Analysis
-
max time kernel
75s -
max time network
76s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-10-2024 10:45
Static task
static1
General
-
Target
SolaraFixer.7z
-
Size
70KB
-
MD5
b77e6245add9f2cb38fb2bf2a310e83c
-
SHA1
223c9b6e76776310a1e74e398060342263eb46ea
-
SHA256
d1c9cf26181befbb8e3c53ea3b2aac37afd12d06ff9e53d42438c67a79b134c4
-
SHA512
2e9d6545f06ef6014f6f640db3fb9bbd5d698afdec45399774fe0cd8410bd51f60961c0b04b1393975d3e08fa62de1ba2bf3de226b9724dce27dc1418b88877d
-
SSDEEP
1536:uRChivU97J63OL+V+8GFJj+ODdCxI1Tu7HU7rXYvePzYQ:uIis97IESHKyI1TsHUNbYQ
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1299461719801991309/vrYuMDjs_n5vFmzGOfz4kp_hTyDr2VE1-rjZ8OaF0rcFRYvfnqe3C0qr56jzGH43IeT7
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x001d00000002aa81-3.dat family_umbral behavioral1/memory/3256-5-0x000001BAF12C0000-0x000001BAF1300000-memory.dmp family_umbral -
Umbral family
-
Executes dropped EXE 3 IoCs
pid Process 3256 SolaraFixer.exe 560 SolaraFixer.exe 2896 SolaraFixer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ 7zFM.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3012 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 3012 7zFM.exe Token: 35 3012 7zFM.exe Token: SeSecurityPrivilege 3012 7zFM.exe Token: SeSecurityPrivilege 3012 7zFM.exe Token: SeDebugPrivilege 3256 SolaraFixer.exe Token: SeIncreaseQuotaPrivilege 2220 wmic.exe Token: SeSecurityPrivilege 2220 wmic.exe Token: SeTakeOwnershipPrivilege 2220 wmic.exe Token: SeLoadDriverPrivilege 2220 wmic.exe Token: SeSystemProfilePrivilege 2220 wmic.exe Token: SeSystemtimePrivilege 2220 wmic.exe Token: SeProfSingleProcessPrivilege 2220 wmic.exe Token: SeIncBasePriorityPrivilege 2220 wmic.exe Token: SeCreatePagefilePrivilege 2220 wmic.exe Token: SeBackupPrivilege 2220 wmic.exe Token: SeRestorePrivilege 2220 wmic.exe Token: SeShutdownPrivilege 2220 wmic.exe Token: SeDebugPrivilege 2220 wmic.exe Token: SeSystemEnvironmentPrivilege 2220 wmic.exe Token: SeRemoteShutdownPrivilege 2220 wmic.exe Token: SeUndockPrivilege 2220 wmic.exe Token: SeManageVolumePrivilege 2220 wmic.exe Token: 33 2220 wmic.exe Token: 34 2220 wmic.exe Token: 35 2220 wmic.exe Token: 36 2220 wmic.exe Token: SeIncreaseQuotaPrivilege 2220 wmic.exe Token: SeSecurityPrivilege 2220 wmic.exe Token: SeTakeOwnershipPrivilege 2220 wmic.exe Token: SeLoadDriverPrivilege 2220 wmic.exe Token: SeSystemProfilePrivilege 2220 wmic.exe Token: SeSystemtimePrivilege 2220 wmic.exe Token: SeProfSingleProcessPrivilege 2220 wmic.exe Token: SeIncBasePriorityPrivilege 2220 wmic.exe Token: SeCreatePagefilePrivilege 2220 wmic.exe Token: SeBackupPrivilege 2220 wmic.exe Token: SeRestorePrivilege 2220 wmic.exe Token: SeShutdownPrivilege 2220 wmic.exe Token: SeDebugPrivilege 2220 wmic.exe Token: SeSystemEnvironmentPrivilege 2220 wmic.exe Token: SeRemoteShutdownPrivilege 2220 wmic.exe Token: SeUndockPrivilege 2220 wmic.exe Token: SeManageVolumePrivilege 2220 wmic.exe Token: 33 2220 wmic.exe Token: 34 2220 wmic.exe Token: 35 2220 wmic.exe Token: 36 2220 wmic.exe Token: SeBackupPrivilege 4432 svchost.exe Token: SeRestorePrivilege 4432 svchost.exe Token: SeSecurityPrivilege 4432 svchost.exe Token: SeTakeOwnershipPrivilege 4432 svchost.exe Token: 35 4432 svchost.exe Token: SeDebugPrivilege 560 SolaraFixer.exe Token: SeIncreaseQuotaPrivilege 3612 wmic.exe Token: SeSecurityPrivilege 3612 wmic.exe Token: SeTakeOwnershipPrivilege 3612 wmic.exe Token: SeLoadDriverPrivilege 3612 wmic.exe Token: SeSystemProfilePrivilege 3612 wmic.exe Token: SeSystemtimePrivilege 3612 wmic.exe Token: SeProfSingleProcessPrivilege 3612 wmic.exe Token: SeIncBasePriorityPrivilege 3612 wmic.exe Token: SeCreatePagefilePrivilege 3612 wmic.exe Token: SeBackupPrivilege 3612 wmic.exe Token: SeRestorePrivilege 3612 wmic.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3012 7zFM.exe 3012 7zFM.exe 3012 7zFM.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3256 wrote to memory of 2220 3256 SolaraFixer.exe 84 PID 3256 wrote to memory of 2220 3256 SolaraFixer.exe 84 PID 560 wrote to memory of 3612 560 SolaraFixer.exe 89 PID 560 wrote to memory of 3612 560 SolaraFixer.exe 89 PID 2896 wrote to memory of 2652 2896 SolaraFixer.exe 92 PID 2896 wrote to memory of 2652 2896 SolaraFixer.exe 92
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SolaraFixer.7z"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012
-
C:\Users\Admin\Desktop\SolaraFixer.exe"C:\Users\Admin\Desktop\SolaraFixer.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
C:\Users\Admin\Desktop\SolaraFixer.exe"C:\Users\Admin\Desktop\SolaraFixer.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Users\Admin\Desktop\SolaraFixer.exe"C:\Users\Admin\Desktop\SolaraFixer.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:2652
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD502df789e3c730b309fc4d9abce5d729b
SHA14f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e
SHA2564afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321
SHA5127ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587
-
Filesize
231KB
MD58bef46b57ddddec3d0d140f6f8d4b68e
SHA1549b51f7d1106f186de8d3594d55dcac22a6f8fc
SHA256360d3cef3d330c1930e318277939ab1c7db6c969f23be5d385b93f5faef3b4d2
SHA5125e9442c00355f5aea64b787658e7b390e5f53d1709bb4ce951db3e363b91fde46cd70d2262ddd9d06c1e21a72a2728821065d87c213ce86020a620ba468458f7