Overview

overview

10

Static

static

1

Solara.exe

windows7-x64

10

Solara.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara.exe

  • Size

    7.3MB

  • MD5

    a46c3372dbfc0e3f4a97db227e07b131

  • SHA1

    247d84b02e289747b965af37b1d331f47633b1ca

  • SHA256

    767b5beda00bc75c954a9be8726b2f76a300e49f428eb64cbc362366bd2528a2

  • SHA512

    17b1068602a2ddffa93fcfd174fc63400853fc5b83305c55c0075f02463214cf82e12bfb6424bee897c0bd6a20561fb1ca95b190cf4fd1f7c6761e06d8b573cb

  • SSDEEP

    98304:zwREXBlkqxKUUhU5/UV2QU61X/8LyyTUspbP34igWLqmfoRp:JXBlkqgUIgQU6ReDoi7eRp

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://conscienyb.cyou

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Local\Temp\is-D72TQ.tmp\Solara.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D72TQ.tmp\Solara.tmp" /SL5="$60238,2765305,794112,C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Local\Temp\Solara.exe
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Users\Admin\AppData\Local\Temp\is-PSF5Q.tmp\Solara.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-PSF5Q.tmp\Solara.tmp" /SL5="$701BA,2765305,794112,C:\Users\Admin\AppData\Local\Temp\Solara.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3212
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2516
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:4240
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3276
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1204
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:1920
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2192
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3264
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:936
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2912
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:832
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:1236
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1268
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2572
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:4124
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4228
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2408
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:980
                      • C:\Users\Admin\AppData\Local\CheckMAL\Updater.exe
                        "C:\Users\Admin\AppData\Local\CheckMAL\\Updater.exe" "C:\Users\Admin\AppData\Local\CheckMAL\\fluoborate.csv"
                        5⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2752
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\h5KKgGZj.a3x && del C:\ProgramData\\h5KKgGZj.a3x
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2144
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 5 127.0.0.1
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:4540
                          • C:\Users\Admin\AppData\Local\CheckMAL\Updater.exe
                            updater.exe C:\ProgramData\\h5KKgGZj.a3x
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious use of WriteProcessMemory
                            PID:3480
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              8⤵
                                PID:2696
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                8⤵
                                • System Location Discovery: System Language Discovery
                                PID:2392

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\CheckMAL\Updater.exe
                  Filesize

                  921KB

                  MD5

                  3f58a517f1f4796225137e7659ad2adb

                  SHA1

                  e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                  SHA256

                  1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                  SHA512

                  acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                  Download Submit

                • C:\Users\Admin\AppData\Local\CheckMAL\fluoborate.csv
                  Filesize

                  58KB

                  MD5

                  282d690a4fef62e4388c9e5e55144f3d

                  SHA1

                  0b463607d47ea7351a11e356f1f60ea8a48090ec

                  SHA256

                  9de34ff67869d1ecfbf1f90ff7f008d9b44b2fd4d2e584973adb713b944df74a

                  SHA512

                  db8cc4776999ee6e61fc9c2173d3001a850bd45fa7ef08f818528c532f366fbf40c4a7b33e87bfb1359e14826dd3cc7a94836c0d6ae8eaa3bdd8bb0b95006168

                  Download Submit

                • C:\Users\Admin\AppData\Local\CheckMAL\fluoborate.xlm
                  Filesize

                  498KB

                  MD5

                  cbc85c76b54762eb69e222d4d9118da3

                  SHA1

                  f8d5a96ade427809e0854ff2eb27f91888d2147d

                  SHA256

                  5e5e67d14fdaf518fa0d47cfde640b6197589cfa49c41d77ab3d44662da477c6

                  SHA512

                  87f22bc383916fe14d0b045afc3dbfdbe4e4f16edff16e185406f73e3913df4594585acd5acd8710d27a0b69b0971bbc9f787e28e0f6ca06d95d9e8230cfda50

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-D72TQ.tmp\Solara.tmp
                  Filesize

                  3.1MB

                  MD5

                  75c16b724c278fbca344494bae7183ca

                  SHA1

                  5acb3173196c759c47bf99dcaad83216408614a4

                  SHA256

                  de66a86b95fc08742d64ce0a8cf288bf55c99161c76e7cd29cd1230c43deb20b

                  SHA512

                  138b6566d16ac0f96d3fc0d59a27477c16ab6fdf634b5e3dcecc2747ea2529aa06a96a61dee7f99d3f177e7f6f94d136508d8ca4fdf5f0178c7d63a8a05efc17

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-MQGN4.tmp\_isetup\_isdecmp.dll
                  Filesize

                  28KB

                  MD5

                  077cb4461a2767383b317eb0c50f5f13

                  SHA1

                  584e64f1d162398b7f377ce55a6b5740379c4282

                  SHA256

                  8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

                  SHA512

                  b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

                  Download Submit

                • memory/956-16-0x00000000009A0000-0x0000000000CCF000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/956-6-0x00000000009A0000-0x0000000000CCF000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/1060-24-0x0000000001230000-0x0000000001231000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1060-62-0x0000000000D30000-0x000000000105F000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/2392-72-0x0000000000400000-0x000000000045E000-memory.dmp

                  Filesize

                  376KB

                  Download

                • memory/2392-73-0x0000000000400000-0x000000000045E000-memory.dmp

                  Filesize

                  376KB

                  Download

                • memory/4832-20-0x00000000009D0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  832KB

                  Download

                • memory/4832-0-0x00000000009D0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  832KB

                  Download

                • memory/4832-2-0x00000000009D1000-0x0000000000A79000-memory.dmp

                  Filesize

                  672KB

                  Download

                • memory/5044-17-0x00000000009D0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  832KB

                  Download

                • memory/5044-66-0x00000000009D0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  832KB

                  Download