7ac1763a37c672c4f139548541b026f2d7835b136e5751c11c82dfb3cbaefbc732b29d02900db33ac0324c8be2fc8ab57b179a06fec8e7c73e8c4d
- SSDEEP: 12288:0LV6BtpmkBl5sqhmzNgpM/9J67+VDNcuOIJfnQLLm:GApfBl5sqhmzNyM/f6ytOsoLS
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: SolaraV2.1 nano.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Subsystem = "C:\\Program Files (x86)\\LAN Subsystem\\lanss.exe"
  process: SolaraV2.1 nano.exe
Checks whether UAC is enabled
Processes: SolaraV2.1 nano.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: SolaraV2.1 nano.exe
Drops file in Program Files directory (2 IoCs)
Processes: SolaraV2.1 nano.exe
- description: File created
  ioc: C:\Program Files (x86)\LAN Subsystem\lanss.exe
  process: SolaraV2.1 nano.exe
- description: File opened for modification
  ioc: C:\Program Files (x86)\LAN Subsystem\lanss.exe
  process: SolaraV2.1 nano.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: schtasks.exe, SolaraV2.1 nano.exe, schtasks.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: schtasks.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: SolaraV2.1 nano.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- pid: 2440, process: schtasks.exe
- pid: 2268, process: schtasks.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: SolaraV2.1 nano.exe
- pid: 2552, process: SolaraV2.1 nano.exe (18 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: SolaraV2.1 nano.exe
- pid: 2552, process: SolaraV2.1 nano.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SolaraV2.1 nano.exe
- description: Token: SeDebugPrivilege, pid: 2552, process: SolaraV2.1 nano.exe
- description: Token: SeDebugPrivilege, pid: 2552, process: SolaraV2.1 nano.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: SolaraV2.1 nano.exe
- description: PID 2552 wrote to memory of 2440, process: SolaraV2.1 nano.exe, target process: schtasks.exe (4 occurrences)
- description: PID 2552 wrote to memory of 2268, process: SolaraV2.1 nano.exe, target process: schtasks.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\SolaraV2.1 nano.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraV2.1 nano.exe"
  PID: 2552
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 2552)
    Command line: "schtasks.exe" /create /f /tn "LAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC5CF.tmp"
    PID: 2440
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 2552)
    Command line: "schtasks.exe" /create /f /tn "LAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC67B.tmp"
    PID: 2268
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: 4bb70ae457112a038573b994ab89c3ae
  SHA1: 7e5057e0034d70f94c17c10438437b138f055780
  SHA256: 411a8d9306b8233d8dad43faae19467494e84a5458e6e2c461bc9db4c10a940c
  SHA512: aaba48de49eb6fef60ec38e3f9f7ec3b4fc5962ff95259c9362afd01a30c6d290475b4c9c4dc5ba442de106ad4bde38d28768caf3f6aaf309e613cc115711dd1
- Filesize: 1KB
  MD5: 924694e208642d4d8a4c7e0f0cba0de1
  SHA1: 87e9496a918036c3e3902f125b95a47e38548828
  SHA256: 8de0bab59a9fe15f312e81a373382ed992ce5110deb3813f663b92cfc5eae0b6
  SHA512: ef3cfc08df53777f13fb51fdc0269f6f686c0df57c4dd72f395dc53d1d8ef2b08e33c3601507a45c3cc31a25b70ebf365d0fa93db64e1e851173216a45c49c2c