Analysis
max time kernel: 35s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 20:08
Static task: static1
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240729-en
General
Target: Solara.exe
Size: 1.4MB
MD5: 8c6298202dd74e77b238f50a26a07233
SHA1: 6d71bb75a517e873a16398330dcda437cde26e6d
SHA256: 7cc4643e4b4a49820cb461ef005e129363c3336b9d28dde1aa397b7118f709f0
SHA512: 7856dee0adb985ef521e2c7ff7a1ffeb9b39f18743e2c18ad9cd3f6f9b87a70a1f9fde108492b8362b67910e82c9c18be57af65f8f2c5d90ed5494873ede96b1
SSDEEP: 24576:j6F4Df9Gpethg/Md+54x8C2p1ywbxpPzgXSX+O0b33fzEhsx7wHJL08b1YLl5wmr:j6FKf9Gwhg/++W6bp1rbxpPzJLu38sxl
Malware Config
Extracted family: meduza
C2: 127.0.0.1
Note that the extracted C2 is the loopback address, so this build cannot reach a remote server as configured; treat the C2 as non-actionable and rely on the file hashes and behavioral indicators below for detection.
Signatures
Meduza Stealer payload (4 IoCs)
YARA rule family_meduza matched four memory dumps of PID 4108 (task behavioral2), all covering the same region 0x0000000140000000-0x0000000140103000:
behavioral2/memory/4108-3-0x0000000140000000-0x0000000140103000-memory.dmp
behavioral2/memory/4108-5-0x0000000140000000-0x0000000140103000-memory.dmp
behavioral2/memory/4108-6-0x0000000140000000-0x0000000140103000-memory.dmp
behavioral2/memory/4108-9-0x0000000140000000-0x0000000140103000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Registry value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (process: Solara.exe)
Loads dropped DLL (1 IoC)
PID 2996 Solara.exe
Suspicious use of SetThreadContext (1 IoC)
PID 2996 (Solara.exe) set thread context of PID 4108 (procid_target 82)
NTFS ADS (1 IoC)
File created: C:\Users\Admin\AppData\Local\Temp\a.exe:extractor.dll (process: Solara.exe)
Suspicious use of WriteProcessMemory (17 IoCs)
PID 2996 (Solara.exe) wrote to memory of PID 4108 (procid_target 82), 17 separate writes
Read together, these signatures describe one sequence: the first Solara.exe (PID 2996) spawns a second copy of its own image (PID 4108), writes into it 17 times, resets a thread context in it, and the Meduza payload is then found only in 4108, mapped at 0x140000000 (the default image base for 64-bit PE executables). That is the pattern of process hollowing (ATT&CK T1055.012); the on-disk file and the parent process never show the stealer itself, so memory-based detection of the child is what catches it.
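The correlation described above, as an added example that is not part of the Triage report: a small Python script that parses event lines in the shape this report uses (WriteProcessMemory and SetThreadContext lines plus memory-dump YARA hits), groups them by target PID, and decides whether a writer/target pair looks like process hollowing. The event lines and the process tree below are constructed to mirror this report (three of the 17 write events are shown); the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample events, abbreviated from the report's signature lines.
SAMPLE_EVENTS = """\
PID 2996 wrote to memory of 4108 2996 Solara.exe 82
PID 2996 wrote to memory of 4108 2996 Solara.exe 82
PID 2996 wrote to memory of 4108 2996 Solara.exe 82
PID 2996 set thread context of 4108 2996 Solara.exe 82
behavioral2/memory/4108-3-0x0000000140000000-0x0000000140103000-memory.dmp family_meduza
behavioral2/memory/4108-9-0x0000000140000000-0x0000000140103000-memory.dmp family_meduza
"""

# Constructed process tree, pid -> (image name, parent pid), from the Processes section.
SAMPLE_PROCESSES = {2996: ("Solara.exe", None), 4108: ("Solara.exe", 2996)}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
YARA_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp\s+(\S+)")

X64_DEFAULT_IMAGE_BASE = 0x140000000  # MSVC linker default for 64-bit EXEs


def parse_events(text):
    """Group raw signature lines by the pid they act on.

    Returns {pid: {"writes": {writer_pid: count},
                   "ctx": {writer_pid, ...},
                   "yara": {rule_name: (start, end)}}}.
    """
    per_pid = defaultdict(lambda: {"writes": defaultdict(int), "ctx": set(), "yara": {}})
    for line in text.splitlines():
        if m := WRITE_RE.search(line):
            per_pid[int(m[2])]["writes"][int(m[1])] += 1
        elif m := CTX_RE.search(line):
            per_pid[int(m[2])]["ctx"].add(int(m[1]))
        elif m := YARA_RE.search(line):
            per_pid[int(m[1])]["yara"][m[4]] = (int(m[2], 16), int(m[3], 16))
    return per_pid


def find_injections(per_pid, processes):
    """Flag every (writer, target) pair where the writer both wrote into the
    target and replaced a thread context in it, and collect the surrounding
    evidence needed to tell hollowing apart from generic injection."""
    findings = []
    for target, ev in per_pid.items():
        for writer in ev["ctx"] & set(ev["writes"]):
            t_image, t_parent = processes.get(target, (None, None))
            w_image, _ = processes.get(writer, (None, None))
            families = sorted(r for r in ev["yara"] if r.startswith("family_"))
            writer_yara = per_pid.get(writer, {"yara": {}})["yara"]
            writer_families = [r for r in writer_yara if r.startswith("family_")]
            findings.append({
                "writer": writer,
                "target": target,
                "write_count": ev["writes"][writer],
                "target_is_child_of_writer": t_parent == writer,
                "same_image": t_image is not None and t_image == w_image,
                "payload_families_in_target": families,
                "payload_only_in_target": bool(families) and not writer_families,
                "payload_at_default_x64_base": any(
                    start == X64_DEFAULT_IMAGE_BASE for start, _ in ev["yara"].values()),
            })
    return findings


def verdict(finding):
    """Process hollowing when a self-spawned child of the same image ends up
    holding a payload the parent never showed; otherwise generic injection."""
    if (finding["target_is_child_of_writer"] and finding["same_image"]
            and finding["payload_only_in_target"]):
        return "process hollowing (self-spawned child hosts payload)"
    return "code injection (WriteProcessMemory + SetThreadContext)"


if __name__ == "__main__":
    for f in find_injections(parse_events(SAMPLE_EVENTS), SAMPLE_PROCESSES):
        print(f"{f['writer']} -> {f['target']}: {verdict(f)} "
              f"(writes={f['write_count']}, families={f['payload_families_in_target']}, "
              f"at_default_base={f['payload_at_default_x64_base']})")
```

The write count alone is weak evidence (any legitimate debugger or loader writes into a child); what makes the verdict firm is the combination of same-image child, thread-context reset, and a family rule that fires in the child's memory but nowhere in the parent. When feeding real sandbox exports, keep the parent's memory dumps in the input so that `payload_only_in_target` is actually tested rather than trivially true.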
Processes
1. C:\Users\Admin\AppData\Local\Temp\Solara.exe  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"  (PID 2996)
   Loads dropped DLL; Suspicious use of SetThreadContext; NTFS ADS; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Solara.exe  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"  (PID 4108, child of 2996)
      Checks computer location settings
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 6450ffb674f57086f4630e8485286fa5
SHA1: 42083caa94735205dac5858d3953f0066b880881
SHA256: db8ee06b8f671896d2afc837b73f272eb0f9359f5899425b0cfa26d4df43e765
SHA512: 02155d2a4acde5643593951256949980a7f967a938ad9884b94f1de43b63ee8ceced5271168bfacdc6fc307601d1ff21c119b11041e5a20fef66ab42daefd81d