Analysis
max time kernel: 20s
max time network: 21s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 13:15
Static task: static1
Behavioral task: behavioral1
Sample: Solara-V3-main/SolaraBootstrapper.exe
Resource: win7-20240419-en
General
Target: Solara-V3-main/SolaraBootstrapper.exe
Size: 3.5MB
MD5: 8b8cc7e00f4ae98288bf4b244a6ae4b3
SHA1: deed0704178afef55c873a5d124788a771d8548e
SHA256: 357ff8ff865f8a198e64f081072a8a815139b8e5014d1488671de1b43ac65d0c
SHA512: d1c0a018646ea8b43c5200809432898d8cb2e65d5dc46fc1753ea63a11fd49303a92308060291e11fefd42eb4cba0edbba4d990db30b436fde81604466eaa9ff
SSDEEP: 98304:RUYIGafAzeIA+aFMJrjhOfKBCe1xTdZHYApZx5hQX9wdc:6GaozTA+ayxjdBxjRLS5
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: feature-mouse.gl.at.ply.gg:32683
OpwzxvxwPVDjc2iN
Install_directory: %Temp%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\dso.exe: family_xworm
- behavioral2/memory/4748-60-0x0000000000BD0000-0x0000000000BE4000-memory.dmp: family_xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes (process / description / ioc):
- Solara.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (process / description / ioc):
- Solara.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Solara.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (process / description / ioc):
- SolaraBootstrapper.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
- Solara.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes (process / description / ioc):
- dso.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dso.lnk
- dso.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dso.lnk
Executes dropped EXE (4 IoCs)
Processes (pid / process):
- 4160 SolaraBootstrapper.exe
- 440 Solara.exe
- 4748 dso.exe
- 4428 DSM.exe

YARA rule match: themida
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\Solara.exe: themida
- behavioral2/memory/440-38-0x0000000000400000-0x0000000000D40000-memory.dmp: themida
- behavioral2/memory/440-39-0x0000000000400000-0x0000000000D40000-memory.dmp: themida
- behavioral2/memory/440-67-0x0000000000400000-0x0000000000D40000-memory.dmp: themida
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (process / description / ioc):
- dso.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dso.exe"

Checks whether UAC is enabled
Processes (process / description / ioc):
- Solara.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid / process):
- 440 Solara.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes (pid / process):
- 440 Solara.exe (2 entries)
- 4428 DSM.exe (23 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 4160 SolaraBootstrapper.exe
- Token: SeDebugPrivilege, 4748 dso.exe
- Token: SeDebugPrivilege, 4428 DSM.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description / pid / process / target process):
- PID 2424 wrote to memory of 4160: SolaraBootstrapper.exe -> SolaraBootstrapper.exe (3 entries)
- PID 2424 wrote to memory of 440: SolaraBootstrapper.exe -> Solara.exe (3 entries)
- PID 440 wrote to memory of 4748: Solara.exe -> dso.exe (2 entries)
- PID 440 wrote to memory of 4428: Solara.exe -> DSM.exe (2 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Solara-V3-main\SolaraBootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara-V3-main\SolaraBootstrapper.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Solara.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dso.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dso.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\DSM.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DSM.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\DSM.exe
  Filesize: 39KB
  MD5: b3501528f9225a7c79d3a66be3d46b96
  SHA1: 439194554b7f3c27827194419bf4aadce5a3660f
  SHA256: b64482d679099d51a635927f6130cb570a5156db3429d90c5e7836a43f3133fd
  SHA512: 6749f941841566b6c155d2e9164232c77984f8bc630a9b9a574eb5b099992dbfbb42b85f09c10140ba4701cf63c1a6c92b71b45eb039e43951193b9d0da05bff

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
  Filesize: 139B
  MD5: d0104f79f0b4f03bbcd3b287fa04cf8c
  SHA1: 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
  SHA256: 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
  SHA512: daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
  Filesize: 43B
  MD5: c28b0fe9be6e306cc2ad30fe00e3db10
  SHA1: af79c81bd61c9a937fca18425dd84cdf8317c8b9
  SHA256: 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
  SHA512: e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
  Filesize: 216B
  MD5: c2ab942102236f987048d0d84d73d960
  SHA1: 95462172699187ac02eaec6074024b26e6d71cff
  SHA256: 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
  SHA512: e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
  Filesize: 1KB
  MD5: 13babc4f212ce635d68da544339c962b
  SHA1: 4881ad2ec8eb2470a7049421047c6d076f48f1de
  SHA256: bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
  SHA512: 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

C:\Users\Admin\AppData\Local\Temp\Solara.exe
  Filesize: 3.5MB
  MD5: 2e0766b026ab0bf5f5753389a60ddb66
  SHA1: 57b7e98c37b500a0fc1a917298ee8d60e1b6b6ca
  SHA256: 626e4402dccea8da97f170b6c82d991e67fd617576723ae9f77014e002fad556
  SHA512: 78f2e2a8701c5ac3191de5032c0aef9bf8d0f90f17536919d8b39f48719c17e2f4a5ff7f8ecd620f79778cad981ed194f95ca369779bcbc78da8cfe03d557919

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  Filesize: 13KB
  MD5: 0cc81729f4bd4a6eac95cc442bc8df2a
  SHA1: 5d5f367e720684dd64cfb5340d9911ec0782fdac
  SHA256: 92960ae4a38d896418a14a1db5ba1547aa273443790e858d00dac4ce64550c2a
  SHA512: f6fc1fca47e4620e24652d8dc2aa88cdd7363172b31122c05d262349aeec88407a2b3fbbc4e4834c359960d4981fb9f674cfbfd9d5743dc917df72a3ebfb3c90

C:\Users\Admin\AppData\Local\Temp\dso.exe
  Filesize: 55KB
  MD5: de0f468b18c8727b40b23042ce759aee
  SHA1: 32a5cd273bf1ca869338d72fd268209622baab78
  SHA256: aadc390e9793c43fd7b8e149558e8f59a800a8d2764b0333b5a8111d982ddf75
  SHA512: 8daf550e9b2d3540921d039b9b1a41cc1fbd8ea9481f62129b3388a732cffb1c55acc0544a3c67d629a692a9dc7332dcfe14655b389f362c7884b93a1c6f85d0
Memory dumps (file / Filesize):
- memory/440-33-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/440-36-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/440-67-0x0000000000400000-0x0000000000D40000-memory.dmp: 9.2MB
- memory/440-35-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/440-34-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/440-68-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/440-31-0x0000000077180000-0x0000000077181000-memory.dmp: 4KB
- memory/440-27-0x0000000000400000-0x0000000000D40000-memory.dmp: 9.2MB
- memory/440-38-0x0000000000400000-0x0000000000D40000-memory.dmp: 9.2MB
- memory/440-39-0x0000000000400000-0x0000000000D40000-memory.dmp: 9.2MB
- memory/440-40-0x0000000005280000-0x000000000531C000-memory.dmp: 624KB
- memory/2424-28-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp: 10.8MB
- memory/2424-11-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp: 10.8MB
- memory/2424-1-0x0000000000030000-0x00000000003C2000-memory.dmp: 3.6MB
- memory/2424-0-0x00007FFF00A53000-0x00007FFF00A55000-memory.dmp: 8KB
- memory/4160-29-0x0000000074A5E000-0x0000000074A5F000-memory.dmp: 4KB
- memory/4160-71-0x0000000005C30000-0x0000000005C42000-memory.dmp: 72KB
- memory/4160-32-0x0000000077160000-0x0000000077250000-memory.dmp: 960KB
- memory/4160-30-0x0000000002BE0000-0x0000000002BEA000-memory.dmp: 40KB
- memory/4160-26-0x00000000009A0000-0x00000000009AA000-memory.dmp: 40KB
- memory/4160-1516-0x0000000074A5E000-0x0000000074A5F000-memory.dmp: 4KB
- memory/4428-66-0x0000000000890000-0x000000000089E000-memory.dmp: 56KB
- memory/4748-60-0x0000000000BD0000-0x0000000000BE4000-memory.dmp: 80KB