Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-12-2024 23:15
- Static task static1
- Behavioral task behavioral1: Sample Solaraexecutor.zip, Resource win7-20240903-en
- Behavioral task behavioral2: Sample Solaraexecutor.zip, Resource win10v2004-20241007-en
- Behavioral task behavioral3: Sample Bootstraper.exe, Resource win7-20240903-en
- Behavioral task behavioral4: Sample Bootstraper.exe, Resource win10v2004-20241007-en
- Behavioral task behavioral5: Sample cachehandler.dll, Resource win10v2004-20241007-en
General
- Target: Solaraexecutor.zip
- Size: 30.1MB
- MD5: 5b96ce8081bb025c4ad8ae12dc91e102
- SHA1: 8708c3a51d990a437a4fe003c1fe2bc39e2f65cb
- SHA256: f9e5fe3194d9734845dd782b8e41065577ed7628a112934f1a57599f8dd92209
- SHA512: 39a5e646df49f5c45f24e6aa479dfb40302f939383fdad15d6e3d9de7819aac5a2ec5525fad46ead503fe94d97b11fa587aa0448051d78d37ee8f0f6fdaa146a
- SSDEEP: 786432:3mA77b6IpMM1QvHzoB/h4pUfbRgo0lJBrPCLaBzR8mHl0:X/b6OMM1QvM/4p8R30lju26m6
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  pid   Process
  3008  Bootstraper.exe
  2728  Bootstraper.exe
  2660  Bootstraper.exe
  2572  Bootstraper.exe
  2652  Bootstraper.exe
  1944  Bootstraper.exe
  1656  Bootstraper.exe
  1480  Bootstraper.exe
  2632  Bootstraper.exe
  3004  Bootstraper.exe
- Loads dropped DLL (51 IoCs)
  pid   Process            entries
  2432  7zFM.exe           6
  1220  Process not Found  45
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process            entries
  2432  7zFM.exe           3
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2432  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                 pid   Process   entries
  Token: SeRestorePrivilege   2432  7zFM.exe  1
  Token: 35                   2432  7zFM.exe  1
  Token: SeSecurityPrivilege  2432  7zFM.exe  6
- Suspicious use of FindShellTrayWindow (8 IoCs)
  pid   Process            entries
  2432  7zFM.exe           8
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process   procid_target  entries
  PID 2432 wrote to memory of 3008  2432  7zFM.exe  31             3
  PID 2432 wrote to memory of 2728  2432  7zFM.exe  32             3
  PID 2432 wrote to memory of 2660  2432  7zFM.exe  33             3
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.zip"
  PID: 2432
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\7zO08943337\Bootstraper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO08943337\Bootstraper.exe"
    PID: 3008
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\7zO0890D807\Bootstraper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO0890D807\Bootstraper.exe"
    PID: 2728
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\7zO08900517\Bootstraper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO08900517\Bootstraper.exe"
    PID: 2660
    - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 2572
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 2652
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 1944
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 1656
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 1480
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 2632
  - Executes dropped EXE
- C:\Users\Admin\Desktop\Bootstraper.exe
  Command line: "C:\Users\Admin\Desktop\Bootstraper.exe"
  PID: 3004
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 4.7MB
- MD5: a7b7470c347f84365ffe1b2072b4f95c
- SHA1: 57a96f6fb326ba65b7f7016242132b3f9464c7a3
- SHA256: af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
- SHA512: 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d