822b6bd963cba3c0762d3ddfa83b070c33d9b90eedba798fa5d5436aae491a19

General

Target

Solara1.25.exe
Size

71.8MB
MD5

6b32177d5218d0f5158eb91bfcc54c15
SHA1

19d0b30aa6fe9a5bbc9b583bbd48b70861420b4a
SHA256

822b6bd963cba3c0762d3ddfa83b070c33d9b90eedba798fa5d5436aae491a19
SHA512

39db07ff94dcc915f221f558f69590d32f0fae09bcd2b6d9c2ad01d2af83ef5dca5adbcb3a5d3837aad586232bec400ea8733bfd10c1fb7207017c67e81b171d
SSDEEP

1572864:v9JxSm1WIacirAH8+1osuTCSxOB6xMLiIpB2qHWB75ilQhmqZ8Qry4hlDVgc:fzZRS6xjKcBa6/2qHO5iopyQry4bB

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara1.25.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara1.25.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara1.25.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara1.25.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara1.25.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara1.25.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	Solara1.25.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2280-0-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2280-3-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2280-2-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2764-1158-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2764-1160-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2764-1161-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2280-1164-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2764-1165-0x0000000140000000-0x0000000140945000-memory.dmp	themida
behavioral1/memory/2280-2320-0x0000000140000000-0x0000000140945000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara1.25.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara1.25.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2280	Solara1.25.exe
2764	Solara1.25.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2764	2280	Solara1.25.exe	31
PID 2280 wrote to memory of 2764	2280	Solara1.25.exe	31
PID 2280 wrote to memory of 2764	2280	Solara1.25.exe	31

C:\Users\Admin\AppData\Local\Temp\Solara1.25.exe
"C:\Users\Admin\AppData\Local\Temp\Solara1.25.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\Solara1.25.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara1.25.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22802\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
memory/2280-3-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2280-2-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2280-1-0x0000000077A70000-0x0000000077A72000-memory.dmp

Filesize
8KB

Download
memory/2280-2320-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2280-1157-0x0000000002560000-0x0000000002EA5000-memory.dmp

Filesize
9.3MB

Download
memory/2280-0-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2280-1164-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2764-1159-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/2764-1161-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2764-1160-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2764-1165-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download
memory/2764-1166-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/2764-1158-0x0000000140000000-0x0000000140945000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads