meduza | hxxps://bit[.]ly/47Lj1xR

Resubmissions

28/09/2024, 21:15

240928-z3t8lawgjq 3

28/09/2024, 17:35

240928-v6bs7szhnd 10

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
28/09/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/47Lj1xR

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
191
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2916-147-0x0000000140000000-0x000000014010F000-memory.dmp	family_meduza
behavioral1/memory/2916-149-0x0000000140000000-0x000000014010F000-memory.dmp	family_meduza

Meduza family
meduza

Loads dropped DLL 1 IoCs

pid	Process
376	Solara.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	api.ipify.org
66	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 2916	376	Solara.exe	119

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1496	cmd.exe
2300	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Solara_External\a.exe:extractor.dll	Solara.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2300	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1064	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
640	msedge.exe
640	msedge.exe
4936	identity_helper.exe
4936	identity_helper.exe
880	msedge.exe
880	msedge.exe
2916	Solara.exe
2916	Solara.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1064	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3916	AUDIODG.EXE
Token: 33	1064	vlc.exe
Token: SeIncBasePriorityPrivilege	1064	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe
1064	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2612	640	msedge.exe	85
PID 640 wrote to memory of 2612	640	msedge.exe	85
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2396	640	msedge.exe	86
PID 640 wrote to memory of 2344	640	msedge.exe	87
PID 640 wrote to memory of 2344	640	msedge.exe	87
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88
PID 640 wrote to memory of 4012	640	msedge.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/47Lj1xR
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd582646f8,0x7ffd58264708,0x7ffd58264718
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17854359995332338829,5282221440237494128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2400

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Temp1_Solara_External.zip\Background.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\Downloads\Solara_External\Solara.exe
"C:\Users\Admin\Downloads\Solara_External\Solara.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:376
- C:\Users\Admin\Downloads\Solara_External\Solara.exe
  "C:\Users\Admin\Downloads\Solara_External\Solara.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Solara_External\Solara.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1496
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
eff9af230bb15bb9559354997280664f

SHA1
3c9988f659b6ac0be9f522496ff893166c1a5d7b

SHA256
6aeca86beabc0756536f7c2de292c6786fa8a62a5e06232afce9c974dd4531bf

SHA512
b19f8720129addddcb87b174c89af88cf44ecd9f2ff32edd4167275c7e931d75e0e3dda6407604dde006d2710d8c8b23bcebecd3d7828a462d0c63c6a5fb52c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f02c927be3b43c3536bdc450d82e6958

SHA1
4e281f89a4e072f9a7fee727283bb71e3697a9e5

SHA256
2418d33a5ed72f673d3d335e3d93075bd3921a57a90c8854f255e356fcd1fef5

SHA512
771de89ee372ffabb4bd0b87b35117a3ba68dc50b6f72ac3dae8b14a8eb53476f05d9b90bb39e5eff201a03039814d9104b9649fcb228582eb8e31492f30b99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
9adcf42fc2c5635fc5ab74f6f48cb06e

SHA1
52d5366a822d1041c64fc599c5a37dbc45bce000

SHA256
f8bed4d039cb4c6028761067825faa8a07603b18d41525b7e636172944c4bd8b

SHA512
f7f3d87f8c8a96584f6b34c0e3546dff81d6b2e4ed5ca9be800d0ebffd4473e8bed0ed4ca03ffe0f8a3d9c2f2a6cfdf9ede00fe9f92647521bcd996a90183887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
450B

MD5
9b0e2633dee5a67d02429f7dcb87ffe6

SHA1
ccad36810f183dbf79fce621b0cbac01813e36be

SHA256
2c1373d4b8f0c548514acf3e7ddf71e18b961e02e5935c486c849862f4e531f0

SHA512
1a97dfd3561a2b912d05658f5e05fb3623b1cd4deb701723a442239962ead6378877476ea6ab72c928fae567932434c30d8e3e2831901dad323c3321c98c9867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19a3f7facd458f1e31e7535ce74c5e46

SHA1
b1897b3ca47651878504ca83b78415589da2835a

SHA256
0096b6568c73103b860fdd63ca1e11c9ebe245daebedf2d35943d8da8b043686

SHA512
e3c2178cd4b86421dc743b9c7f741bb0c1b9af2d4c7dd2f64e7a3a09438dd1734601062b6bf2312d0761586aa4a55358bd6724c58fbb80bec66f5a0c1dcce023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31cfcf2cb2087eb3b594cd63b376508e

SHA1
240fea4936376e0ed3165bc1765855bcc89217aa

SHA256
a43e0e7e0980a5aafdac51999255971a3a6d3d7eddac56dd62f391177c8367d2

SHA512
9bf9b4dae299ba1ad4d743ec1a7905ab75fed3e3d97963fd6952a5c975df3e61c0b6719b5af56ac2e8190682ffd00a44475568572df39c49d51187ab57caca0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0596f58cea2bfbaeb239747843351242

SHA1
d59182e630d6932ae47943aec10f143510a16ac8

SHA256
a5c9395eeb28db3d37f32385bf62d8509d3a9bd0546d8061cec1be9ec746dc5c

SHA512
2d23513fcbdc571c219e1bf3bbb82fe639859364cb6c9a124c8b8bac76b70d6269e1866fcf2a43c11f2cdeb6134dc94185e79c8f80bcfa65b76aeee33f2f2558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ef45be8d8f9005abdec6e2ff08166dc

SHA1
314396f82525c55e1602c2871a737fbcc4b036d4

SHA256
588259b2d2a8d2fa63ada8816f92389a6c3e8a53601b4dbb8d5fa179739e0c64

SHA512
4578b776b20bdde3d05b6333bf0b5737663135813e3c583d6b60cff00480ffe93a3fece0eafb44e2994102bcb89988a0da9f804a6526dc9b5b26909edb00c07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6724000833098639c3c1148f560a39e

SHA1
4f62656e91ac72edd507687a4f1b98eef74ad0ba

SHA256
f92505076862a18043992172b2814efb645cd9dd03d0abe75913faf1db5bd19d

SHA512
23923c2120d7865e2f706e89dc051abc6ea4f7754514f8a244e84af17e5cdf15604380e55826e5d3eb0791658a04efe4f7b443e5f8ca67710971bb3ab8d37c63

Download Submit
C:\Users\Admin\Downloads\Solara_External.zip

Filesize
22.2MB

MD5
c534aec53cf9fbafc91115d37ed4e351

SHA1
6242ca209e75e1d913edd6d272803ac17cfa07fc

SHA256
ace63e6e96d12c443dea56a960c921a4e83de3cf90314339f43d4967d7f56c82

SHA512
a58dbe893171fbcfa90739d88e7ec105752d7abee1ca893c8442951279d46f0bd55d04bc7ad847f8d571305ebdcbabf67def173b68bf83628281b0c1bd3d7e29

Download Submit
C:\Users\Admin\Downloads\Solara_External\a.exe:extractor.dll

Filesize
1.2MB

MD5
bc030b47e6cbd4aaa475de5c011614fe

SHA1
9d23e2fbce3c21c23b9e21ad293db07bdefe5925

SHA256
ef0ff2ce59171d32f0f5aafaf01b31c9329c5cf23ca5e6949b1be56bb77248b2

SHA512
dfe3ca1b47952d0e7ba792b66d441ed06f2907608f9ff603c5efdc36b788d42883e453a44e4442a9eaab4974c5c2370d18db3bcab678398e03fd66198c996fe1

Download Submit
memory/376-151-0x00007FFD3D960000-0x00007FFD3DA97000-memory.dmp

Filesize
1.2MB

Download
memory/376-150-0x00007FF6FF7C0000-0x00007FF6FF941000-memory.dmp

Filesize
1.5MB

Download
memory/1064-97-0x00007FFD583E0000-0x00007FFD583F8000-memory.dmp

Filesize
96KB

Download
memory/1064-127-0x00007FFD44340000-0x00007FFD453F0000-memory.dmp

Filesize
16.7MB

Download
memory/1064-98-0x00007FFD57C60000-0x00007FFD57C77000-memory.dmp

Filesize
92KB

Download
memory/1064-100-0x00007FFD47B10000-0x00007FFD47B27000-memory.dmp

Filesize
92KB

Download
memory/1064-111-0x00007FFD44290000-0x00007FFD442A1000-memory.dmp

Filesize
68KB

Download
memory/1064-112-0x0000021747460000-0x00000217475E0000-memory.dmp

Filesize
1.5MB

Download
memory/1064-110-0x00007FFD442B0000-0x00007FFD442C1000-memory.dmp

Filesize
68KB

Download
memory/1064-109-0x00007FFD442D0000-0x00007FFD442E1000-memory.dmp

Filesize
68KB

Download
memory/1064-108-0x00007FFD442F0000-0x00007FFD44308000-memory.dmp

Filesize
96KB

Download
memory/1064-106-0x00007FFD44340000-0x00007FFD453F0000-memory.dmp

Filesize
16.7MB

Download
memory/1064-107-0x00007FFD44310000-0x00007FFD44331000-memory.dmp

Filesize
132KB

Download
memory/1064-99-0x00007FFD57BE0000-0x00007FFD57BF1000-memory.dmp

Filesize
68KB

Download
memory/1064-96-0x00007FFD45690000-0x00007FFD45946000-memory.dmp

Filesize
2.7MB

Download
memory/1064-95-0x00007FFD574A0000-0x00007FFD574D4000-memory.dmp

Filesize
208KB

Download
memory/1064-101-0x00007FFD47AF0000-0x00007FFD47B01000-memory.dmp

Filesize
68KB

Download
memory/1064-103-0x00007FFD45650000-0x00007FFD45661000-memory.dmp

Filesize
68KB

Download
memory/1064-94-0x00007FF7D1F70000-0x00007FF7D2068000-memory.dmp

Filesize
992KB

Download
memory/1064-157-0x00007FFD45690000-0x00007FFD45946000-memory.dmp

Filesize
2.7MB

Download
memory/1064-105-0x00007FFD453F0000-0x00007FFD45431000-memory.dmp

Filesize
260KB

Download
memory/1064-104-0x00007FFD45440000-0x00007FFD4564B000-memory.dmp

Filesize
2.0MB

Download
memory/1064-102-0x00007FFD45670000-0x00007FFD4568D000-memory.dmp

Filesize
116KB

Download
memory/2916-149-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/2916-147-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download