Overview
overview
10Static
static
10Solara.exe
windows11-21h2-x64
10WindowsManager.dll
windows11-21h2-x64
1assets/Tap...er.dll
windows11-21h2-x64
1assets/WSe...in.dll
windows11-21h2-x64
7assets/Wpc...el.dll
windows11-21h2-x64
1assets/WsUpgrade.dll
windows11-21h2-x64
7library/AR...et.dll
windows11-21h2-x64
1library/Autofac.dll
windows11-21h2-x64
1library/Ga...rm.dll
windows11-21h2-x64
1library/Ga...ht.dll
windows11-21h2-x64
1Analysis
-
max time kernel
89s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-12-2024 10:45
Behavioral task
behavioral1
Sample
Solara.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
WindowsManager.dll
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
assets/TapInstaller.dll
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
assets/WSearchMigPlugin.dll
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
assets/WpcMigration.Uplevel.dll
Resource
win11-20241007-en
Behavioral task
behavioral6
Sample
assets/WsUpgrade.dll
Resource
win11-20241007-en
Behavioral task
behavioral7
Sample
library/ARSoft.Tools.Net.dll
Resource
win11-20241007-en
Behavioral task
behavioral8
Sample
library/Autofac.dll
Resource
win11-20241023-en
Behavioral task
behavioral9
Sample
library/GalaSoft.MvvmLight.Platform.dll
Resource
win11-20241007-en
Behavioral task
behavioral10
Sample
library/GalaSoft.MvvmLight.dll
Resource
win11-20241007-en
General
-
Target
assets/WsUpgrade.dll
-
Size
201KB
-
MD5
9d99b0e88cc4eaa43141dea9e31ed3be
-
SHA1
442e48476650e97cfac8e8088a7315b9804be0c1
-
SHA256
061de26f44da62a17eecb71f078ef90a9c8784e7c58500984314c74b32c12e46
-
SHA512
2a0cd7adf67e535cf4a40988d6da4ee69970694875504ea7f7e68cef19e01675557bd3021d867c2bb837d1c3e8287d710259c921967324255c53d0351c6d48df
-
SSDEEP
3072:a0qV+qDh/7k8Rr92ZSbTP6c27UxDOUreaNQbmOhG7/tfxvharBjnt:a0qVHV1IwTPrFtOe/tzarB7
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 27 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\AppID = "{b147aea4-d71d-4715-be15-becc101ac2c9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wsupgrade.DLL\AppID = "{b147aea4-d71d-4715-be15-becc101ac2c9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin\CurVer\ = "WsUpgrade.WsUpgradePlugin.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin\ = "CWsUpgradePlugin Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\InprocServer32\ThreadingModel = "free" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\ = "CWsUpgradePlugin Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\VersionIndependentProgID\ = "WsUpgrade.WsUpgradePlugin" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\assets\\WsUpgrade.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{b147aea4-d71d-4715-be15-becc101ac2c9}\ = "WsUpgradePlugin" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{b147aea4-d71d-4715-be15-becc101ac2c9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin.1\ = "CWsUpgradePlugin Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin.1\CLSID\ = "{8707fcd0-e62a-4451-b224-7707ffe1c286}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\ProgID\ = "WsUpgrade.WsUpgradePlugin.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\TypeLib\ = "{B147AEA4-D71D-4715-BE15-BECC101AC2C9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wsupgrade.DLL regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WsUpgrade.WsUpgradePlugin\CLSID\ = "{8707fcd0-e62a-4451-b224-7707ffe1c286}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8707fcd0-e62a-4451-b224-7707ffe1c286}\Programmable regsvr32.exe