Analysis

max time kernel: 12s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-08-2024 22:53

Static task: static1
Behavioral task: behavioral1
Sample: BootstrapperSolara.exe
Resource: win10-20240404-en
General

Target: BootstrapperSolara.exe
Size: 961KB
MD5: fa965ef7dad222010cb3185768dddf72
SHA1: 64ea311586210eee0741f4e94f51c66a3e99dbf2
SHA256: 7851e924f810dab1284813a043f4e41f52306cb919085f0afc3a17b32c7da450
SHA512: 59057559c2a776660395a0a1d0ce67d3a7157b367f654b79f36c46df12c829a0c61a43718b57e5c1490367b6264202c9411e3d3fa74e58c59f05851abb5b6a61
SSDEEP: 12288:u0EgdoJsmwgZXgV7BqUURLBCt3KpOJE+sm93hW2FZm4sPMaJhf6ozg+GQm8gXags:6gyJs2QV0UURdCt3LJrhePMN
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid / Process: 4664 BootstrapperSolara.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4664 set thread context of 3728
  pid / Process: 4664 BootstrapperSolara.exe
  procid_target: 74
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (BootstrapperSolara.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSBuild.exe)
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings (firefox.exe)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeBackupPrivilege    3728 MSBuild.exe
  Token: SeSecurityPrivilege  3728 MSBuild.exe
  Token: SeSecurityPrivilege  3728 MSBuild.exe
  Token: SeSecurityPrivilege  3728 MSBuild.exe
  Token: SeSecurityPrivilege  3728 MSBuild.exe
  Token: SeDebugPrivilege     1752 firefox.exe
  Token: SeDebugPrivilege     1752 firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process: 1752 firefox.exe
  pid / Process: 1752 firefox.exe
  pid / Process: 1752 firefox.exe
  pid / Process: 1752 firefox.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid / Process: 1752 firefox.exe
  pid / Process: 1752 firefox.exe
  pid / Process: 1752 firefox.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 1752 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\BootstrapperSolara.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperSolara.exe"
  PID: 4664
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 3728
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3716
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 1752
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.0.733894132\788842340" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a44ad7-c45e-44d7-bbf8-592eded2deaa} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 1796 233535d5d58 gpu
          PID: 3464

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.1.330399325\507791651" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952a3467-0133-49c9-92a6-153dba2ec74b} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 2152 233534f9258 socket
          PID: 2820

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.2.2066577743\454859429" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2724 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {400f1f6b-705f-4c8f-b14b-699bc285c2c1} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 2744 2335779f858 tab
          PID: 2344

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.3.2040662128\1800026385" -childID 2 -isForBrowser -prefsHandle 3328 -prefMapHandle 3320 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10dc1c44-dbc1-4ac3-bf98-d75370cbde42} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 3336 23341272e58 tab
          PID: 2400

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.4.1132145575\862740739" -childID 3 -isForBrowser -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec919e8d-4d8b-42e0-94f2-7b1bce9abdcd} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 4412 23359a6dd58 tab
          PID: 980

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.5.1454078820\875009769" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67eb873d-6377-4634-9b2d-f700b62f6074} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 4920 23359c28a58 tab
          PID: 1744

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.6.495621573\1841488335" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88039c9b-ec0e-4b56-b84d-ad8f2ca1d056} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5040 23359d05358 tab
          PID: 4616

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.7.286616333\1465619261" -childID 6 -isForBrowser -prefsHandle 4936 -prefMapHandle 5036 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0af8b32a-032b-464c-9eaf-b9498d21a64a} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5148 23359d05658 tab
          PID: 620
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 6e85156b611360274e32e51263428d6c
  SHA1: a37eb50d06f1172a0acf9958a17646718866bc42
  SHA256: 0e3515504bb59261429598db25dfc986d9f09991f2ba5bcbcc6345447adcbfbb
  SHA512: 8a50a50d0833cea453807e442d124d6fed905e11204e0570842e06fcef8fbadf48b692b49ef97c56b143c7b3a06c066b1bba6ac5b3fb8f826031ccd577f1b3ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\3dd5a3cd-e65d-4d26-abe7-aa0f865ade93
  Filesize: 746B
  MD5: 26a1b31d4ddfcfed6a973b013db18413
  SHA1: c1ec522596a466e40abd7a8744c3b666b4593551
  SHA256: 91bf0f08ddb200745e1db29d025dd447b02e3a86e872f2e3b2adcce144558fa8
  SHA512: 4af9a8a6c2f3618ab97fac47a46f64a54a3ca45f381f043bf5b28eaefc1b098d51be7ef38dca6a9115a3441dd32c971bd3423d822c7d8d393675aa49ec982708

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\477c2802-cfe1-4930-876e-913511266238
  Filesize: 11KB
  MD5: 42bac29012329ef73836ecb9a9e85747
  SHA1: 6fdfcb24cec4495a7a93200159e46bfcd463d344
  SHA256: 8a86504ad6451683a832f6eee059da4fb040ac20d6d3d6bea248bb134ca46c17
  SHA512: 7756b3e663276aa6fed75d0bf01fb12daf6d16567fe27c7a846c1de5f3022ccfe77268c5413e763da986e589d1b8eec3ef6b3ee2e7de394301713d726abe8b01

(no path recorded)
  Filesize: 6KB
  MD5: dcefe79fd0bdd5f5963484983c88af19
  SHA1: 3152d059260003da559c36c4530206245ccce5bb
  SHA256: ca9ffd2a026f2ea225b08344f52fbef9c33b13329705dd4f3401d7373385f380
  SHA512: 1830eec7037dea8d93463d063a22666fbbabc9cebce37b1205f2d1b5da43d36a7190fce3a63107a4dcb4cfe9e1f5d712733bec93acb3e9025703841d27dce751

(no path recorded)
  Filesize: 1.2MB
  MD5: ee8f4d53a63875270bc1c0a28d791148
  SHA1: 963c75a3c698f536e32620f507bb607cbe7af72f
  SHA256: 8831023784ad6d17c0ac4f550f21e95699bc54da6a79a08c079852465fea5023
  SHA512: 43c4b8ffffe8169d7f773426f202a5aa136ca8a57b5d3f8b8a2467ab118cce149b944f405ca5d904d677e74069519ded4115f8a8629c2e59570bae01dad94972