Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 01-01-2025 17:39

Tasks
- Static task: static1
- Behavioral task behavioral1: sample SolaraBootstrapper.exe, resource win7-20241010-en (the run reported on this page)
- Behavioral task behavioral2: sample SolaraBootstrapper.exe, resource win10v2004-20241007-en (results not included on this page)
General
- Target: SolaraBootstrapper.exe
- Size: 39.0MB
- MD5: 674c34ea3491bec6673193c5f3e78214
- SHA1: b5473312a449d5e1f0dec6a9d5c46a7d06708240
- SHA256: d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6
- SHA512: 2d2ecb4ae7389c85d02d0a39ed64f17e75be6cbb0d55736b908f2f8d56a369d6abfdc6b7e5bf27d9752cb79c8fadefc594d2c7afea1a4a14163af3df7724bc48
- SSDEEP: 786432:FDlzv9s86IICalOSTcIoNT9m6Qe0RbpCiKGBAMmL32h7riJMXsMNV:a8BIXkOfo26SRbdBAFLc7riJ
Malware Config

Signatures

Executes dropped EXE (4 IoCs)
  pid   process
  2464  CatLoaderv5juju.exe
  2332  Bootstrapper.exe
  2836  Stub.exe
  1204  Process not Found

Loads dropped DLL (9 IoCs)
  pid   process
  2160  SolaraBootstrapper.exe
  2340  Process not Found
  2464  CatLoaderv5juju.exe
  2836  Stub.exe
  2140  WerFault.exe (5 separate loads)

Drops file in Windows directory (1 IoC)
  description   ioc                              process
  File created  C:\Windows\CatLoaderv5juju.exe   SolaraBootstrapper.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SolaraBootstrapper.exe

Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view network configuration.
  pid   process
  2784  ipconfig.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
  pid   process           privileges enabled
  2904  WMIC.exe          SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 was enabled twice, 40 events)
  2332  Bootstrapper.exe  SeDebugPrivilege
  Reading note: the broad set on WMIC.exe is the privilege enablement wmic.exe performs on its own token at startup regardless of the query it is given, so it carries little signal on its own. The items worth attention are the SeDebugPrivilege request by Bootstrapper.exe and the WMIC command line itself (see the process tree below).

Suspicious use of WriteProcessMemory (26 IoCs)
  source pid  source process          target pid  target process (procid_target)  events
  2160        SolaraBootstrapper.exe  2464        CatLoaderv5juju.exe (30)         4
  2160        SolaraBootstrapper.exe  2332        Bootstrapper.exe (31)            4
  2464        CatLoaderv5juju.exe     2836        Stub.exe (33)                    3
  2332        Bootstrapper.exe        2868        cmd.exe (34)                     3
  2868        cmd.exe                 2784        ipconfig.exe (36)                3
  2332        Bootstrapper.exe        2876        cmd.exe (37)                     3
  2876        cmd.exe                 2904        WMIC.exe (39)                    3
  2332        Bootstrapper.exe        2140        WerFault.exe (42)                3
  Reading note: every write here goes from a parent to the child it has just created, the pattern CreateProcess produces while setting up a new process. None of the writes target an unrelated process, so this signature records process creation rather than injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe   (PID 2160)
  command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\CatLoaderv5juju.exe   (PID 2464)
  |     command line: "C:\Windows\CatLoaderv5juju.exe"
  |     Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\onefile_2464_133802268018576000\Stub.exe   (PID 2836)
  |           command line: C:\Windows\CatLoaderv5juju.exe
  |           Executes dropped EXE; Loads dropped DLL
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe   (PID 2332)
        command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\system32\cmd.exe   (PID 2868)
        |     command line: "cmd" /c ipconfig /all
        |     Suspicious use of WriteProcessMemory
        |     |
        |     +-- C:\Windows\system32\ipconfig.exe   (PID 2784)
        |           command line: ipconfig /all
        |           Gathers network information
        |
        +-- C:\Windows\system32\cmd.exe   (PID 2876)
        |     command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        |     Suspicious use of WriteProcessMemory
        |     |
        |     +-- C:\Windows\System32\Wbem\WMIC.exe   (PID 2904)
        |           command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        |           Suspicious use of AdjustPrivilegeToken
        |
        +-- C:\Windows\system32\WerFault.exe   (PID 2140)
              command line: C:\Windows\system32\WerFault.exe -u -p 2332 -s 1132
              Loads dropped DLL

Reading notes on the tree:
- SolaraBootstrapper.exe writes CatLoaderv5juju.exe directly into C:\Windows and runs it, and separately runs a second dropped binary, Bootstrapper.exe, from the user's Temp directory. Writing to C:\Windows requires the sample to have been started with an elevated token; the sandbox runs it as Admin.
- Stub.exe executes from a Temp subdirectory named onefile_<parent PID>_<timestamp> and inherits its parent's command line. That layout is consistent with a Nuitka onefile container: CatLoaderv5juju.exe is the self-extracting wrapper and Stub.exe is the unpacked program that actually runs.
- Bootstrapper.exe runs two commands through cmd /c: ipconfig /all (network recon) and a WMIC call that replaces the DNS server order on every IP-enabled adapter with 1.1.1.1 and 1.0.0.1 (Cloudflare's public resolvers). The report records the invocation, not whether it succeeded; the change needs an elevated token to take effect. Forcing a known resolver is a way to bypass a DNS filter or a local resolver that blocks the sample's domains, and it is a persistent host change that remains after the process exits.
- WerFault.exe -u -p 2332 is Windows Error Reporting handling a crash of PID 2332, Bootstrapper.exe. The process crashed on this Windows 7 image after the two commands above, so whatever it would have done next was not observed in this run; check the behavioral2 (Windows 10) task before concluding that the recon and DNS change are the full behaviour.
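The process tree above, turned into detection logic, as an added example that is not part of the sandbox report or of any vendor rule set. The script assumes a flat per-process record (pid, ppid, image, cmdline), a constructed schema, and embeds the PIDs, images and command lines from this page as sample input. It flags the four behaviours worth a rule here: an executable dropped straight into C:\Windows by a Temp-resident parent, a onefile_<PID>_<time> unpack directory whose embedded PID matches the parent, ipconfig /all and a WMIC SetDNSServerSearchOrder call whose ancestry leads back to a Temp-resident binary, and a WerFault invocation that ties the crash back to the crashed PID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    """One process record; ppid is None for the root of the tree. Constructed schema."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Sample input, constructed from the process tree in this report (PIDs, images and
# command lines as the sandbox recorded them; the ppid links follow the tree).
SAMPLE_TREE: List[Proc] = [
    Proc(2160, None, r"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"'),
    Proc(2464, 2160, r"C:\Windows\CatLoaderv5juju.exe", r'"C:\Windows\CatLoaderv5juju.exe"'),
    Proc(2836, 2464, r"C:\Users\Admin\AppData\Local\Temp\onefile_2464_133802268018576000\Stub.exe",
         r"C:\Windows\CatLoaderv5juju.exe"),
    Proc(2332, 2160, r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'),
    Proc(2868, 2332, r"C:\Windows\system32\cmd.exe", r'"cmd" /c ipconfig /all'),
    Proc(2784, 2868, r"C:\Windows\system32\ipconfig.exe", r"ipconfig /all"),
    Proc(2876, 2332, r"C:\Windows\system32\cmd.exe",
         r'"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
    Proc(2904, 2876, r"C:\Windows\System32\Wbem\WMIC.exe",
         r'wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
    Proc(2140, 2332, r"C:\Windows\system32\WerFault.exe",
         r"C:\Windows\system32\WerFault.exe -u -p 2332 -s 1132"),
]

# Path and command-line patterns used by the rules below.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)   # directly in C:\Windows, not a subfolder
ONEFILE_DIR = re.compile(r"\\onefile_(\d+)_\d+\\", re.I)               # onefile_<pid>_<timestamp> unpack dir
DNS_CHANGE = re.compile(r"\bnicconfig\b.*\bSetDNSServerSearchOrder\b", re.I)
WERFAULT_TARGET = re.compile(r"-p\s+(\d+)")


def ancestors(procs: List[Proc], pid: int) -> List[Proc]:
    """Parent, grandparent, ... up to the root, nearest first."""
    by_pid = {p.pid: p for p in procs}
    chain: List[Proc] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None:
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def temp_rooted(procs: List[Proc], p: Proc) -> bool:
    """True if the process or any ancestor runs from the user's Temp directory."""
    return any(USER_TEMP.match(a.image) for a in [p] + ancestors(procs, p.pid))


def analyse(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) findings in process order."""
    findings: List[Tuple[str, int]] = []
    for p in procs:
        chain = ancestors(procs, p.pid)
        parent = chain[0] if chain else None
        base = p.image.lower().rsplit("\\", 1)[-1]

        # R1: an executable sitting directly in C:\Windows, launched by a Temp-resident parent.
        if WINDOWS_ROOT_EXE.match(p.image) and parent and USER_TEMP.match(parent.image):
            findings.append(("windows_root_exe_from_temp", p.pid))

        # R2: onefile unpack directory whose embedded PID is the parent's PID.
        m = ONEFILE_DIR.search(p.image)
        if m and parent and int(m.group(1)) == parent.pid:
            findings.append(("onefile_unpack", p.pid))

        # R3: ipconfig /all with a Temp-resident ancestor (recon from a dropped binary).
        if base == "ipconfig.exe" and "/all" in p.cmdline.lower() and temp_rooted(procs, p):
            findings.append(("ipconfig_recon", p.pid))

        # R4: WMIC rewriting the DNS server order, again with a Temp-resident ancestor.
        # Matched on WMIC.exe itself, not on the cmd.exe wrapper that carries the same text.
        if base == "wmic.exe" and DNS_CHANGE.search(p.cmdline) and temp_rooted(procs, p):
            findings.append(("wmic_dns_change", p.pid))

        # R5: WerFault -p <pid> identifies which process crashed; report that pid, not WerFault's.
        if base == "werfault.exe":
            t = WERFAULT_TARGET.search(p.cmdline)
            if t:
                findings.append(("crash_report", int(t.group(1))))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(SAMPLE_TREE):
        print(f"{rule:28s} pid={pid}")
```

Two design points carry over to a real rule set: R4 keys on the image that performs the action (WMIC.exe) rather than on the cmd.exe wrapper, which otherwise produces a duplicate hit for every /c invocation, and R5 resolves the -p argument so the finding points at Bootstrapper.exe (PID 2332), the process that actually crashed.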
Network
MITRE ATT&CK Enterprise v15
Downloads
Files recorded by the sandbox during the run (file names are not given on this page):

File 1
- Filesize: 4.3MB
- MD5: e4533934b37e688106beac6c5919281e
- SHA1: ada39f10ef0bbdcf05822f4260e43d53367b0017
- SHA256: 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
- SHA512: fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

File 2
- Filesize: 38.2MB
- MD5: 435ec84a9fa0cd8a5d979f139d529edd
- SHA1: 2cd983ba573163cd7cf34ff7e989e4773a1f1465
- SHA256: 6ce7962f45d3739810870c363f2bfab0e9cbfe448e5b5f1e6cfab829df610eb5
- SHA512: 5e138c594b1ac0be97ed772a2007765f5b887a71f4d2a009d5ac37f6074e78fe92a38a1d8abad560e7abfa4b78f7352e18647ec90ca8df4c014e550c1b1fe059

File 3
- Filesize: 800KB
- MD5: 02c70d9d6696950c198db93b7f6a835e
- SHA1: 30231a467a49cc37768eea0f55f4bea1cbfb48e2
- SHA256: 8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
- SHA512: 431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb