Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2024 02:25

General

  • Target

    Solara.exe

  • Size

    2.4MB

  • MD5

    0deb8032eee2cfe15754044442b5bc28

  • SHA1

    825e16d17ac482389804ff5f5f2165315411ab22

  • SHA256

    80c7757f87925a24bc0e4225a753c2f3e3ce40ffc2c9d46f48581dab95a95f7c

  • SHA512

    1abd0199a8cf036e5a122a860b067c3b2acdee4dc38c694a61c5b117d6de8ee775160e15ef0a8460a9fc8abc9e09b3ec1a9522aa26c4b8c92276dbbed22a2610

  • SSDEEP

    49152:Mm3c8RgY8M2lBfNGy8Tt5nVzZTM3pyTsFmrLHch+HFNWSOxv5SOYb1QYH:V5y8Tt5rHsAbcg9Oxv5nS

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:228
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4508
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta7ecba66hfc21h4fd9haae7h244c994541b2
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff526146f8,0x7fff52614708,0x7fff52614718
      2⤵
      PID:116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11432737421384133368,14425277187675009682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      2⤵
      PID:3976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11432737421384133368,14425277187675009682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11432737421384133368,14425277187675009682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
      2⤵
      PID:4448
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3120
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2356
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault21b6d6abh0b5fh405fh8d57hd6866ef0116b
    1⤵
    PID:5060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff526146f8,0x7fff52614708,0x7fff52614718
      2⤵
      PID:1056
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,13901270612609538598,10126786090831874477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
      2⤵
      PID:1888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,13901270612609538598,10126786090831874477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1608
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,13901270612609538598,10126786090831874477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      2⤵
      PID:4912
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3616
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:3140
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    b9569e123772ae290f9bac07e0d31748
    SHA1
    5806ed9b301d4178a959b26d7b7ccf2c0abc6741
    SHA256
    20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
    SHA512
    cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    eeaa8087eba2f63f31e599f6a7b46ef4
    SHA1
    f639519deee0766a39cfe258d2ac48e3a9d5ac03
    SHA256
    50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
    SHA512
    eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
    Filesize
    331B
    MD5
    355263c64ba0b0fee759ce373d425845
    SHA1
    f2a0ef98e86e4a3ae2392a23c421e52e7f04de52
    SHA256
    6b921922f45eaf27bfc71e298e857694621434988f0eeb1256678a33720f8d21
    SHA512
    a2d04fa03fde0aabac90d875b26bc5842cee601d48d782881f14724938544c384ce90d3d6e6b7010dc3d912b4bf241ef591b8408cc668555e67d84f578e6d9da

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    61B
    MD5
    4df4574bfbb7e0b0bc56c2c9b12b6c47
    SHA1
    81efcbd3e3da8221444a21f45305af6fa4b71907
    SHA256
    e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
    SHA512
    78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    3a4e3e21c4bc78f0bc6b6dff252e8fa1
    SHA1
    f435e037fba11fa87c8edc3b9094a3c1d913a410
    SHA256
    ee84bff2650c7b685cc4a3627d2b3d98fe939cf4c59d416537850e6b2d2457e0
    SHA512
    4843ada6b88de593ce67583af89ed8af07c4c6b3d893c7c2507b3b768b2304054c057b4b3882556f4e15bb65130d8f4d2b7fe615ac6663c94589fb5bd474e4bc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
    Filesize
    347B
    MD5
    0ed44a9af333bc098a9851e6aeacd1f5
    SHA1
    ee857e0416b9230c8ea3a65f482b7759c02fe29a
    SHA256
    93b642ce4d27f1cfed3c4308b0a7ec61964bdfdc546281836d599fa84f315f59
    SHA512
    77aa801229d8661da6dd4902a4fea1517e211cd47941fb0b85497bcd622def10219b1cdc193ad9e145ff8c3ce9ef276a36e77e57fb3d105e67f2793ecb3a35d8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
    Filesize
    326B
    MD5
    c7ccdcc28313b6fa5f5519ab58022e06
    SHA1
    2f34f0c6d22e167afb562fd44bdee32fec079495
    SHA256
    41524bb874812a024fe0fab6f3c7f6bdfc0a2d82bb0760b3461185545babbfac
    SHA512
    2944016adf8684941e35dc86ba2a6d591d2c42ef54a293fa5d9b9ba6d8548289604aba469866187b4d276e990a1293acaf0ed1e71d74faac2c087ef3d0c99c21

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
    Filesize
    11B
    MD5
    838a7b32aefb618130392bc7d006aa2e
    SHA1
    5159e0f18c9e68f0e75e2239875aa994847b8290
    SHA256
    ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
    SHA512
    9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    8KB
    MD5
    7d44964de1b66f6fb2c2ac272199f344
    SHA1
    4b327566a0797e7d112c08e0b171fa87077e8068
    SHA256
    c5e116fc5e438310f61cb167b08c026671e0bdd7139a43a71eb833de9ce7ad4f
    SHA512
    3797ffc3a03694449c18fdb660dbaf122209f1d4446a594009aec13d5882ab3e3adeca163611f252158b34bcee3f03af566bb499fd1a0f526d7ea5a201ef2427

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize
    264KB
    MD5
    f50f89a0a91564d0b8a211f8921aa7de
    SHA1
    112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256
    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512
    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Temp\a.dll
    Filesize
    1.2MB
    MD5
    f25cb5d21b3143c2ea190045419fabca
    SHA1
    67c821b32d522bc72162f943be98722c304a8f4c
    SHA256
    31e1c5eaf116adaf228a6d82d5213cdffe274fb961d5a84ca088d151183191ed
    SHA512
    999c2dc5067c48478e7c8703ae7e26c52e5e08d136071f422c1f3e597d91e1716d9caa0236af63d46a73c8a238a605cdf4da2357abb12fa741df6305110191de

  • memory/228-17-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/228-16-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/228-5-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/228-7-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/228-6-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/228-3-0x0000000140000000-0x000000014010F000-memory.dmp
    Filesize
    1.1MB

  • memory/1876-9-0x00007FFF63420000-0x00007FFF63557000-memory.dmp
    Filesize
    1.2MB

  • memory/1876-8-0x00007FF651FB0000-0x00007FF652226000-memory.dmp
    Filesize
    2.5MB