aefc3487d439bd87a9de7e5b25d18ab8839096fa6b08e9192c563c6ec0550292

Resubmissions

14-11-2024 18:47

241114-xfbfvs1mdy 10

14-11-2024 18:43

241114-xcy3rasaqm 10

Analysis

max time kernel
24s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

8.5MB
MD5

e2bc46d7bc521a528f31102b4c79327c
SHA1

66a7f9eda5b1a4be4cd8df18658fd6d0e885b8a6
SHA256

aefc3487d439bd87a9de7e5b25d18ab8839096fa6b08e9192c563c6ec0550292
SHA512

080aed5274e3eddd5bc5f8d2b859af20bb281a17d717c418e2f3bb915a5a6f0de1345d56c4cc931a7dd533f8c4cf167c476c73c5228ca3a1ab53ceef424c47ad
SSDEEP

196608:pFHYkDwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jo:BwIHziK1piXLGVE4Ue0VJE

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
652	Built.exe
2312	Built.exe
2316	BootstrapperV1.23.exe
1188	Process not Found

Loads dropped DLL 11 IoCs

pid	Process
2328	Solara.exe
652	Built.exe
2312	Built.exe
2328	Solara.exe
2508	Process not Found
1188	Process not Found
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019761-30.dat	upx
behavioral1/memory/2312-37-0x000007FEF6A60000-0x000007FEF70C3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2728	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: SeDebugPrivilege	2316	BootstrapperV1.23.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 652	2328	Solara.exe	29
PID 2328 wrote to memory of 652	2328	Solara.exe	29
PID 2328 wrote to memory of 652	2328	Solara.exe	29
PID 2328 wrote to memory of 652	2328	Solara.exe	29
PID 652 wrote to memory of 2312	652	Built.exe	30
PID 652 wrote to memory of 2312	652	Built.exe	30
PID 652 wrote to memory of 2312	652	Built.exe	30
PID 2328 wrote to memory of 2316	2328	Solara.exe	31
PID 2328 wrote to memory of 2316	2328	Solara.exe	31
PID 2328 wrote to memory of 2316	2328	Solara.exe	31
PID 2328 wrote to memory of 2316	2328	Solara.exe	31
PID 2316 wrote to memory of 2840	2316	BootstrapperV1.23.exe	33
PID 2316 wrote to memory of 2840	2316	BootstrapperV1.23.exe	33
PID 2316 wrote to memory of 2840	2316	BootstrapperV1.23.exe	33
PID 2840 wrote to memory of 2728	2840	cmd.exe	35
PID 2840 wrote to memory of 2728	2840	cmd.exe	35
PID 2840 wrote to memory of 2728	2840	cmd.exe	35
PID 2316 wrote to memory of 2848	2316	BootstrapperV1.23.exe	36
PID 2316 wrote to memory of 2848	2316	BootstrapperV1.23.exe	36
PID 2316 wrote to memory of 2848	2316	BootstrapperV1.23.exe	36
PID 2848 wrote to memory of 2460	2848	cmd.exe	38
PID 2848 wrote to memory of 2460	2848	cmd.exe	38
PID 2848 wrote to memory of 2460	2848	cmd.exe	38
PID 2316 wrote to memory of 840	2316	BootstrapperV1.23.exe	40
PID 2316 wrote to memory of 840	2316	BootstrapperV1.23.exe	40
PID 2316 wrote to memory of 840	2316	BootstrapperV1.23.exe	40

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2728
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2460
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2316 -s 1152
    3⤵
    - Loads dropped DLL
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.6MB

MD5
5afe94b20789846812239fd3a89ba4f7

SHA1
c952509f94055cd86808dd406dbffb1dfa9ef303

SHA256
67372e612a50b9b067e3a8ed2bc270aa094ce48c3132852a04b22f17adbea15c

SHA512
64744cdf7e1200eb5caa6609fe501d9b3f474db26d1a462116d95427f0e3d690dec2eda7ba7789ce52051b10fb852420e7fcdb9c8ab9a1d7510bc1c969273dcb

Download Submit
memory/2312-37-0x000007FEF6A60000-0x000007FEF70C3000-memory.dmp

Filesize
6.4MB

Download
memory/2316-40-0x0000000000A10000-0x0000000000ADE000-memory.dmp

Filesize
824KB

Download
memory/2328-36-0x0000000000400000-0x0000000000C8C000-memory.dmp

Filesize
8.5MB

Download