Analysis
max time kernel: 192s
max time network: 196s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-08-2024 08:06
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win10-20240404-en
General
Target: Solara.exe
Size: 81.2MB
MD5: 10d3cf93e2763c12e2cb1861157bd11c
SHA1: 3a2995e034de83a7a2007809d62898ff361135f8
SHA256: 9edec2d7604cd19e991c680524d372e23b6a56452b2c93b7a9ef45bbedaf47c6
SHA512: c2ef4c4f63f5f47201daa7f9db8923e125297a86bbf93e8f355587a8c8febca60e689bb483de496441cc1d0ac6e65067c9eae696d6e575b4b32e21915e6ca5d4
SSDEEP: 1572864:YvxZQglPWjg7vaSk8IpG7V+VPhqHDE7jblgA7iYgj+h58sMw2IrD2:YvxZx9heSkB05awHaeA151
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 2 IoCs
vboxhook.dll and vboxmrxnp.dll are VirtualBox Guest Additions components; opening them succeeds only inside a VirtualBox guest, so probing for them is a VM check. Unlike the SCSI reads later in this report, these opens are attributed to Solara.exe itself.
Processes: Solara.exe
description ioc Process
File opened (read-only) C:\windows\system32\vboxhook.dll Solara.exe
File opened (read-only) C:\windows\system32\vboxmrxnp.dll Solara.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes so that the file is not shown by default in Explorer and in directory listings.
-
Executes dropped EXE 1 IoCs
Processes: Solara.exe
pid Process
3660 Solara.exe
-
Loads dropped DLL 64 IoCs
Processes: Solara.exe
pid Process
4980 Solara.exe (64 load events, all by this pid)
-
Matches yara rule upx 64 IoCs
Resources that matched the yara rule upx: dropped files (.dat) and memory regions mapped into pid 4980 (Solara.exe).
resource yara_rule
behavioral1/files/0x000700000001be92-1303.dat upx
behavioral1/memory/4980-1307-0x00007FFBF40D0000-0x00007FFBF46B8000-memory.dmp upx
behavioral1/files/0x000700000001accf-1309.dat upx
behavioral1/memory/4980-1317-0x00007FFBF8160000-0x00007FFBF816F000-memory.dmp upx
behavioral1/files/0x000700000001b0e6-1316.dat upx
behavioral1/memory/4980-1315-0x00007FFBF7CD0000-0x00007FFBF7CF4000-memory.dmp upx
behavioral1/files/0x000700000001accd-1318.dat upx
behavioral1/memory/4980-1320-0x00007FFBF7E10000-0x00007FFBF7E29000-memory.dmp upx
behavioral1/files/0x000700000001acd3-1321.dat upx
behavioral1/memory/4980-1323-0x00007FFBF7CA0000-0x00007FFBF7CCD000-memory.dmp upx
behavioral1/files/0x000700000001b0e8-1368.dat upx
behavioral1/files/0x000700000001b0e9-1369.dat upx
behavioral1/files/0x000700000001b0e7-1367.dat upx
behavioral1/files/0x000700000001b0e5-1366.dat upx
behavioral1/files/0x000700000001b0de-1365.dat upx
behavioral1/memory/4980-1370-0x00007FFBF56B0000-0x00007FFBF56C4000-memory.dmp upx
behavioral1/memory/4980-1371-0x00007FFBE55E0000-0x00007FFBE5955000-memory.dmp upx
behavioral1/memory/4980-1372-0x00007FFBF55E0000-0x00007FFBF55F9000-memory.dmp upx
behavioral1/memory/4980-1373-0x00007FFBF7C90000-0x00007FFBF7C9D000-memory.dmp upx
behavioral1/memory/4980-1374-0x00007FFBF55B0000-0x00007FFBF55DE000-memory.dmp upx
behavioral1/memory/4980-1377-0x00007FFBF53C0000-0x00007FFBF5478000-memory.dmp upx
behavioral1/memory/4980-1378-0x00007FFBF56A0000-0x00007FFBF56AD000-memory.dmp upx
behavioral1/memory/4980-1376-0x00007FFBF7CD0000-0x00007FFBF7CF4000-memory.dmp upx
behavioral1/memory/4980-1375-0x00007FFBF40D0000-0x00007FFBF46B8000-memory.dmp upx
behavioral1/memory/4980-1379-0x00007FFBF55A0000-0x00007FFBF55AB000-memory.dmp upx
behavioral1/memory/4980-1381-0x00007FFBF5390000-0x00007FFBF53B6000-memory.dmp upx
behavioral1/memory/4980-1380-0x00007FFBF7E10000-0x00007FFBF7E29000-memory.dmp upx
behavioral1/memory/4980-1382-0x00007FFBF30F0000-0x00007FFBF320C000-memory.dmp upx
behavioral1/memory/4980-1384-0x00007FFBF3260000-0x00007FFBF3296000-memory.dmp upx
behavioral1/memory/4980-1383-0x00007FFBF56B0000-0x00007FFBF56C4000-memory.dmp upx
behavioral1/memory/4980-1391-0x00007FFBF55E0000-0x00007FFBF55F9000-memory.dmp upx
behavioral1/memory/4980-1390-0x00007FFBF40B0000-0x00007FFBF40BB000-memory.dmp upx
behavioral1/memory/4980-1389-0x00007FFBF3E10000-0x00007FFBF3E1C000-memory.dmp upx
behavioral1/memory/4980-1395-0x00007FFBF30C0000-0x00007FFBF30CE000-memory.dmp upx
behavioral1/memory/4980-1396-0x00007FFBF55B0000-0x00007FFBF55DE000-memory.dmp upx
behavioral1/memory/4980-1394-0x00007FFBF30D0000-0x00007FFBF30DC000-memory.dmp upx
behavioral1/memory/4980-1393-0x00007FFBF30E0000-0x00007FFBF30EC000-memory.dmp upx
behavioral1/memory/4980-1392-0x00007FFBF3250000-0x00007FFBF325B000-memory.dmp upx
behavioral1/memory/4980-1388-0x00007FFBF4060000-0x00007FFBF406B000-memory.dmp upx
behavioral1/memory/4980-1387-0x00007FFBF40A0000-0x00007FFBF40AC000-memory.dmp upx
behavioral1/memory/4980-1386-0x00007FFBF40C0000-0x00007FFBF40CB000-memory.dmp upx
behavioral1/memory/4980-1385-0x00007FFBE55E0000-0x00007FFBE5955000-memory.dmp upx
behavioral1/memory/4980-1401-0x00007FFBF3090000-0x00007FFBF309B000-memory.dmp upx
behavioral1/memory/4980-1400-0x00007FFBF3040000-0x00007FFBF304C000-memory.dmp upx
behavioral1/memory/4980-1399-0x00007FFBF30A0000-0x00007FFBF30AB000-memory.dmp upx
behavioral1/memory/4980-1398-0x00007FFBF30B0000-0x00007FFBF30BC000-memory.dmp upx
behavioral1/memory/4980-1397-0x00007FFBF53C0000-0x00007FFBF5478000-memory.dmp upx
behavioral1/memory/4980-1402-0x00007FFBF3030000-0x00007FFBF303C000-memory.dmp upx
behavioral1/memory/4980-1404-0x00007FFBF3020000-0x00007FFBF302D000-memory.dmp upx
behavioral1/memory/4980-1403-0x00007FFBF5390000-0x00007FFBF53B6000-memory.dmp upx
behavioral1/memory/4980-1408-0x00007FFBF3260000-0x00007FFBF3296000-memory.dmp upx
behavioral1/memory/4980-1407-0x00007FFBF3010000-0x00007FFBF301C000-memory.dmp upx
behavioral1/memory/4980-1406-0x00007FFBF2DF0000-0x00007FFBF2E02000-memory.dmp upx
behavioral1/memory/4980-1405-0x00007FFBF30F0000-0x00007FFBF320C000-memory.dmp upx
behavioral1/memory/4980-1409-0x00007FFBF2DD0000-0x00007FFBF2DE5000-memory.dmp upx
behavioral1/memory/4980-1410-0x00007FFBF2DB0000-0x00007FFBF2DC2000-memory.dmp upx
behavioral1/memory/4980-1411-0x00007FFBF2D90000-0x00007FFBF2DA4000-memory.dmp upx
behavioral1/memory/4980-1412-0x00007FFBF2D60000-0x00007FFBF2D82000-memory.dmp upx
behavioral1/memory/4980-1413-0x00007FFBF2D40000-0x00007FFBF2D57000-memory.dmp upx
behavioral1/memory/4980-1414-0x00007FFBF2D20000-0x00007FFBF2D39000-memory.dmp upx
behavioral1/memory/4980-1415-0x00007FFBF2CD0000-0x00007FFBF2D1D000-memory.dmp upx
behavioral1/memory/4980-1417-0x00007FFBF2CB0000-0x00007FFBF2CC1000-memory.dmp upx
behavioral1/memory/4980-1416-0x00007FFBF3020000-0x00007FFBF302D000-memory.dmp upx
behavioral1/memory/4980-1418-0x00007FFBF2F30000-0x00007FFBF2F3A000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 1 IoCs
The value is written under HKLM (the machine-wide Run key), so the write succeeded with rights to modify HKLM, and it points into the user profile (a directory named Solara.exe containing a Solara.exe), the usual pattern for a sample persisting a copy of itself.
Processes: Solara.exe
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara.exe = "C:\\Users\\Admin\\Solara.exe\\Solara.exe" Solara.exe
-
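The three persistence and defense-evasion signatures above (PowerShell adding Defender exclusions, the hidden file attribute, and the HKLM Run value) are what host telemetry would surface for this sample. The Python below is an added example, not code from this report or from the sample: it runs three rules over constructed Sysmon-style events (Event ID 13 RegistryEvent SetValue, Event ID 1 ProcessCreate). The first event mirrors the Run value recorded on this page; the PowerShell and attrib command lines are assumed, since the report shows no command lines, and the ATT&CK technique IDs are the example's own mapping, not taken from the report. The Run-key rule raises severity when the value points into a user-writable directory, which is the detail that separates this entry from an ordinary installer.

```python
import re

# Constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (ProcessCreate)
# and Event ID 13 (RegistryEvent SetValue). Event 0 mirrors the Run value in this report;
# the other three are made up to exercise the rules and are not from the report.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\Solara.exe\Solara.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara.exe",
     "Details": r"C:\Users\Admin\Solara.exe\Solara.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Admin\Solara.exe\Solara.exe",
     "CommandLine": 'powershell -NoProfile -Command "Add-MpPreference -ExclusionPath '
                    'C:\\Users\\Admin\\Solara.exe -ExclusionProcess Solara.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Admin\Solara.exe\Solara.exe",
     "CommandLine": 'cmd /c attrib +h +s "C:\\Users\\Admin\\Solara.exe"'},
    {"EventID": 13, "Image": r"C:\Program Files\VendorApp\setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\VendorApp\app.exe"},
]

# Run / RunOnce under either hive; the hive prefix is deliberately not anchored.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can typically write to. A Run value pointing here is the
# self-copy-then-persist pattern and rates higher than a vendor installer under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Add-/Set-MpPreference with any of the exclusion parameters (path, extension, process).
MP_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.IGNORECASE | re.DOTALL)
# attrib +h is one common way to set the hidden attribute from a script.
ATTRIB_HIDDEN_RE = re.compile(r"\battrib(\.exe)?\b.*\+h\b", re.IGNORECASE)


def detect(event):
    """Return the alerts one event triggers. Technique IDs are this example's ATT&CK mapping."""
    alerts = []
    if event.get("EventID") == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        details = event.get("Details", "")
        in_user_dir = bool(USER_WRITABLE_RE.search(details))
        alerts.append({
            "technique": "T1547.001",
            "severity": "high" if in_user_dir else "info",
            "reason": f"Run value set to {details}" + (" (user-writable location)" if in_user_dir else ""),
        })
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if MP_EXCLUSION_RE.search(cmd):
            alerts.append({"technique": "T1562.001", "severity": "high",
                           "reason": "Defender exclusion added from the command line"})
        if ATTRIB_HIDDEN_RE.search(cmd):
            alerts.append({"technique": "T1564.001", "severity": "medium",
                           "reason": "hidden attribute set with attrib"})
    return alerts


def scan(events):
    """Run every rule over every event; each alert carries the originating image."""
    results = []
    for event in events:
        for alert in detect(event):
            results.append({"image": event.get("Image", ""), **alert})
    return results


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"[{hit['severity']:>6}] {hit['technique']} {hit['image']}: {hit['reason']}")
```

On the constructed events this yields four alerts: the Solara.exe Run value at high severity, the Defender exclusion, the attrib call, and the VendorApp Run value at info only, because its target lives under Program Files.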
Drops file in Windows directory 2 IoCs
Both files are .PNF (precompiled INF) files and both are written by svchost.exe, i.e. by the OS's Plug and Play / driver setup machinery, not by Solara.exe.
Processes: svchost.exe
description ioc Process
File created C:\Windows\INF\netsstpa.PNF svchost.exe
File created C:\Windows\INF\netrasa.PNF svchost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every one of the 64 hits is attributed to svchost.exe rather than to Solara.exe, which is consistent with normal Plug and Play device enumeration by the OS and is not by itself evidence of an anti-analysis check by the sample. The vendor strings (Ven_QEMU) do show that the analysis VM is QEMU-backed, which a VM-aware sample could read the same way; the Ven_Msft Virtual DVD-ROM entries are Windows' own virtual drive for mounted images and appear on physical hosts too.
Processes: svchost.exe
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe
-
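The two VM-fingerprint signatures in this report, the VirtualBox DLL probe (by Solara.exe) and the SCSI key reads (by svchost.exe), both produce IoC rows of the form `<action> <target> <process>`. The Python below is an added example, not code from the report or from the sample: it parses such rows, pulls the hypervisor fingerprint out of a DLL name or a SCSI device ID (the `Ven_X&Prod_Y` fields), and groups hits per process, so that the OS's own device enumeration is kept apart from what the sample itself did. The vendor tables are a small assumed subset; `SAMPLE_ROWS` are rows copied from this page.

```python
import re
from collections import defaultdict

# One IoC row as it appears in this report's "Processes" tables:
#   "<action> <target> <process>"
# The process name is the last whitespace-free token; the target may contain spaces.
ROW_RE = re.compile(
    r"^(?P<action>File opened \(read-only\)|File created|Key opened|Key created|"
    r"Key value queried|Set value \((?:str|int)\))\s+(?P<target>.+?)\s+(?P<process>\S+)$"
)

# Hypervisor fingerprints (assumed, non-exhaustive): guest-tools DLL name prefixes and
# the vendor strings a VM exposes in HKLM\SYSTEM\...\Enum\SCSI\<type>&Ven_X&Prod_Y.
GUEST_DLL_PREFIXES = {"vbox": "VirtualBox", "vmhgfs": "VMware", "vmmouse": "VMware"}
SCSI_VENDORS = {"QEMU": "QEMU/KVM", "VBOX": "VirtualBox", "VMWARE": "VMware"}
# "Ven_Msft&Prod_Virtual_DVD-ROM" is deliberately not mapped: Windows creates that
# device for any mounted ISO, on physical hardware too, so it is not a VM indicator.
SCSI_RE = re.compile(r"\\Enum\\SCSI\\[^\\]*?Ven_([^&\\]+)&Prod_([^&\\]+)", re.IGNORECASE)


def parse_row(row):
    """Split one flattened IoC row into action, target and process (None if malformed)."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    return {"action": m.group("action"), "target": m.group("target"), "process": m.group("process")}


def vm_artifact(target):
    """Return the hypervisor a file path or registry key points at, or None."""
    if not target.startswith("\\REGISTRY"):
        # File system path: judge by basename only.
        name = target.rsplit("\\", 1)[-1].lower()
        for prefix, vendor in GUEST_DLL_PREFIXES.items():
            if name.startswith(prefix):
                return vendor
        return None
    m = SCSI_RE.search(target)
    if m:
        return SCSI_VENDORS.get(m.group(1).upper())
    return None


def summarize(rows):
    """Map each process to the set of hypervisor fingerprints it touched."""
    hits = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        vendor = vm_artifact(parsed["target"])
        if vendor:
            hits[parsed["process"]].add(vendor)
    return dict(hits)


# Subset of this report's rows: two from the VirtualBox DLL signature, two from the
# SCSI signature, and the Run-key row as a non-VM control.
SAMPLE_ROWS = [
    r"File opened (read-only) C:\windows\system32\vboxhook.dll Solara.exe",
    r"File opened (read-only) C:\windows\system32\vboxmrxnp.dll Solara.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc svchost.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara.exe = "C:\\Users\\Admin\\Solara.exe\\Solara.exe" Solara.exe',
]

if __name__ == "__main__":
    for process, vendors in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{process}: {', '.join(sorted(vendors))}")
```

On the sample rows the summary attributes VirtualBox probing to Solara.exe and the QEMU device reads to svchost.exe; the Msft virtual DVD-ROM row and the Run-key row contribute nothing, which is the intended behaviour for a triage script that should not over-count noise.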
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments. Here all 11 reads are attributed to WINWORD.EXE and firefox.exe, not to Solara.exe, so on their own they do not show the sample fingerprinting the host.
Processes: WINWORD.EXE, firefox.exe
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
As with the processor reads, these BIOS/system reads come from WINWORD.EXE and chrome.exe, not from Solara.exe.
Processes: WINWORD.EXE, chrome.exe
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid Process
1272 taskkill.exe
-
Modifies data under HKEY_USERS 4 IoCs
Processes: svchost.exe, chrome.exe
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685286273565180" chrome.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings firefox.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid Process
4420 WINWORD.EXE (2 events)
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: Solara.exe, powershell.exe, chrome.exe
pid Process
4980 Solara.exe (6 events)
4860 powershell.exe (3 events)
4224 chrome.exe (2 events)
-
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid Process 4