Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 24/08/2024, 09:17
Static task: static1
Behavioral task: behavioral1 (sample SolaraBootstrapper.exe, resource win7-20240704-en)
Behavioral task: behavioral2 (sample SolaraBootstrapper.exe, resource win10v2004-20240802-en)
General
- Target: SolaraBootstrapper.exe
- Size: 969KB
- MD5: b8a07270ae910250a280a14eee35b80f
- SHA1: c4c4a15fb067d11324c028cb36fbd4cb04cb26ce
- SHA256: 49a4a4641cbffaafce34a35cd4c74d486935db28906fc4acd71400f26d853cd0
- SHA512: c1fda7adb3324c3e697124520b50d852a1e7b3d238d2f7fb23311c4767de3babc6a4653f901e91a4d4fdf6fde3c464b0299a3b986875fb38dad16d036c3020b2
- SSDEEP: 24576:zYmtbhG5rt/PmeggdP8/L52miMaCn5FNF:bkxt/OeZP8/NDiMLTN
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Loads dropped DLL (1 IoC)
  pid 1472  process SolaraBootstrapper.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1472 set thread context of 4936  pid 1472  process SolaraBootstrapper.exe  procid_target 86
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process SolaraBootstrapper.exe
  description: Key opened  ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 4936  process MSBuild.exe
  pid 448   process msedge.exe
  pid 448   process msedge.exe
  pid 5260  process msedge.exe
  pid 5260  process msedge.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description: Token: SeBackupPrivilege    pid 4936  process MSBuild.exe
  description: Token: SeSecurityPrivilege  pid 4936  process MSBuild.exe
  description: Token: SeSecurityPrivilege  pid 4936  process MSBuild.exe
  description: Token: SeSecurityPrivilege  pid 4936  process MSBuild.exe
  description: Token: SeSecurityPrivilege  pid 4936  process MSBuild.exe
  description: Token: SeDebugPrivilege     pid 4936  process MSBuild.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   process                 procid_target
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 1472 wrote to memory of 4936  1472  SolaraBootstrapper.exe  86
  PID 3048 wrote to memory of 1472  3048  msedge.exe              109
  PID 3048 wrote to memory of 1472  3048  msedge.exe              109
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 3176  3048  msedge.exe              110
  PID 3048 wrote to memory of 448   3048  msedge.exe              111
  PID 3048 wrote to memory of 448   3048  msedge.exe              111
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
  PID 3048 wrote to memory of 3236  3048  msedge.exe              112
Processes (process tree; indentation shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe  PID:1472
  Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  PID:4936
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3048
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault82601646hb7a5h4110hade5hf2e7b86b2734
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1472
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xac,0x128,0x7ff9d15146f8,0x7ff9d1514708,0x7ff9d1514718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3176
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17478203683573746328,7005601983483700073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:448
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17478203683573746328,7005601983483700073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3236
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17478203683573746328,7005601983483700073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3044 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe  PID:5132
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe  PID:5208
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5984
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb61fa5d7h665eh4876h8534hbfd23d600909
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5996
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d15146f8,0x7ff9d1514708,0x7ff9d1514718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5252
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17258661120494305881,17066108566995628726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5260
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17258661120494305881,17066108566995628726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5280
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17258661120494305881,17066108566995628726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe  PID:1168
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe  PID:4084
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads