Analysis

max time kernel: 144s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 20:44
Behavioral tasks

behavioral1: SolaraBootStrapper-main/Bootstrapper.exe on win7-20240903-en
behavioral2: SolaraBootStrapper-main/Bootstrapper.exe on win10v2004-20241007-en
behavioral3: SolaraBootStrapper-main/SolaraBootstrapper.exe on win7-20240903-en
behavioral4: SolaraBootStrapper-main/SolaraBootstrapper.exe on win10v2004-20241007-en

The results below are for behavioral3 (SolaraBootstrapper.exe on the win7-20240903-en resource, platform windows7_x64).
General

Target: SolaraBootStrapper-main/SolaraBootstrapper.exe
Size: 766KB
MD5: d994d58e87f0deda637e325d0a54a347
SHA1: 8b72ea95b3569ba1ca12cb7ead4edd6e5694614d
SHA256: 6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3
SHA512: cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9
SSDEEP: 12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9i8Oj:GnsJ39LyjbJkQFMhmC+6GD9i
Malware Config

Extracted
Family: xred
C2: xred.mooo.com
payload_url (each payload is listed at three mirrors: a Google Docs download, a Dropbox share and the actor-controlled xred.site50.net host; the first entry is a freedns.afraid.org dynamic-DNS API call rather than a file):
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
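The mix of hosts in this config matters for blocking: xred.mooo.com and xred.site50.net can go on a host or DNS blocklist, but docs.google.com, www.dropbox.com and freedns.afraid.org cannot, so those entries have to be matched as exact URLs. The Python below is an added example, not part of the report or of the Solara/Xred code: it splits the extracted config into the two lists and checks constructed proxy log lines against them, matching query parameters as an unordered set so a reordered Google Docs URL still hits. The shared-service list, the log format and the log lines are assumptions made for the example.

```python
"""Turn the extracted Xred config into a host blocklist plus an exact-URL
list, then check proxy log lines against both."""
from urllib.parse import urlsplit, parse_qsl

# payload_url entries and the C2 host copied from the extracted config above.
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
C2_HOSTS = {"xred.mooo.com"}

# Shared services that legitimate traffic also uses (assumption about the
# environment): these are blocked by exact URL only, never by hostname.
SHARED_SERVICES = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def canon(url):
    """Canonical form for comparison: (host, path, query as an unordered set
    of key/value pairs), so reordered parameters still compare equal."""
    p = urlsplit(url.strip())
    return ((p.hostname or "").lower(), p.path,
            frozenset(parse_qsl(p.query, keep_blank_values=True)))


def classify(urls, c2_hosts, shared_services):
    """Split the config into hosts to block outright and exact URLs to match."""
    block_hosts = {h.lower() for h in c2_hosts}
    block_urls = set()
    for u in urls:
        c = canon(u)
        if c[0] in shared_services:
            block_urls.add(c)
        else:
            block_hosts.add(c[0])
    return block_hosts, block_urls


def match_proxy_log(lines, block_hosts, block_urls):
    """Return (line_no, reason, indicator) for each hit.
    Assumed log format: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        c = canon(parts[3])
        if c[0] in block_hosts:
            hits.append((n, "host", c[0]))
        elif c in block_urls:
            hits.append((n, "url", parts[3]))
    return hits


# Constructed proxy log: the first three lines echo the config (the Google
# URL with its parameters reordered), the last two are ordinary use of the
# same services and must not match.
SAMPLE_LOG = """\
2024-12-08T20:44:10Z 10.0.0.5 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 200
2024-12-08T20:44:11Z 10.0.0.5 GET https://docs.google.com/uc?export=download&id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk 302
2024-12-08T20:44:12Z 10.0.0.5 GET http://xred.site50.net/syn/Synaptics.rar 404
2024-12-08T20:44:13Z 10.0.0.7 GET https://docs.google.com/document/d/example/edit 200
2024-12-08T20:44:14Z 10.0.0.7 GET https://www.dropbox.com/home 200
"""

if __name__ == "__main__":
    hosts, urls = classify(PAYLOAD_URLS, C2_HOSTS, SHARED_SERVICES)
    for hit in match_proxy_log(SAMPLE_LOG.splitlines(), hosts, urls):
        print(hit)
```

Three of the five constructed lines hit (two by exact URL, one by host). Because the Google and Dropbox entries are compared on host, path and parameter set, a proxy that logs the parameters in a different order still matches; a hostname-only rule for those two services would have flagged the benign lines as well.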
Signatures

Xred family

Executes dropped EXE (3 IoCs)
  PID   Process
  2184  ._cache_SolaraBootstrapper.exe
  1912  Synaptics.exe
  2296  ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
  PID   Process                 Events
  2148  SolaraBootstrapper.exe  3
  1912  Synaptics.exe           2

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by SolaraBootstrapper.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\ProgramData\Synaptics\Synaptics.exe"

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  Flow  Destination
  7     raw.githubusercontent.com
  8     raw.githubusercontent.com
  9     raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  By: EXCEL.EXE, SolaraBootstrapper.exe, ._cache_SolaraBootstrapper.exe, Synaptics.exe, ._cache_Synaptics.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
  By: EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 644  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process                         Events
  2184  ._cache_SolaraBootstrapper.exe  2
  2296  ._cache_Synaptics.exe           2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2184  ._cache_SolaraBootstrapper.exe
  Token: SeDebugPrivilege  PID 2296  ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 644  EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs, four identical entries per child process)
  PID   Process                 Wrote to PID  procid_target  Entries
  2148  SolaraBootstrapper.exe  2184          30             4
  2148  SolaraBootstrapper.exe  1912          32             4
  1912  Synaptics.exe           2296          33             4
Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\SolaraBootstrapper.exe (PID 2148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\SolaraBootstrapper.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_SolaraBootstrapper.exe (PID 2184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_SolaraBootstrapper.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\Synaptics\Synaptics.exe (PID 1912)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_Synaptics.exe (PID 2296)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 644)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
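The process tree and the Run-key signature together give three host-side tells that do not depend on the sample's hashes: a child whose image name is the parent's name with a `._cache_` prefix, Synaptics.exe started from C:\ProgramData with the InjUpdate argument, and a Run value named "Synaptics Pointing Device Driver" pointing into ProgramData. The Python below is an added example, not part of the report or of the Solara/Xred code: it encodes those three rules over process-create and registry-set events and runs them on events constructed from the tree above. The parent PIDs of the two top-level processes, the benign SynTPEnh.exe control entry and the event field names are assumptions made for the example.

```python
"""Flag the Xred execution pattern from process-create and registry-set
events, using the three tells visible in the report's process tree."""
from pathlib import PureWindowsPath

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SolaraBootStrapper-main"

# Events constructed from the report. Parent PIDs 1000 and 700 and the
# SynTPEnh.exe entry (a real Synaptics driver path, as a benign control)
# are assumptions.
EVENTS = [
    {"type": "process", "pid": 2148, "ppid": 1000,
     "image": TEMP + "\\SolaraBootstrapper.exe",
     "cmdline": '"' + TEMP + '\\SolaraBootstrapper.exe"'},
    {"type": "process", "pid": 2184, "ppid": 2148,
     "image": TEMP + "\\._cache_SolaraBootstrapper.exe",
     "cmdline": '"' + TEMP + '\\._cache_SolaraBootstrapper.exe"'},
    {"type": "registry", "pid": 2148,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
            "\\CurrentVersion\\Run\\Synaptics Pointing Device Driver",
     "value": "C:\\ProgramData\\Synaptics\\Synaptics.exe"},
    {"type": "process", "pid": 1912, "ppid": 2148,
     "image": "C:\\ProgramData\\Synaptics\\Synaptics.exe",
     "cmdline": '"C:\\ProgramData\\Synaptics\\Synaptics.exe" InjUpdate'},
    {"type": "process", "pid": 2296, "ppid": 1912,
     "image": TEMP + "\\._cache_Synaptics.exe",
     "cmdline": '"' + TEMP + '\\._cache_Synaptics.exe" InjUpdate'},
    {"type": "process", "pid": 644, "ppid": 700,
     "image": "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE"'
                ' /automation -Embedding'},
    {"type": "process", "pid": 3000, "ppid": 1,
     "image": "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe",
     "cmdline": '"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"'},
]


def name_of(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect_xred(events):
    """Return (rule, pid) pairs.
    cache_sibling: child image name is '._cache_' + parent image name.
    synaptics_programdata: Synaptics.exe under C:\\ProgramData run with InjUpdate.
    run_key: Run value 'Synaptics Pointing Device Driver', or any Run value
      whose data points into ProgramData\\Synaptics."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = name_of(e["image"])
            parent = procs.get(e["ppid"])
            if parent and name == "._cache_" + name_of(parent["image"]):
                findings.append(("cache_sibling", e["pid"]))
            if (name == "synaptics.exe"
                    and e["image"].lower().startswith("c:\\programdata\\")
                    and "injupdate" in e["cmdline"].lower()):
                findings.append(("synaptics_programdata", e["pid"]))
        elif e["type"] == "registry":
            key, value = e["key"].lower(), e["value"].lower()
            if "\\currentversion\\run\\" in key and (
                    key.endswith("\\synaptics pointing device driver")
                    or "\\programdata\\synaptics\\" in value):
                findings.append(("run_key", e["pid"]))
    return findings


def verdict(findings):
    """Two independent rules firing is enough to call it Xred."""
    return "xred" if len({rule for rule, _ in findings}) >= 2 else "no_match"


if __name__ == "__main__":
    hits = detect_xred(EVENTS)
    print(hits, verdict(hits))
```

On the constructed events the rules fire for PIDs 2184 and 2296 (cache_sibling), 1912 (synaptics_programdata) and 2148 (run_key); EXCEL.EXE and the driver under Program Files are left alone. The cache_sibling rule deliberately keys on the name relation only, because the tree shows `._cache_Synaptics.exe` running from the Temp folder, not beside its parent in ProgramData.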
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 766KB (same hashes as the submitted sample)
MD5: d994d58e87f0deda637e325d0a54a347
SHA1: 8b72ea95b3569ba1ca12cb7ead4edd6e5694614d
SHA256: 6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3
SHA512: cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9

Filesize: 13KB
MD5: 6557bd5240397f026e675afb78544a26
SHA1: 839e683bf68703d373b6eac246f19386bb181713
SHA256: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512: f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Filesize: 24KB
MD5: 2bbddd4d9f4f9a5812a4b01845103536
SHA1: 8a76133e8234f1ed909325df46a35dabe0e74222
SHA256: 9127995c1ceb27ee0fcf9884a77f48c4f7112143e737001d58cb3e0e8a34f3cf
SHA512: 8bc0226ead3b10521510f510cc181466bd0f46d598ae52b14b0d310b0662639209aa6f82b13872e427f8714293a86d6eda09d226ef1ee580ad2186054357137a

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04