Analysis
-
max time kernel
30s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2024 01:00
Behavioral task
behavioral1
Sample
Solaraً/Bootstrapperً.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Solaraً/Bootstrapperً.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Solaraً/bin/api.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
Solaraً/bin/api.dll
Resource
win10v2004-20240802-en
General
-
Target
Solaraً/Bootstrapperً.exe
-
Size
502KB
-
MD5
7461b0c49f96d52fe0b2c0176e0aa275
-
SHA1
24116687fc970ffc24239838d61f294ff4c2b041
-
SHA256
4df54a234bc14ecd805d807271895be6e3115206a9a07dbc2d3c9fb9567b99b9
-
SHA512
76502a5b1f7e2243e6fcc969c7121694bffc7e5039c0f5a257eddd9aca744acf17a819c4a48fdb29fedf51e5a70e1929c81895e08e5afff2e21006590af3a5ce
-
SSDEEP
12288:0gUgsiwptTLgEiBKWaAEmGQL7/yg/cKTlLolg+:QFptTWBKFAEmGQLugECx
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Bootstrapperً.exedescription pid process target process PID 2472 set thread context of 5096 2472 Bootstrapperً.exe RegAsm.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bootstrapperً.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapperً.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
RegAsm.exepid process 5096 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
RegAsm.exedescription pid process Token: SeBackupPrivilege 5096 RegAsm.exe Token: SeSecurityPrivilege 5096 RegAsm.exe Token: SeSecurityPrivilege 5096 RegAsm.exe Token: SeSecurityPrivilege 5096 RegAsm.exe Token: SeSecurityPrivilege 5096 RegAsm.exe Token: SeDebugPrivilege 5096 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Bootstrapperً.exedescription pid process target process PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe PID 2472 wrote to memory of 5096 2472 Bootstrapperً.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solaraً\Bootstrapperً.exe"C:\Users\Admin\AppData\Local\Temp\Solaraً\Bootstrapperً.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096