cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.rar
Size

2.5MB
MD5

3917140ba46745b8a852fc8c48718a78
SHA1

97000a0f43db8aaccd780feb9f9ec444dbb7ff94
SHA256

cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202
SHA512

5395b5b0cc573dba93b525db6d8630ab8eb21ac786d5850d89417608878c4be2fb1395dca66f5169a7ca26bca4cfbf26c75ed2dfb99e00b97ede211e88b9eb7d
SSDEEP

49152:+DkoW+7VTfW3zxmowokKsca1oLOgi3ZI13FwhvkhO2fEK3QeFwzt5h5Hn3YigNR:+DHWi+VMokKscGOOgeiheGOuFMh93YLn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2612 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

rundll32.exevlc.exe

pid process

2748 rundll32.exe
2612 vlc.exe
Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

vlc.exe

pid process

2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
Suspicious use of SendNotifyMessage 14 IoCs

Processes:

vlc.exe

pid process

2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
2612 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2612 vlc.exe

pid	process
2612	vlc.exe

pid	process
2748	rundll32.exe
2612	vlc.exe

pid	process
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe

pid	process
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe
2612	vlc.exe

pid	process
2612	vlc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1936 wrote to memory of 2748	1936	cmd.exe	rundll32.exe
PID 1936 wrote to memory of 2748	1936	cmd.exe	rundll32.exe
PID 1936 wrote to memory of 2748	1936	cmd.exe	rundll32.exe
PID 2748 wrote to memory of 2772	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 2772	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 2772	2748	rundll32.exe	rundll32.exe
PID 2772 wrote to memory of 2612	2772	rundll32.exe	vlc.exe
PID 2772 wrote to memory of 2612	2772	rundll32.exe	vlc.exe
PID 2772 wrote to memory of 2612	2772	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.rar
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.rar
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.rar"
4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1740

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-46-0x000000013F790000-0x000000013F888000-memory.dmp

Filesize
992KB

Download
memory/2612-47-0x000007FEF5580000-0x000007FEF55B4000-memory.dmp

Filesize
208KB

Download
memory/2612-48-0x000007FEF52C0000-0x000007FEF5576000-memory.dmp

Filesize
2.7MB

Download
memory/2612-49-0x000007FEF4020000-0x000007FEF50D0000-memory.dmp

Filesize
16.7MB

Download