Analysis
max time kernel: 124s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 22:34
Behavioral tasks (this page shows the results of behavioral2; the memory-dump IoC below is tagged behavioral2 and the resource is win10v2004-20240802-en)
behavioral1: Solara/SolaraBootstrapper.exe on win7-20240903-en
behavioral2: Solara/SolaraBootstrapper.exe on win10v2004-20240802-en
behavioral3: Solara/bin/api.dll on win7-20240708-en
behavioral4: Solara/bin/api.dll on win10v2004-20240802-en
General
Target: Solara/SolaraBootstrapper.exe
Size: 309KB
MD5: becc7a2510958905e91572f6259079fc
SHA1: 885ef041f4f6c37a68752f246fc70a7b440e4d64
SHA256: 2b424e128aaaa7ea88e6076e72516d60e149a6cfe20e861191e261b4bcd743d9
SHA512: cbfa0892764a588d4837d7c1c37407c5999bcadc6770a0885e54493457fff8b256a19af2bd6e08e7e042f67bb6b1f3c63a21e71c47af33b463f1a7863725ad01
SSDEEP: 6144:YTxVlfJeX2+LOO1EuN1o1j0v2fA9LnH9niSr5QR0ZyeIxYhH9XDQc4/Q:YTblfJemsOONOj03UO5y0ZUxu9
Malware Config
Extracted
Family: redline
C2: 185.196.9.26:6302
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/2376-4-0x0000000000400000-0x0000000000452000-memory.dmp
yara_rule: family_redline
(The RedLine payload is matched in the memory of PID 2376, the second RegAsm.exe, not in the bootstrapper on disk.)
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
PID 4504 (SolaraBootstrapper.exe) set thread context of PID 2376 (RegAsm.exe)
(RegAsm.exe is a .NET Framework utility that normally takes an assembly path as its argument; here it is started with no arguments from a binary in a user-writable Temp directory, written to, and then has its thread context replaced, which is the process-hollowing pattern.)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by SolaraBootstrapper.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
(Both the dropper and the hollowed RegAsm.exe payload process read the language key.)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe
(These events are attributed to chrome.exe, which in the process tree below is a top-level process rather than a child of the sample.)
Modifies data under HKEY_USERS (2 IoCs)
Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133706541666375961" by chrome.exe
Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry by chrome.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
PID 2376 (RegAsm.exe): 16 process-enumeration events
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege enabled by PID 2376 (RegAsm.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
PID 4504 (SolaraBootstrapper.exe) wrote to memory of PID 4568 (RegAsm.exe): 3 events
PID 4504 (SolaraBootstrapper.exe) wrote to memory of PID 2376 (RegAsm.exe): 8 events
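The WriteProcessMemory and SetThreadContext entries above, read together, are what turn "a .NET utility started with no arguments" into a process-hollowing finding: the bootstrapper writes into two RegAsm.exe children, but only the second (PID 2376) also receives SetThreadContext, and only that one later reads the NLS\Language key and matches the RedLine YARA rule. The Python below is an added example, not part of this report or of the sample. It replays the report's events as constructed records (the event schema, the sequence numbers and the list of .NET host binaries beyond RegAsm.exe are assumptions) and correlates writes with a later SetThreadContext from the same writer, then attributes the language-key read to the payload process rather than the dropper.

```python
"""Correlate per-process sandbox events into injection findings.

Added example, not part of the sandbox report or of the analysed sample. The
Event records are constructed from the report's WriteProcessMemory,
SetThreadContext and registry entries; the schema and sequence numbers are
assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# .NET Framework utilities commonly started with no arguments purely to host an
# injected payload (assumption: RegAsm.exe is the one seen in this report; the
# others are added for generality).
DOTNET_HOST_BINARIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


@dataclass(frozen=True)
class Event:
    seq: int                         # ordering within the trace (assumed)
    kind: str                        # write_memory | set_thread_context | reg_open
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: str = ""


def _ev(seq, kind, pid, image, tpid=None, timage=None, detail=""):
    return Event(seq, kind, pid, image, tpid, timage, detail)


# Constructed from the report: 3 writes into PID 4568, 8 writes plus one
# SetThreadContext into PID 2376, and both the dropper and the hollowed
# RegAsm.exe opening the NLS\Language key.
SAMPLE_EVENTS = (
    [_ev(i, "write_memory", 4504, "SolaraBootstrapper.exe", 4568, "RegAsm.exe") for i in range(1, 4)]
    + [_ev(i, "write_memory", 4504, "SolaraBootstrapper.exe", 2376, "RegAsm.exe") for i in range(4, 12)]
    + [
        _ev(12, "set_thread_context", 4504, "SolaraBootstrapper.exe", 2376, "RegAsm.exe"),
        _ev(13, "reg_open", 4504, "SolaraBootstrapper.exe", detail=LANGUAGE_KEY),
        _ev(14, "reg_open", 2376, "RegAsm.exe", detail=LANGUAGE_KEY),
    ]
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    evidence: str


def find_injection(events):
    """Pair WriteProcessMemory with a later SetThreadContext from the same writer."""
    writes = defaultdict(list)   # (writer_pid, target_pid) -> [seq, ...]
    ctx = {}                     # (writer_pid, target_pid) -> seq of SetThreadContext
    images = {}                  # target_pid -> image name
    for e in sorted(events, key=lambda e: e.seq):
        if e.kind == "write_memory":
            writes[(e.pid, e.target_pid)].append(e.seq)
        elif e.kind == "set_thread_context":
            ctx[(e.pid, e.target_pid)] = e.seq
        if e.target_pid is not None:
            images[e.target_pid] = e.target_image
    findings = []
    for key, seqs in writes.items():
        writer, target = key
        timage = images.get(target, "?")
        hosted = timage.lower() in DOTNET_HOST_BINARIES
        if key in ctx and ctx[key] > min(seqs):
            findings.append(Finding(
                "process_hollowing", target, timage,
                f"{len(seqs)} write(s) from PID {writer} then SetThreadContext"
                + (" into a known .NET host binary" if hosted else "")))
        else:
            # Writes without a context switch: an abandoned or failed attempt.
            findings.append(Finding(
                "partial_injection", target, timage,
                f"{len(seqs)} write(s) from PID {writer}, no SetThreadContext observed"))
    return findings


def find_language_checks(events, hollowed_pids):
    """Flag NLS\\Language reads; a read from a hollowed process shows the payload
    itself, not only the dropper, is checking the victim's locale."""
    out = []
    for e in events:
        if e.kind == "reg_open" and e.detail.lower() == LANGUAGE_KEY.lower():
            origin = "payload" if e.pid in hollowed_pids else "dropper"
            out.append(Finding("language_check", e.pid, e.image, f"{origin} read {e.detail}"))
    return out


def analyse(events):
    """Run both correlations; hollowed PIDs feed the language-check attribution."""
    inj = find_injection(events)
    hollowed = {f.pid for f in inj if f.rule == "process_hollowing"}
    return inj + find_language_checks(events, hollowed)


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:20} pid={f.pid:<5} {f.image:25} {f.evidence}")
```

Run stand-alone it prints four findings: a partial injection into PID 4568, process hollowing of PID 2376 into a known .NET host binary, and one language-key read each from the dropper and from the payload. The ordering check (`ctx[key] > min(seqs)`) matters in real telemetry: a SetThreadContext that precedes every write is a thread suspend/resume of an already-running child, not hollowing.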
Processes (indentation shows parent/child; signatures triggered by a process are listed under it)

PID 4504  "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    PID 4568  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID 2376  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

PID 740  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8

PID 2392  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1368  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
    PID 4880  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff94686cc40,0x7ff94686cc4c,0x7ff94686cc58
    PID 3524  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1928 /prefetch:2
    PID 1548  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2052 /prefetch:3
    PID 4012  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
    PID 1040  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --field-trial-handle=3152,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
    PID 1892  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --field-trial-handle=3192,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
    PID 3012  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --field-trial-handle=4484,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4508 /prefetch:1
    PID 4728  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
    PID 3472  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5092 /prefetch:8
    PID 1256  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=4840,i,14134138901927459285,472665116768173383,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:1

PID 60  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

PID 4504  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 212KB
MD5: 08ec57068db9971e917b9046f90d0e49
SHA1: 28b80d73a861f88735d89e301fa98f2ae502e94b
SHA256: 7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1
SHA512: b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Filesize: 1KB
MD5: 9da29d5bf33f9a98ac4565011b7e7409
SHA1: 494fba72b4cdef5e332947ab80efd61853ff8d03
SHA256: fb729f6ac7d434695eff6173ce78f6a015b66c2cbda881eaa7e222b5a13410c7
SHA512: a0493b787591fd72079fb0cf6cb0cbd4ceb3794ada75dbdbf0c28fb40cab0ba4f960c496e4253bf2dc9ceb05a53fa10f224f08ea66352b302f0714252bb6fd89

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 354B
MD5: dd3dbc3f574b0a63b412cfaae86d634b
SHA1: b29d699b98c41bcc42cbcbf2923751ce557e1641
SHA256: de04bb0eb1c9e94f33aeeb33e533fde0d5b5b0d292a66d27e15c7eee4dbac921
SHA512: 263326dc2d72cd12139cef6f58401fcab8eebe2ae348f49ec0c0cbd92d4994c53cbd6af4a89ab8bf10e7d78e4a5f15a3227dec652c4b64098a7fb5b041c3e01a

Filesize: 354B
MD5: 2c9a56a5912c79be5875a209d10c199d
SHA1: 357a2901aaaabfd77fc2433c0fbeca85acd3fc83
SHA256: 893a98b629b10d272cb5081b51dd2b631d2d5cc942d3c383ba25ba440f001936
SHA512: 9105d66096ee18a4cf82d4e1a80a307f4a146dddfb1fa8ca3175558061299fdfeb8521dbb87d7e55773756850c7d540c873256d10829a92151d4e47c588eee16
Filesize: 0B (no size was listed; these four values are the well-known digests of zero-length input, so this entry is an empty file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e