da485f602448b5e9d1aeb7fffb94fb5515bb319476ecb6c9e159cef8d96bb46a

Analysis

max time kernel
559s
max time network
547s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UpdateV4.zip
Size

175.2MB
MD5

bf3b4184c09f57a735a28200e974f861
SHA1

1184d6af33e3a7da4e49c40999bb643042c6dc4c
SHA256

da485f602448b5e9d1aeb7fffb94fb5515bb319476ecb6c9e159cef8d96bb46a
SHA512

ba403e78816e3bd109199490d7e7c1406810989d762055587f64c35ab50cc561c930d49210bd3e19f035af32077711b05f040ae49938749792c0578fdd603df8
SSDEEP

3145728:iEZR9BCohjY/J2JCiC2ZKbKIsFfsfgSwkJf7jLrjWKrpbT9XmT4BCohjY/J2JCiL:iEZR5hjSJF2s25NsISxWKrZxwyhjSJFi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Solara.exe

pid	Process
432	Solara.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
4720	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

taskmgr.exe

pid	Process
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
1004	7zFM.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7zFM.exetaskmgr.exe7zG.exe7zG.exe

description	pid	Process
Token: SeRestorePrivilege	1004	7zFM.exe
Token: 35	1004	7zFM.exe
Token: SeSecurityPrivilege	1004	7zFM.exe
Token: SeDebugPrivilege	3580	taskmgr.exe
Token: SeSystemProfilePrivilege	3580	taskmgr.exe
Token: SeCreateGlobalPrivilege	3580	taskmgr.exe
Token: 33	3580	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3580	taskmgr.exe
Token: SeRestorePrivilege	5092	7zG.exe
Token: 35	5092	7zG.exe
Token: SeSecurityPrivilege	5092	7zG.exe
Token: SeSecurityPrivilege	5092	7zG.exe
Token: SeRestorePrivilege	892	7zG.exe
Token: 35	892	7zG.exe
Token: SeSecurityPrivilege	892	7zG.exe
Token: SeSecurityPrivilege	892	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

7zFM.exetaskmgr.exe7zG.exe7zG.exe

pid	Process
1004	7zFM.exe
1004	7zFM.exe
1004	7zFM.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
5092	7zG.exe
892	7zG.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

taskmgr.exe

pid	Process
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe
3580	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE
4720	EXCEL.EXE

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\UpdateV4.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1004

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3580

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\DenyUninstall.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap16308:100:7zEvent8300
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\New_Update\" -spe -an -ai#7zMap4552:100:7zEvent11069
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:892

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Executes dropped EXE
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Key_File\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local_DB\Binn_DB\Resources\ru-RU\SqlUserInstance.dll

Filesize
150KB

MD5
423671a408eedd5e51f4d4f6a3de4589

SHA1
7a96a2c6e2381e78bdd152e3caef75146460f488

SHA256
b62fab3be134e7765720c0eb579be5a65ae719771b1e39c14ac39958d554b90e

SHA512
4e9aa8c9ff248d4ec86d79b8515dbe51fa30aa5b28124a2c1872270c30e7887c1d49c573116237f393c29ef431b97110212fdac9d3a27134b6effdc5d373c11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New_Update\ClientSDK\80\COM\sqlvdi.dll

Filesize
200KB

MD5
5fca59a96ad276ee95bc6ab297c3b374

SHA1
08cf8d5ddf77fb7b51e210a316b5f89b81acb514

SHA256
19e4a2a8676a9f4a488d67f1f7e44bf8a013f0ab5c51d7a0d4911e4b2300e2d6

SHA512
83dffee067f9b6e5349e3b3f4db469ff9e44028e1ccfbcea8b89d2ee3946b75c31aff4a2f04058e22cbf7afe663f650a105c14e1dd9ee096d4d026da0023ff56

Download Submit
C:\Users\Admin\AppData\Local\Temp\New_Update\License Terms\150\LocalDB\Binn\localdbxeventconfig.xml

Filesize
1KB

MD5
e880d4f5587eb5d0aaa1b3e9b6a67df1

SHA1
abdc8cdf87375d70b5c135930737c50021d2cf2c

SHA256
93185d3e7a527c760f2e9b98704b8c93ae7a7e30ad52dfb21f1e1ea5238be7e2

SHA512
e6a365b32a4294fc0b68b1a1e47af5a14e081e78eb3b5c1428477f596719ac46c957f514317d95a204ded340ec585126a8da5a8dede1fa02b2dc8e328e4c24ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\New_Update\SDK\100\KeyFile\1033\sqlsysclrtypes_keyfile.dll

Filesize
13KB

MD5
166a4eb063fbff4d85b7647b9b3819b0

SHA1
1738ea07615836656f9d5579e1de65a1a9fa6ca4

SHA256
c51a51d4e3734765d1352dbf09511e49a2773b3d6bd9a704ee664fb8e3059e42

SHA512
d178a00dd133698bc04c9d641c4c77cd6547c05e2fb4b81d9b86db53b12ee49def2496360eee2d8b84c7461adc1db8cc0f1632d6bd8938957fb34880e8df992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New_Update\SDK\Assemblies\Microsoft.SqlServer.Types.dll

Filesize
374KB

MD5
25656a196ed967bcd4b152a4073b8b44

SHA1
a9b64b8a42c9da3243378f2a17a9ff8057154116

SHA256
36c3e5efd0731ccf5ac9a341c488b4fd14c69747f5a3f6e4cd976a7c1288b3b0

SHA512
3903556d2130a219e9795856a14eb28926e3b798eabfe96353300ccc1c11925aff2f417c9ca588f2ddd0df47d6a64517980a39752edade9ad725f6ee4aa16383

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
346B

MD5
018848bd432a23f3a9f63c8a50791c11

SHA1
c6db9c489b01c5e75c1dfa768319574d6eb275f8

SHA256
89ad860e7edcf615cc94fbe61be49b7cc0ec8c741a524b89db2e174220072587

SHA512
627d2308e7a6d111bfa27f5d41f9ed965c8a18babebb02c3e81177e6c55c0242a098eb64befd8884a087a18f9ef5436ce5f21931330db50b7ab317ce5ac34f11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
1ef0ffca0674cc3bbff66f8588f71a50

SHA1
37f4b1f88e0a0b9cb083d4ffe04112767dd3a14c

SHA256
7c610db1821b4f12e84d810e8683fb8672229d840d1d5091ae21482ffdda73a8

SHA512
fc3233fc4c843ef12351754ef4886f060e0ab7b4fb75425dd66618b292f26268b3c4debeb8477acef2835e51b8326c6fd2ce2e797cca9b4f606fb78a037331e3

Download Submit
memory/432-829-0x000001D2B3570000-0x000001D2B4570000-memory.dmp

Filesize
16.0MB

Download
memory/3580-11-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-13-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-4-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-3-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-14-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-12-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-2-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-10-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-8-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/3580-9-0x00000239A30A0000-0x00000239A30A1000-memory.dmp

Filesize
4KB

Download
memory/4720-21-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

Filesize
64KB

Download
memory/4720-20-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

Filesize
64KB

Download
memory/4720-17-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

Filesize
64KB

Download
memory/4720-15-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

Filesize
64KB

Download
memory/4720-19-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

Filesize
64KB

Download
memory/4720-18-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

Filesize
64KB

Download
memory/4720-16-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

Filesize
64KB

Download