Resubmissions

25-08-2024 22:59

240825-2yjmeasakk 7

25-08-2024 22:53

240825-2t8qqs1gmp 7

Analysis

  • max time kernel
    12s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    25-08-2024 22:53

General

  • Target

    BootstrapperSolara.exe

  • Size

    961KB

  • MD5

    fa965ef7dad222010cb3185768dddf72

  • SHA1

    64ea311586210eee0741f4e94f51c66a3e99dbf2

  • SHA256

    7851e924f810dab1284813a043f4e41f52306cb919085f0afc3a17b32c7da450

  • SHA512

    59057559c2a776660395a0a1d0ce67d3a7157b367f654b79f36c46df12c829a0c61a43718b57e5c1490367b6264202c9411e3d3fa74e58c59f05851abb5b6a61

  • SSDEEP

    12288:u0EgdoJsmwgZXgV7BqUURLBCt3KpOJE+sm93hW2FZm4sPMaJhf6ozg+GQm8gXags:6gyJs2QV0UURdCt3LJrhePMN

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperSolara.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperSolara.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.0.733894132\788842340" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a44ad7-c45e-44d7-bbf8-592eded2deaa} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 1796 233535d5d58 gpu
        3⤵
        PID:3464
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.1.330399325\507791651" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952a3467-0133-49c9-92a6-153dba2ec74b} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 2152 233534f9258 socket
        3⤵
        PID:2820
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.2.2066577743\454859429" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2724 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {400f1f6b-705f-4c8f-b14b-699bc285c2c1} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 2744 2335779f858 tab
        3⤵
        PID:2344
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.3.2040662128\1800026385" -childID 2 -isForBrowser -prefsHandle 3328 -prefMapHandle 3320 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10dc1c44-dbc1-4ac3-bf98-d75370cbde42} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 3336 23341272e58 tab
        3⤵
        PID:2400
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.4.1132145575\862740739" -childID 3 -isForBrowser -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec919e8d-4d8b-42e0-94f2-7b1bce9abdcd} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 4412 23359a6dd58 tab
        3⤵
        PID:980
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.5.1454078820\875009769" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67eb873d-6377-4634-9b2d-f700b62f6074} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 4920 23359c28a58 tab
        3⤵
        PID:1744
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.6.495621573\1841488335" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88039c9b-ec0e-4b56-b84d-ad8f2ca1d056} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5040 23359d05358 tab
        3⤵
        PID:4616
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.7.286616333\1465619261" -childID 6 -isForBrowser -prefsHandle 4936 -prefMapHandle 5036 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0af8b32a-032b-464c-9eaf-b9498d21a64a} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5148 23359d05658 tab
        3⤵
        PID:620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    6e85156b611360274e32e51263428d6c

    SHA1

    a37eb50d06f1172a0acf9958a17646718866bc42

    SHA256

    0e3515504bb59261429598db25dfc986d9f09991f2ba5bcbcc6345447adcbfbb

    SHA512

    8a50a50d0833cea453807e442d124d6fed905e11204e0570842e06fcef8fbadf48b692b49ef97c56b143c7b3a06c066b1bba6ac5b3fb8f826031ccd577f1b3ad

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\3dd5a3cd-e65d-4d26-abe7-aa0f865ade93

    Filesize

    746B

    MD5

    26a1b31d4ddfcfed6a973b013db18413

    SHA1

    c1ec522596a466e40abd7a8744c3b666b4593551

    SHA256

    91bf0f08ddb200745e1db29d025dd447b02e3a86e872f2e3b2adcce144558fa8

    SHA512

    4af9a8a6c2f3618ab97fac47a46f64a54a3ca45f381f043bf5b28eaefc1b098d51be7ef38dca6a9115a3441dd32c971bd3423d822c7d8d393675aa49ec982708

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\477c2802-cfe1-4930-876e-913511266238

    Filesize

    11KB

    MD5

    42bac29012329ef73836ecb9a9e85747

    SHA1

    6fdfcb24cec4495a7a93200159e46bfcd463d344

    SHA256

    8a86504ad6451683a832f6eee059da4fb040ac20d6d3d6bea248bb134ca46c17

    SHA512

    7756b3e663276aa6fed75d0bf01fb12daf6d16567fe27c7a846c1de5f3022ccfe77268c5413e763da986e589d1b8eec3ef6b3ee2e7de394301713d726abe8b01

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js

    Filesize

    6KB

    MD5

    dcefe79fd0bdd5f5963484983c88af19

    SHA1

    3152d059260003da559c36c4530206245ccce5bb

    SHA256

    ca9ffd2a026f2ea225b08344f52fbef9c33b13329705dd4f3401d7373385f380

    SHA512

    1830eec7037dea8d93463d063a22666fbbabc9cebce37b1205f2d1b5da43d36a7190fce3a63107a4dcb4cfe9e1f5d712733bec93acb3e9025703841d27dce751

  • \Users\Admin\AppData\Roaming\d3d9x.dll

    Filesize

    1.2MB

    MD5

    ee8f4d53a63875270bc1c0a28d791148

    SHA1

    963c75a3c698f536e32620f507bb607cbe7af72f

    SHA256

    8831023784ad6d17c0ac4f550f21e95699bc54da6a79a08c079852465fea5023

    SHA512

    43c4b8ffffe8169d7f773426f202a5aa136ca8a57b5d3f8b8a2467ab118cce149b944f405ca5d904d677e74069519ded4115f8a8629c2e59570bae01dad94972

  • memory/3728-21-0x00000000084F0000-0x000000000852E000-memory.dmp

    Filesize

    248KB

  • memory/3728-20-0x0000000008490000-0x00000000084A2000-memory.dmp

    Filesize

    72KB

  • memory/3728-109-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/3728-14-0x00000000058F0000-0x0000000005DEE000-memory.dmp

    Filesize

    5.0MB

  • memory/3728-15-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/3728-16-0x0000000005510000-0x00000000055A2000-memory.dmp

    Filesize

    584KB

  • memory/3728-17-0x00000000054A0000-0x00000000054AA000-memory.dmp

    Filesize

    40KB

  • memory/3728-18-0x00000000089D0000-0x0000000008FD6000-memory.dmp

    Filesize

    6.0MB

  • memory/3728-19-0x0000000008560000-0x000000000866A000-memory.dmp

    Filesize

    1.0MB

  • memory/3728-13-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/3728-9-0x0000000000400000-0x00000000004FA000-memory.dmp

    Filesize

    1000KB

  • memory/3728-22-0x0000000008670000-0x00000000086BB000-memory.dmp

    Filesize

    300KB

  • memory/3728-23-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/4664-11-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/4664-0-0x0000000073C6E000-0x0000000073C6F000-memory.dmp

    Filesize

    4KB

  • memory/4664-4-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/4664-12-0x0000000073C60000-0x000000007434E000-memory.dmp

    Filesize

    6.9MB

  • memory/4664-1-0x0000000000A70000-0x0000000000B66000-memory.dmp

    Filesize

    984KB