Resubmissions
26/02/2025, 17:11
250226-vqhltawyfy 3
Analysis
max time kernel: 91s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted: 26/02/2025, 17:11
Static task: static1
Behavioral task: behavioral1 (sample: solara.exe, resource: win7-20241010-en)
Behavioral task: behavioral2 (sample: solara.exe, resource: win10v2004-20250217-en)
General
Target: solara.exe
Size: 5.0MB
MD5: 490c2bb3790ac4202ab4ba700e2058a7
SHA1: 25de62792ba828dab9e74edf121bdf8e8ff0f0f2
SHA256: d1a7c1e5ecdc4376b07913434048d2625def43e46504715a7a6600505319ad51
SHA512: 59fecb83e64abdc5da339cb1506832418ccf99d5c0bf5c46e2359b7f4674381784e3d621df0bebc107e17d728c8ec6ba672f5e5e88a7183c562541bb7a56d1bf
SSDEEP: 98304:FtNUK2yL5IrA3ocpcRDL+O14UndAtax4bmtQHgNByxuq4aX7lvECX+e0+Y:FzU5yt53oUIX+ggtax4bKQHgN/arpE4+
Malware Config
Signatures
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1968  4372        WerFault.exe  83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  solara.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1272  msedge.exe           (2 entries)
  2892  msedge.exe           (2 entries)
  3548  identity_helper.exe  (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid   Process
  2892  msedge.exe  (9 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4372  solara.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  2892  msedge.exe  (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  2892  msedge.exe  (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 2892 wrote to memory of 4712  2892  msedge.exe  93
  PID 2892 wrote to memory of 4024  2892  msedge.exe  94
  PID 2892 wrote to memory of 1272  2892  msedge.exe  95
  PID 2892 wrote to memory of 3544  2892  msedge.exe  96
  (The rows for targets 4712 and 1272 each appear twice; the rows for targets 4024 and 3544 are repeated and make up the remaining 60 of the 64 entries. Every entry is a write by PID 2892.)
Processes
(indentation shows parent/child depth in the process tree)

solara.exe (PID 4372)
  "C:\Users\Admin\AppData\Local\Temp\solara.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
    WerFault.exe (PID 1968)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1128
      - Program crash

WerFault.exe (PID 1336)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372

msedge.exe (PID 2892)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    msedge.exe (PID 4712)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd9b0146f8,0x7ffd9b014708,0x7ffd9b014718
    msedge.exe (PID 4024)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
    msedge.exe (PID 1272)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe (PID 3544)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    msedge.exe (PID 436)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    msedge.exe (PID 2420)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    msedge.exe (PID 5076)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
    msedge.exe (PID 2744)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
    identity_helper.exe (PID 5016)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
    identity_helper.exe (PID 3548)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe (PID 4420)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
    msedge.exe (PID 792)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    msedge.exe (PID 1796)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    msedge.exe (PID 1048)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    msedge.exe (PID 2080)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5968521147827679164,2408372528793691794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

CompPkgSrv.exe (PID 696)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 1588)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

rundll32.exe (PID 3992)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads