General
Target: Solar Lite Installer.exe
Size: 1.3MB
Sample: 241118-1j4tcswfnr
MD5: dd8c5c7c305665dcad8e5782c95f4a89
SHA1: 11030215601ef6dd6c5576d9562fb5be2c2138b8
SHA256: 007cfb9b07a76a2ad7280deb4cf9c88d1f7e7fcd59ba7c028bb47dd351e46498
SHA512: 95c9dea6105d774f6e25a2384dbdbb511f654be054deceeb7f09ae5957afc6f234e2b4b3087f82b2d75c6501cda069eb736e54ed0e34ae2139393a18a05908f0
SSDEEP: 24576:ewYsivZnt8U9GTQcPTAcySiDNpfVkqgfPyU8/oa8reuaD6UwYsivZnt8U9Y:ejzZnPC70nS4pfVkqgy6r3aGUjzZnP
Static task: static1
Behavioral task: behavioral1
  Sample: Solar Lite Installer.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: Solar Lite Installer.exe
  Resource: win10ltsc2021-20241023-en
Malware Config

Targets
Target: Solar Lite Installer.exe, 1.3MB (same file and hashes as listed under General above)
- Looks for VirtualBox Guest Additions in registry
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
- Possible privilege escalation attempt
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking: Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Modifies file permissions
- Modifies system executable filetype association
- Drops desktop.ini file(s)
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Indicator Removal: File Deletion: Adversaries may delete files left behind by the actions of their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Modifies boot configuration data using bcdedit
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Event Triggered Execution (2)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
  Power Settings (1)
Privilege Escalation
  Event Triggered Execution (2)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
Defense Evasion
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
  Virtualization/Sandbox Evasion (2)
Discovery
  Peripheral Device Discovery (1)
  Process Discovery (1)
  Query Registry (6)
  System Information Discovery (5)
  System Location Discovery (1)
  System Language Discovery (1)
  System Network Configuration Discovery (1)
  Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (2)