| Field | Value |
|---|---|
| File name: | Solara V3.1.exe |
| Full analysis: | https://app.any.run/tasks/716ad994-090c-48ea-b340-2397479360c3 |
| Verdict: | Malicious activity |
| Threats: | Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. |
| Analysis date: | August 17, 2024, 21:22:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
| MD5: | 24E180584C4CFDE257C20DAB08F58CD6 |
| SHA1: | 9E657BA36A9CB9CE6150CFFFEAB8911B9FD524D2 |
| SHA256: | 63A6E5F571E5A68ABB14C08B1A44DEF5FAE8808EC3DE7DD6AE3461D6BFB92F67 |
| SSDEEP: | 196608:ZxrQtdgQ5/EjYhvPDY6PoyLojNhrAGdnaHxLjFbWXL7ISq1OCDhgxKl+n9KBS3TE:s3pagkBhXaHS5qrDb30TqgM28 |
| Extension | Detected type | Score |
|---|---|---|
| .exe | Win64 Executable (generic) | 87.3 |
| .exe | Generic Win/DOS Executable | 6.3 |
| .exe | DOS Executable Generic | 6.3 |
| Property | Value |
|---|---|
| MachineType: | AMD AMD64 |
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.4 |
| CodeSize: | 32256 |
| InitializedDataSize: | 46329856 |
| UninitializedDataSize: | 7680 |
| EntryPoint: | 0x12fd |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 236 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | SYSTEM | SYSTEM | Microsoft Corporation | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 320 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | SYSTEM | SYSTEM | Microsoft Corporation | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1048 | sc stop WaaSMedicSvc | C:\Windows\System32\sc.exe | — | cmd.exe | SYSTEM | SYSTEM | Microsoft Corporation | Service Control Manager Configuration Tool | 1062 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1680 | powercfg /x -hibernate-timeout-ac 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | SYSTEM | SYSTEM | Microsoft Corporation | Power Settings Command-Line Tool | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1964 | C:\WINDOWS\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | C:\Windows\System32\cmd.exe | | explorer.exe | SYSTEM | SYSTEM | Microsoft Corporation | Windows Command Processor | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2204 | powercfg /x -standby-timeout-dc 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | admin | HIGH | Microsoft Corporation | Power Settings Command-Line Tool | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2228 | powercfg /x -standby-timeout-dc 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | SYSTEM | SYSTEM | Microsoft Corporation | Power Settings Command-Line Tool | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | NETWORK SERVICE | SYSTEM | Microsoft Corporation | Host Process for Windows Services | | 10.0.19041.1 (WinBuild.160101.0800) |
| 2272 | sc stop dosvc | C:\Windows\System32\sc.exe | — | cmd.exe | admin | HIGH | Microsoft Corporation | Service Control Manager Configuration Tool | 1062 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2536 | C:\WINDOWS\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc | C:\Windows\System32\cmd.exe | | explorer.exe | SYSTEM | SYSTEM | Microsoft Corporation | Windows Command Processor | 1062 | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 7128 | powershell.exe | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 7128 | powershell.exe | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 7128 | powershell.exe | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 7128 | powershell.exe | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6316 | Solara V3.1.exe | C:\Program Files\Google\Chrome\updater.exe | — | — | — |
| 6228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 227E059F5F4CB877120A8AEDE5154B20 | 98B1084B51B8D73495C98C1C84E166DCCCAF182738924237429808FEFDA6897E |
| 7128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_oqbvrczz.u4c.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bnc1gw4y.l3h.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rdm0mnow.yfj.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6316 | Solara V3.1.exe | C:\Users\admin\AppData\Local\Temp\lrawooqqncrp.xml | xml | 546D67A48FF2BF7682CEA9FAC07B942E | EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A |
| 7128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_nwf04laz.r23.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_irmhmir3.a5p.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_oa2nabsf.dpi.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7092 | updater.exe | C:\Windows\Temp\lrawooqqncrp.xml | xml | 546D67A48FF2BF7682CEA9FAC07B942E | EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 104.126.37.161:443 | https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=gb&setlang=en-us | unknown | binary | 578 b | — |
| — | — | POST | 204 | 104.126.37.153:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | — |
| — | — | GET | 200 | 104.126.37.163:443 | https://th.bing.com/th?id=ODSWG.a63c4ede-672e-4b0b-b035-e0f9aa973fce&c=1&rs=1&p=0 | unknown | image | 1.05 Kb | — |
| — | — | GET | 200 | 104.126.37.145:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.36 Kb | — |
| — | — | GET | 200 | 104.126.37.136:443 | https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=GB&setlang=en-us&clientDateTime=8%2F17%2F2024%2C%209%3A25%3A16%20PM | unknown | text | 139 Kb | — |
| — | — | GET | 200 | 104.126.37.145:443 | https://th.bing.com/th?id=OCGE.9pmdcq52j3hj_v4_main&w=86&h=86&c=1&rs=1&p=0 | unknown | image | 18.4 Kb | — |
| — | — | GET | 200 | 104.126.37.123:443 | https://th.bing.com/th?id=OBTQ.BT8A637C4771E9805EA03709A47C002080434E29E39CB57E1B0082756FF1EF1CFC&w=124&h=154&c=1&rs=1&p=0 | unknown | image | 4.81 Kb | — |
| — | — | POST | 200 | 52.182.143.209:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | unknown | — | — | — |
| — | — | GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=ODSWG.f1fae55d-6e2a-421d-ac5e-0dd33e4571df&w=124&h=154&c=1&rs=1&p=0 | unknown | image | 6.24 Kb | — |
| — | — | GET | 200 | 104.126.37.145:443 | https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w | unknown | s | 21.4 Kb | — |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| — | — | 239.255.255.250:1900 | — | — | — | whitelisted |
| — | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 6436 | explorer.exe | 95.179.241.203:443 | pool.hashvault.pro | AS-CHOOPA | DE | unknown |
| 6436 | explorer.exe | 45.76.89.70:443 | pool.hashvault.pro | AS-CHOOPA | DE | unknown |
| 5336 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | unknown |
| 5336 | SearchApp.exe | 104.126.37.153:443 | th.bing.com | Akamai International B.V. | DE | unknown |
| 5336 | SearchApp.exe | 52.182.143.209:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| pool.hashvault.pro | — | whitelisted |
| www.bing.com | — | whitelisted |
| th.bing.com | — | whitelisted |
| browser.pipe.aria.microsoft.com | — | whitelisted |
| r.bing.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2256 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 6436 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |