Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 20:04
Behavioral task
behavioral1
Sample
solara.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
solara.exe
Resource
win10v2004-20241007-en
General
-
Target
solara.exe
-
Size
41KB
-
MD5
15a9c1e88def62ed4698653817dd49f3
-
SHA1
4dcd814644624487523e4d9f05cfa7b44cc6a003
-
SHA256
2442056a304a0c3f67a04a64a51e15b49cc056553f2b46efc74d412da334b8fa
-
SHA512
e243b9ff72783dbbddaf699a5099afa5bfe9d99260845e825e1742e9a4405a123ca278b71cc365b865daa0915d9bde2b46c7b9440feb325ea6d94f8b2c8f70e3
-
SSDEEP
768:jscaIiIqfT6ahzpDXswIuZkeMWTjNKZKfgm3EhkZ:4c1ofnhz8eMWTpF7EKZ
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1295103465751707828/Yi_BycNwaAuY9ggq6DYhG24Q1YQvFqUxF9LIwLGQqWVDfExKkVmWAtBgQq45qV5zVSOq
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions solara.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools solara.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion solara.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum solara.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 solara.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S solara.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString solara.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 solara.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer solara.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName solara.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 solara.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation solara.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2420 solara.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2880 2420 solara.exe 33 PID 2420 wrote to memory of 2880 2420 solara.exe 33 PID 2420 wrote to memory of 2880 2420 solara.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\solara.exe"C:\Users\Admin\AppData\Local\Temp\solara.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2420 -s 13282⤵PID:2880
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1