Overview

overview

9

Static

static

7

SolarisLoader.exe

windows7-x64

9

SolarisLoader.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    35s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SolarisLoader.exe

  • Size

    3.2MB

  • MD5

    0bcad67b64ad0450bb0493cb9c843763

  • SHA1

    f1bd479efbba27a2207376e4dee75e50a8d7894e

  • SHA256

    05e7c6e07e56087211ed50e79587181f8ca0d0195f130d2d5e15e90931708665

  • SHA512

    1fbea4edc275b25e99c4a27c228085d2fe937afe942300b487fd2be0e91b218c57b6e3036e4f98e3c1536209cf604d84308dbd46302eb92a5e2b1affdaa0e15b

  • SSDEEP

    98304:wsmjK0LZDp9Sj4AUvrCP/ybS+YsVQ/B0:+GkL9Frw/c6iQ

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolarisLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\SolarisLoader.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\Documents\SolarisUpdated\SolarisUpdated.exe
      "C:\Users\Admin\Documents\SolarisUpdated\SolarisUpdated.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\SolarisUpdated\Solaris V5.deps.json
    Filesize

    422B

    MD5

    1a64e8c4c6778c5a9555c666594e8cd7

    SHA1

    f7307850bb4ee2720d0e34ce1b2d6265ce9bef06

    SHA256

    7bce2c549b2edc6885c68f334621df12665afb7e364ec120adf3782ac40c877b

    SHA512

    564e66e91b6caa88b45a20effd1dc6ec12dd485497f398705a98301bd8f76e070bfd68859f4de9f62537399507c154200545991f8d5bb18784c0b406514d4154

    Download Submit

  • C:\Users\Admin\Documents\SolarisUpdated\Solaris V5.dll
    Filesize

    865KB

    MD5

    a656e53763e90f256d7fde2b7c110feb

    SHA1

    f2f196344a7dde1667d0fae52c1f71ad1e7390ca

    SHA256

    434beed70d8649f2b9de5ae74b453f0c5f9eef007d786a792d8896123b8ba6a4

    SHA512

    f7713f30b053e9e6f2e4a426dfc50de330bea62590b4f99b3e03e261ff101150c4493d13cc539f0d20e6d1a97edfdcfabcc23f6330ab2f24cd5a367a777fac2c

    Download Submit

  • C:\Users\Admin\Documents\SolarisUpdated\Solaris V5.runtimeconfig.json
    Filesize

    386B

    MD5

    186a65581e2f29258f54d396660409fa

    SHA1

    6f998d3be2e85cb5419205f867135874f27c0a3a

    SHA256

    e1e0974d0e8833375024eb7c78521b3b5cad4228aad22b23d506cbe702445844

    SHA512

    7dea87b523aab01ea3c794779b71bc0b52179e1d5e7b9a45539ddd39c775969ef22853c4c193699aec1e3fa3cbe26e90e3a4881226c52a3aacae1eac260ff896

    Download Submit

  • C:\Users\Admin\Documents\SolarisUpdated\SolarisUpdated.exe
    Filesize

    3.4MB

    MD5

    e59e77c621c33efec47b70e44060f4ae

    SHA1

    ec75e527036b1120708e383ec48c078ea0218f41

    SHA256

    7859db9fc6737cb88fcee86db323108dac51c963da28cbee2fd75bb22ea3cdc8

    SHA512

    dce3e3c8449b66cb5819f3973fb983f4a33ff7e49ed399c126d4240279a4d07fc2709f030ee9334a9de2d7140abe6c64f9be7b34a3940a8a7558f5db6875cfeb

    Download Submit

  • memory/736-190-0x00007FF6BED60000-0x00007FF6BF6C9000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/736-186-0x00007FF6BED60000-0x00007FF6BF6C9000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/736-183-0x00007FF6BED60000-0x00007FF6BF6C9000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/736-184-0x00007FF6BED60000-0x00007FF6BF6C9000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/736-179-0x00007FFF60ED0000-0x00007FFF60ED2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/736-178-0x00007FF6BED60000-0x00007FF6BF6C9000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/1236-8-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-9-0x0000000000A50000-0x000000000130E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1236-12-0x0000000000A50000-0x000000000130E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1236-13-0x0000000076930000-0x0000000076931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-15-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-14-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-16-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-17-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-19-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-21-0x0000000006810000-0x0000000006822000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1236-10-0x0000000000A50000-0x000000000130E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1236-11-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1236-0-0x0000000000A50000-0x000000000130E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1236-7-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-5-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-185-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-182-0x0000000000A50000-0x000000000130E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1236-6-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-3-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-4-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-2-0x0000000076910000-0x0000000076A00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1236-1-0x0000000076930000-0x0000000076931000-memory.dmp

    Filesize

    4KB

    Download