Analysis
Max time kernel: 141s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 08-12-2024 20:42
Behavioral task behavioral1: sample SolaraBootstrapper.exe, resource win7-20240903-en
Behavioral task behavioral2: sample SolaraBootstrapper.exe, resource win10v2004-20241007-en
General
Target: SolaraBootstrapper.exe
Size: 766KB
MD5: d994d58e87f0deda637e325d0a54a347
SHA1: 8b72ea95b3569ba1ca12cb7ead4edd6e5694614d
SHA256: 6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3
SHA512: cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9
SSDEEP: 12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9i8Oj:GnsJ39LyjbJkQFMhmC+6GD9i
Malware Config
Extracted
xred
xred.mooo.com
payload_url:
- http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
- https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
- http://xred.site50.net/syn/SUpdate.ini
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
- http://xred.site50.net/syn/Synaptics.rar
- https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
- https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
- http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Executes dropped EXE (3 IoCs)
- PID 2392: ._cache_SolaraBootstrapper.exe
- PID 2712: Synaptics.exe
- PID 2876: ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
- PID 2080: SolaraBootstrapper.exe (3 loads)
- PID 2712: Synaptics.exe (2 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: SolaraBootstrapper.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- flow 7: raw.githubusercontent.com
- flow 9: raw.githubusercontent.com
- flow 11: raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: Synaptics.exe, EXCEL.EXE, ._cache_Synaptics.exe, SolaraBootstrapper.exe, ._cache_SolaraBootstrapper.exe)
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2624: EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2392: ._cache_SolaraBootstrapper.exe (2 hits)
- PID 2876: ._cache_Synaptics.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2392: ._cache_SolaraBootstrapper.exe
- Token: SeDebugPrivilege, PID 2876: ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2624: EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2080 (SolaraBootstrapper.exe) wrote to memory of PID 2392, procid_target 31 (4 writes)
- PID 2080 (SolaraBootstrapper.exe) wrote to memory of PID 2712, procid_target 33 (4 writes)
- PID 2712 (Synaptics.exe) wrote to memory of PID 2876, procid_target 34 (4 writes)
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
PID: 2080
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    Process (depth 2): C:\Users\Admin\AppData\Local\Temp\._cache_SolaraBootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_SolaraBootstrapper.exe"
    PID: 2392
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Process (depth 2): C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2712
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        Process (depth 3): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        PID: 2876
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Process (depth 1): C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
PID: 2624
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15