File name: SolaraB2.zip
Full analysis: https://app.any.run/tasks/e3d92429-e9db-4ed3-adda-84c5f7f52ecb
Verdict: Malicious activity
Analysis date: June 28, 2024, 13:36:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: qrcode
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: EA418B261E24A56105A6D328B60E9CC7
SHA1: 4F89568A40FFF23B381EB1009A764CC7EAF6580C
SHA256: DA9098D4713D46C44B95758BDF17E3D2FA1633B3130C7BE47B7111132DC051FF
SSDEEP: 6144:/tRudIww5pmYY6XcHQGeWwYg17lPS3otHCsJZgTxHoJNrgnHwbqhYB2N:lRudIJ5K6XcHbKPXHCsJWsN8nQbqR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2716)
      • msiexec.exe (PID: 1764)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1764)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1160)
      • msiexec.exe (PID: 3136)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • wevtutil.exe (PID: 4316)
      • msiexec.exe (PID: 3136)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1764)
  • INFO

    • Manual execution by a user

      • SolaraBootstrapper.exe (PID: 4020)
      • SolaraBootstrapper.exe (PID: 3836)
    • Disables trace logs

      • SolaraBootstrapper.exe (PID: 3836)
    • Checks supported languages

      • SolaraBootstrapper.exe (PID: 3836)
      • msiexec.exe (PID: 1764)
      • msiexec.exe (PID: 1160)
      • msiexec.exe (PID: 4124)
      • msiexec.exe (PID: 3136)
    • Reads the computer name

      • SolaraBootstrapper.exe (PID: 3836)
      • msiexec.exe (PID: 1764)
      • msiexec.exe (PID: 4124)
      • msiexec.exe (PID: 1160)
      • msiexec.exe (PID: 3136)
    • Reads the machine GUID from the registry

      • SolaraBootstrapper.exe (PID: 3836)
      • msiexec.exe (PID: 1764)
    • Checks proxy server information

      • SolaraBootstrapper.exe (PID: 3836)
    • Creates files in a temporary directory

      • SolaraBootstrapper.exe (PID: 3836)
    • Reads Environment values

      • SolaraBootstrapper.exe (PID: 3836)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2716)
      • msiexec.exe (PID: 1764)
    • Reads the software policy settings

      • SolaraBootstrapper.exe (PID: 3836)
      • msiexec.exe (PID: 1764)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1764)
    • Application launched itself

      • msiexec.exe (PID: 1764)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:16 14:45:06
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: SolaraB2/Solara/
No data.
All screenshots are available in the full report
Total processes
151
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the behavior graph ("no specs" marks processes without recorded indicators): winrar.exe, rundll32.exe (no specs), solarabootstrapper.exe (no specs), solarabootstrapper.exe, conhost.exe (no specs), msiexec.exe (no specs), msiexec.exe, msiexec.exe (no specs), msiexec.exe (no specs), msiexec.exe (no specs), wevtutil.exe (no specs), conhost.exe (no specs), wevtutil.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
836
CMD:
"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
Path:
C:\Windows\System32\wevtutil.exe
Parent process:
wevtutil.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
PID:
1160
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding 859FCA382EB46E4B3778F81B52763FFB
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1764
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2716
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\SolaraB2.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
3136
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding E144E1DA6DF9C2758144F7BE43F1375E E Global\MSI0000
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
3720
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SolaraBootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3836
CMD:
"C:\Users\admin\Desktop\SolaraB2\Solara\SolaraBootstrapper.exe"
Path:
C:\Users\admin\Desktop\SolaraB2\Solara\SolaraBootstrapper.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
SolaraBootstrapper
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\solarab2\solara\solarabootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
4020
CMD:
"C:\Users\admin\Desktop\SolaraB2\Solara\SolaraBootstrapper.exe"
Path:
C:\Users\admin\Desktop\SolaraB2\Solara\SolaraBootstrapper.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SolaraBootstrapper
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\solarab2\solara\solarabootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
4124
CMD:
C:\Windows\System32\MsiExec.exe -Embedding DD8350DD887737EF946D26327A1D2950
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
4316
CMD:
"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
Path:
C:\Windows\SysWOW64\wevtutil.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
Total events
17 192
Read events
14 242
Write events
2 941
Delete events
9

Modification events

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\SolaraB2.zip

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop

(PID) Process: (2716) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
21
Suspicious files
946
Text files
1 322
Unknown types
21

Dropped files

PID
Process
Filename
Type
PID: 3836
Process: SolaraBootstrapper.exe
Filename: C:\Users\admin\AppData\Local\Temp\node-v18.16.0-x64.msi
Type:
MD5:
SHA256:

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\1c7a48.msi
Type:
MD5:
SHA256:

PID: 2716
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\SolaraB2\Solara\SolaraBootstrapper.exe
Type: executable
MD5: 36B62BA7D1B5E149A2C297F11E0417EE
SHA256: 8353C5ACE62FDA6ABA330FB3396E4AAB11D7E0476F815666BD96A978724B9E0C

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI81DD.tmp
Type: binary
MD5: 5A2696196EF55AB94914A7EADDA9F0E0
SHA256: BBE5C74C298BB9C83275BCAB455914EA9D1D5CA6D5054AF02FCDE09F57DFC586

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI84AC.tmp
Type: executable
MD5: 7A86CE1A899262DD3C1DF656BFF3FB2C
SHA256: B8F2D0909D7C2934285A8BE010D37C0609C7854A36562CBFCBCE547F4F4C7B0C

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\TEMP\~DF7167D6611B2A9653.TMP
Type: binary
MD5: E861201C10B208BB28F97D6A733C96FF
SHA256: FA9EE4A9B4DD847637CF39032D5F435399627DF4334A766F8D42A0C41A74707B

PID: 1764
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Type: binary
MD5: 1AC6432A61B99FF8A736169A1133DABC
SHA256: C2E13FA0EF6324626497D3FAC35A480C8A70455BFA179E0A1BE85AA3C0D906A7

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI7C8A.tmp
Type: executable
MD5: 9FE9B0ECAEA0324AD99036A91DB03EBB
SHA256: E2CCE64916E405976A1D0C522B44527D12B1CBA19DE25DA62121CF5F41D184C9

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI84EC.tmp
Type: executable
MD5: A3AE5D86ECF38DB9427359EA37A5F646
SHA256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74

PID: 1764
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: E861201C10B208BB28F97D6A733C96FF
SHA256: FA9EE4A9B4DD847637CF39032D5F435399627DF4334A766F8D42A0C41A74707B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
76
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2476
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
unknown
2476
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
314 b
unknown
2044
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
unknown
2044
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
unknown
3224
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
unknown
2624
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
unknown
1764
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
US
binary
471 b
unknown
1764
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAOO2y%2FG5AVzGnYPFRYUTIU%3D
US
binary
471 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
3396
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4524
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
2476
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2476
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2476
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
3040
OfficeClickToRun.exe
104.208.16.88:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4656
SearchApp.exe
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 104.208.16.88
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.160
  • 104.126.37.155
  • 104.126.37.131
  • 104.126.37.184
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.161
  • 104.126.37.170
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.72
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
r.bing.com
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.184
  • 104.126.37.171
  • 2.23.209.148
  • 2.23.209.140
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.177
  • 2.23.209.149
  • 2.23.209.179
  • 2.23.209.133
  • 2.23.209.176
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted

Threats

No threats detected
No debug info