| File name: | SolaraV3.dll |
| Full analysis: | https://app.any.run/tasks/7a831ae1-196e-4122-b588-45eef18916cf |
| Verdict: | Malicious activity |
| Analysis date: | October 03, 2024, 03:01:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| MD5: | 004327062FD3EDC40CD4F9A8D483B609 |
| SHA1: | 107FAF407891F04E66B9E4E193DA2BF76F38E92D |
| SHA256: | 6E905CEB8B5392B2C9B5A4F310309C8A8FFD1B1BEE4F07EF7EF98F350EB0963F |
| SSDEEP: | 98304:EhLDaePOgHxRijiQPFqhBWMwY3KNiMWeo32PYq1DxHgPhS+CJbi60kiB4A4jP6FX:KMO1O6i0bzoPu |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes application which crashes
- rundll32.exe (PID: 608)
The process creates files with name similar to system file names
- WerFault.exe (PID: 5152)
INFO
Checks proxy server information
- WerFault.exe (PID: 5152)
Reads the software policy settings
- WerFault.exe (PID: 5152)
Creates files or folders in the user directory
- WerFault.exe (PID: 5152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:08:10 15:58:58+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, DLL |
| PEType: | PE32+ |
| LinkerVersion: | 14.39 |
| CodeSize: | 4978688 |
| InitializedDataSize: | 1795584 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc8e058 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
124
Monitored processes
2
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 608 | "C:\WINDOWS\System32\rundll32.exe" C:\Users\admin\Desktop\SolaraV3.dll, #1 | C:\Windows\System32\rundll32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 3 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5152 | C:\WINDOWS\system32\WerFault.exe -u -p 608 -s 724 | C:\Windows\System32\WerFault.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 417
Read events
6 417
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sol_13cabc6c57b5c7fcc7963ca2fd60a6c4df642_58144731_d6800d49-0bee-4131-a397-8b7544d953c4\Report.wer | — | |
MD5:— | SHA256:— | |||
| 5152 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\rundll32.exe.608.dmp | — | |
MD5:— | SHA256:— | |||
| 5152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER65BD.tmp.WERInternalMetadata.xml | xml | |
MD5:AA3BB0FBB6B7BD5FADDF4F7B4F845E58 | SHA256:7110CA8F0121D097D6124CBF06E498F0AC25CE43C887129CCBFB441B2F32A192 | |||
| 5152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER65DD.tmp.xml | xml | |
MD5:5C452B3A2D45201AF2D34839C0DD5EEA | SHA256:8DA7238DECA510CD8A8BDB201859AB69B0F0192AB9051DF0F22A7CF66DC9D3BA | |||
| 5152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER64F1.tmp.dmp | binary | |
MD5:F3193D536362BCDACF0F7524E8D4A5B8 | SHA256:D8CFB6822BC1AA5B54B62844A89EE47813807AA321D8105655487ED2D9D3C706 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
27
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5000 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5000 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
608 | rundll32.exe | 172.67.203.125:443 | getsolara.dev | CLOUDFLARENET | US | malicious |
5000 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5152 | WerFault.exe | 20.189.173.20:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
getsolara.dev |
| malicious |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |