Analysis

  • max time kernel
    58s
  • max time network
    61s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-10-2024 22:35

General

  • Target

    Solara_Installer 3.0.2.exe

  • Size

    2.2MB

  • MD5

    3ef90d8e258f1e3e40b558fa87764101

  • SHA1

    5555481a8c837753128649c1d835535f9dbc8f7c

  • SHA256

    9c246bce209eee1686034f9962409649b24e23cb8f2333921d39754837696e32

  • SHA512

    3de19f5571338fcae969f2293fa1e765818606a1a482665e61fc47d3a3c9d070425c8d0e4c2842b35ee07047ab9bd719af3dbb6c3e2e6eb831e81be45c45f4f7

  • SSDEEP

    49152:qBIwwRDNu+mprsU0EgxcYHK2SvjdfU6eNw12:MI7RD8rVqxSJUS2

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara_Installer 3.0.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Installer 3.0.2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chaincomcomponentWebnet\bOvPOrGmJPec6UrXZRztyu7YTQPUCiKxIf3e5b4BnYUqm3ScLNK7TMGQrp.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chaincomcomponentWebnet\999la2GqZfSTZJJDdad0QHO5S.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\chaincomcomponentWebnet\componentwebperfNet.exe
          "C:\chaincomcomponentWebnet/componentwebperfNet.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\74C7el6NZq.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:3484
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1072
                • C:\Users\Default\Links\dllhost.exe
                  "C:\Users\Default\Links\dllhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2292
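The process tree above is a textbook living-off-the-land chain: installer -> WScript running a .vbe from a freshly created root-level directory -> cmd running a .bat -> dropped EXE -> cmd running a second .bat in %TEMP% that sets the console code page, stalls with w32tm /stripchart against localhost, and finally launches a dllhost.exe copy from C:\Users\Default\Links (a name borrowed from a Windows system binary, in a profile that never has an interactive logon). The following is an added example and not part of the sandbox report: it transcribes the tree as constructed Sysmon-style process-creation events and runs the heuristics a detection engineer would derive from it. The rule names, the list of "masqueradable" binary names and the notion of a "staging directory" are assumptions of this example; chcp 65001 is deliberately not flagged on its own, since it merely switches the console to UTF-8.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Where the genuine copies of Windows system binaries live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names malware borrows to blend in; dllhost.exe is the one seen in this tree (assumed list).
MASQUERADE_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# Directories that legitimately sit directly under the drive root.
KNOWN_ROOT_DIRS = {r"c:\windows", r"c:\program files", r"c:\program files (x86)", r"c:\users", r"c:\programdata"}
SCRIPT_EXT = ("vbe", "vbs", "js", "jse", "wsf")
BATCH_EXT = ("bat", "cmd")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


# The report's process tree, transcribed as constructed process-creation events
# (PIDs and command lines as listed above; ppid 0 marks the root of the tree).
EVENTS = [
    ProcEvent(1924, 0, r"C:\Users\Admin\AppData\Local\Temp\Solara_Installer 3.0.2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Solara_Installer 3.0.2.exe"'),
    ProcEvent(2252, 1924, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\chaincomcomponentWebnet\bOvPOrGmJPec6UrXZRztyu7YTQPUCiKxIf3e5b4BnYUqm3ScLNK7TMGQrp.vbe"'),
    ProcEvent(4956, 2252, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\chaincomcomponentWebnet\999la2GqZfSTZJJDdad0QHO5S.bat" "'),
    ProcEvent(864, 4956, r"C:\chaincomcomponentWebnet\componentwebperfNet.exe",
              r'"C:\chaincomcomponentWebnet/componentwebperfNet.exe"'),
    ProcEvent(3216, 864, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\74C7el6NZq.bat"'),
    ProcEvent(3484, 3216, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(1072, 3216, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(2292, 3216, r"C:\Users\Default\Links\dllhost.exe", r'"C:\Users\Default\Links\dllhost.exe"'),
]


def _base(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _dir(path: str) -> str:
    return re.sub(r"[\\/][^\\/]*$", "", path).lower()


def _paths_with_ext(cmd: str, exts: tuple[str, ...]) -> list[str]:
    """Drive-letter paths in a command line ending in one of `exts` (works even with unbalanced quotes)."""
    return re.findall(r'[A-Za-z]:[\\/][^"]*?\.(?:%s)\b' % "|".join(exts), cmd, re.IGNORECASE)


def in_root_level_custom_dir(path: str) -> bool:
    """C:\\<something>\\file, where <something> is not a standard Windows directory."""
    d = _dir(path)
    return bool(re.fullmatch(r"[a-z]:\\[^\\]+", d)) and d not in KNOWN_ROOT_DIRS


def in_staging_dir(path: str) -> bool:
    """Root-level custom dir, the user's Temp, or the Default profile (which never has a logon session)."""
    d = _dir(path) + "\\"
    return in_root_level_custom_dir(path) or "\\appdata\\local\\temp\\" in d or "\\users\\default\\" in d


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, rule) pairs for every event that trips one of the heuristics, in event order."""
    hits: list[tuple[int, str]] = []
    for ev in events:
        name, cmd = _base(ev.image), ev.command_line
        if name in MASQUERADE_NAMES and _dir(ev.image) not in SYSTEM_DIRS:
            hits.append((ev.pid, "masquerading_system_binary"))
        if name == "w32tm.exe" and re.search(r"/stripchart\b.*/computer:localhost", cmd, re.IGNORECASE):
            hits.append((ev.pid, "w32tm_stripchart_delay"))   # time-sync sampling abused as a sleep
        if name in ("wscript.exe", "cscript.exe") and any(in_staging_dir(p) for p in _paths_with_ext(cmd, SCRIPT_EXT)):
            hits.append((ev.pid, "script_host_from_staging_dir"))
        if name == "cmd.exe" and re.search(r"\s/c\s", cmd, re.IGNORECASE) and any(
                in_staging_dir(p) for p in _paths_with_ext(cmd, BATCH_EXT)):
            hits.append((ev.pid, "batch_from_staging_dir"))
        if name.endswith(".exe") and in_root_level_custom_dir(ev.image):
            hits.append((ev.pid, "exe_in_root_level_custom_dir"))
    return hits


def lineage(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the root of the tree down to `pid`, for triage context."""
    by_pid = {e.pid: e for e in events}
    chain: list[str] = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"{rule:30} pid={pid:<5} " + " -> ".join(lineage(EVENTS, pid)))
```

Each rule fires on a different process of the chain, and none of them fires on the installer itself or on chcp.com: the installer is not distinctive on its own, and the value of the tree is the lineage, which `lineage()` prints next to every hit so that an analyst sees the six-process path from the installer down to the masqueraded dllhost.exe.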

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Local\Temp\74C7el6NZq.bat
    Filesize: 210B
    MD5: 8200ae335c00c4c9efae3a260ed0e360
    SHA1: b76f9674bb2835b160323eb9fa4e6856dea331c2
    SHA256: be19aa5fd9120781feb13a4e50f44cde77f22d65a23d16b2146dcac923d77de3
    SHA512: 09388bfd9e2a678a9d0816422a746e9fcd45103f08f385b3c005b9a9c42101397e4b6926e9763f0762e906fcadc752b2c36dd4389d63d7ebcd98991be0f6b055

  • C:\chaincomcomponentWebnet\999la2GqZfSTZJJDdad0QHO5S.bat
    Filesize: 108B
    MD5: 89e9b28529b571367341f37ac9120eb2
    SHA1: 4446864199832960c2d5af07af3d40f96005d545
    SHA256: 7a85d7e005d3b953942dc2d939692f45d47c89d5ff796d6d216648837b8d009f
    SHA512: 8837e981c8a0d645f2bf3e84db55685206f07b05f1c24a6c2ea2d90b4cdfae9812a7cd0688fad4e7fcd45b601518349786f377106e587461bfd8b977640aa315

  • C:\chaincomcomponentWebnet\bOvPOrGmJPec6UrXZRztyu7YTQPUCiKxIf3e5b4BnYUqm3ScLNK7TMGQrp.vbe
    Filesize: 227B
    MD5: 104dfb66c4b9c25964a2631e9d1b35de
    SHA1: e0dc6ad69fb81b4cc91cdd3759ff7317125bdb2a
    SHA256: 5a98f7abdd86b05f01cc8f2e68dcadf75e3e9567f9874af6924337c4da1f7fa1
    SHA512: 80f4fe2d0bd8f7a2400ce48b7cfc19facec0b020a26937a52f749ebdf4651a4874c16f9346cffe2de9eda6977ad79814e2403612090ee4d18785cf77a790f7af

  • C:\chaincomcomponentWebnet\componentwebperfNet.exe
    Filesize: 1.8MB
    MD5: 571408be1474de5462575eaa6f5b3b0d
    SHA1: ac89a73893785f3d57855920b660995dadd8778a
    SHA256: 572ee587ef7a955c2ab979f22b6e6d6ca40668bce9ba7d32e68fc3788c9984ce
    SHA512: 04203e600b61e2314c11f45322d91130034a34b13c83dd1c6ff522e095515e353be4647ed2b865d0a684908b543eb314754e7259bc2ab06b1fe070c3566cbd8b

  • memory/864-12-0x00007FF953D93000-0x00007FF953D95000-memory.dmp
    Filesize: 8KB

  • memory/864-13-0x0000000000110000-0x00000000002EA000-memory.dmp
    Filesize: 1.9MB

  • memory/864-15-0x0000000000A30000-0x0000000000A3E000-memory.dmp
    Filesize: 56KB

  • memory/864-22-0x0000000002430000-0x000000000243C000-memory.dmp
    Filesize: 48KB

  • memory/864-20-0x00000000024D0000-0x00000000024E8000-memory.dmp
    Filesize: 96KB

  • memory/864-18-0x000000001AF10000-0x000000001AF60000-memory.dmp
    Filesize: 320KB

  • memory/864-17-0x00000000024B0000-0x00000000024CC000-memory.dmp
    Filesize: 112KB
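The hashes above are the indicators a responder actually sweeps a fleet for, and the dropped-file paths are a second, cheaper signal that survives the operator rebuilding the stage-two files. The following is an added example and not part of the sandbox report: a small IOC sweep that streams every file under a root through the same four digests the report lists, then flags anything whose SHA256 matches one of the recorded artifacts or whose path contains one of the directories the sample creates. The SHA256 table is transcribed from this page; the path markers, the rule wording and the `sweep()` entry point are assumptions of the example (the sweep hashes whatever is on disk, so it is meant to run on a host or a mounted image, not on a live sandbox).

```python
from __future__ import annotations

import hashlib
import os
from collections.abc import Iterator

# SHA256 -> artifact name, transcribed from the General and Downloads sections of the report.
IOC_SHA256 = {
    "9c246bce209eee1686034f9962409649b24e23cb8f2333921d39754837696e32": "Solara_Installer 3.0.2.exe",
    "5a98f7abdd86b05f01cc8f2e68dcadf75e3e9567f9874af6924337c4da1f7fa1": "bOvPOrGmJPec6UrXZRztyu7YTQPUCiKxIf3e5b4BnYUqm3ScLNK7TMGQrp.vbe",
    "7a85d7e005d3b953942dc2d939692f45d47c89d5ff796d6d216648837b8d009f": "999la2GqZfSTZJJDdad0QHO5S.bat",
    "572ee587ef7a955c2ab979f22b6e6d6ca40668bce9ba7d32e68fc3788c9984ce": "componentwebperfNet.exe",
    "be19aa5fd9120781feb13a4e50f44cde77f22d65a23d16b2146dcac923d77de3": "74C7el6NZq.bat",
}
# Locations from the process tree, matched case-insensitively (assumed to be stable across builds).
IOC_PATH_MARKERS = (
    "\\chaincomcomponentwebnet\\",
    "\\users\\default\\links\\dllhost.exe",
)
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_all(data: bytes) -> dict[str, str]:
    """The four digests the report lists, computed from an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict[str, str]:
    """Same digests, streamed in 1 MiB chunks so large files never have to fit in memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def classify(path: str, sha256: str) -> list[str]:
    """Reasons a file is interesting: a known-bad SHA256 and/or a path the sample is known to use."""
    reasons: list[str] = []
    key = sha256.lower()
    if key in IOC_SHA256:
        reasons.append(f"sha256 matches report artifact {IOC_SHA256[key]}")
    low = path.lower()
    for marker in IOC_PATH_MARKERS:
        if marker in low:
            reasons.append(f"path marker {marker!r}")
    return reasons


def sweep(root: str) -> Iterator[tuple[str, list[str]]]:
    """Walk `root` and yield (path, reasons) for every file that trips a hash or path indicator."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digests = hash_file(p)
            except OSError:          # unreadable or vanished file: skip, do not abort the sweep
                continue
            reasons = classify(p, digests["sha256"])
            if reasons:
                yield p, reasons


if __name__ == "__main__":
    import sys
    for p, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(p, "|", "; ".join(reasons))
```

Only SHA256 is used for matching: MD5 and SHA1 are kept because the report lists them and they are useful for correlating with other feeds, but collisions make them unsuitable as the deciding indicator. Path markers are reported separately from hash hits so that a recompiled stage-two dropped into the same C:\chaincomcomponentWebnet directory still surfaces.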