11a49e73950aa79c817fed5d9697a1dd54ec0a2a49d6912e242723d9362e93b1

Analysis

max time kernel
146s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/11/2024, 09:50

Target

Solara.Dir.zip
Size

8.1MB
MD5

3e43dcff99c57b4cb9d97e24e25db99d
SHA1

5faf0c31e64e5e4f12dbef19b691afe34ca3db91
SHA256

11a49e73950aa79c817fed5d9697a1dd54ec0a2a49d6912e242723d9362e93b1
SHA512

ffa859d0614a77fd2d77091e2454b1ede57b9754ac49e6dabde10274db089c51ccd9e6106258c6a462ed5250450c0cf0ba858f4466c7a559364018a949e2a901
SSDEEP

196608:ejClNpI6dq3CGRJaeDL6wNvTdspttcLcTBk1F/2:LIIq3CuMeD2yT+Ttyb2

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
3352	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4460	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Suspicious use of FindShellTrayWindow 3 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3352	1412	7zFM.exe	77
PID 1412 wrote to memory of 3352	1412	7zFM.exe	77
PID 1412 wrote to memory of 4460	1412	7zFM.exe	83
PID 1412 wrote to memory of 4460	1412	7zFM.exe	83

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Solara.Dir.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\7zO485ABE88\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO485ABE88\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\7zO485C6DF8\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO485C6DF8\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  2⤵
  - Executes dropped EXE
  PID:4460

C:\Users\Admin\AppData\Local\Temp\7zO485ABE88\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
memory/3352-12-0x00007FFDD1B53000-0x00007FFDD1B55000-memory.dmp

Filesize
8KB

Download
memory/3352-13-0x000001FED9380000-0x000001FED939A000-memory.dmp

Filesize
104KB

Download
memory/3352-14-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

Filesize
10.8MB

Download
memory/3352-15-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

Filesize
10.8MB

Download