Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 04:00

General

  • Target

    Solar/locales/cs.pak

  • Size

    572KB

  • MD5

    2d09d3ec0ea3db04075bada679ead06a

  • SHA1

    c0890988ff6386566e30854acfc6ac43e1af85f1

  • SHA256

    e1dbf1409f09b14fca2f4acc702c1bfc13c69cf9ff503278457a15ca08e2799a

  • SHA512

    b2a5aa0399f6c0506ea3105edff2ecfeb0647cdc8dfb460291ccdcdd50380075e1e869a36f63af150f27aa77916f378375eaa217092bc89534c1742eb839c8a4

  • SSDEEP

    6144:EqTUqwuqZ0inoARQ0nDA+AO5mDzr4/DNOOAzSBAmPy68QDsU:EWC6ooAeA55mDzr4/DNOrzS+mPr

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    2ddee545971162f7f01961e331e37654

    SHA1

    a484057634557cfe3c6f7d1a6f86938327bf103e

    SHA256

    f4c32f480a5a18a217b64faed46a81eda2e22fee6e30bd5450a8b3eaa8874a1e

    SHA512

    3e5084f03ed78ca00591d9504b719c6175b9aa7e3bb3668c0ce999ae122247168a7f83e671826a632d55064d9948734fb12a22922f5c5cda77efb23cc308241c