Overview

overview

10

Static

static

3

Solaris.exe

windows10-ltsc_2021-x64

10

Resubmissions

04/04/2025, 01:22

250404-brjeysxwaz 10

04/04/2025, 01:20

250404-bqbcyszlz2 10

04/04/2025, 01:18

250404-bnzyjaxvgs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Solaris_real.zip

  • Size

    7.2MB

  • Sample

    250404-bnzyjaxvgs

  • MD5

    2c13fdab896f85fc7a87cdda76455996

  • SHA1

    886a23d58a658d740719bc56ce80780e6ad6be1f

  • SHA256

    a1f1f23d1080f1a68fb21018fab72c45b6d528c1a06a6391487c19a0c7aa2451

  • SHA512

    9fbd1ef2136f0cf0151a87c8f3bc9c72b88c1bdc4015059396e7c75fae71b8f44a87be7f556254f98d41084b973ecef9424974e2191f9cfa3ffee9d0d5b97362

  • SSDEEP

    196608:ORlEkg3BzkjoKEhgmdT4YMgBcj9sKOAOISlFk/kiMX26H:ORl+3BooHGKT446j/OoSlFCkip6H

Score
10/10
bootkitdiscoveryexecutionpersistenceupx

Malware Config

Targets

    • Target

      Solaris.exe

    • Size

      7.2MB

    • MD5

      54259a70a86ba3add0d89979e62854cd

    • SHA1

      7e4045edace566fbf9a0260d57b0f682f06a7e6b

    • SHA256

      b0433f33e6ff471fb357941a07d5262e61ed6999d8d025031c2029092f4bfacc

    • SHA512

      c553fc6aaacfc6d8bfce08e8636fd42fd98a40d6ff2c671e8ae82635894aed5c14eb50ce0fe811da89f8bc5a2a885d2a911ca086bf9a1dce290b75985d4b235d

    • SSDEEP

      196608:WRhEG05ltetqEG/gGhj8aAkF8BpM8koCeIXFark6i9y8z:WRhG5lsqP4Yj8keBBkOIXFGk638z

    Score
    10/10
    bootkitdiscoveryexecutionpersistenceupx

    • Modifies WinLogon for persistence

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks