| download: | /Rederax01/Solara-Executor/releases/download/v2.1/Solara.zip |
| Full analysis: | https://app.any.run/tasks/6bb7f59c-9429-4948-aa48-6fafb89b3235 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 28, 2024, 18:17:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | CAEFBAC898BE006F73F0529B77207B57 |
| SHA1: | 6C2CAE98A31C0E635ADCB47B6DA55DB4BBBC21BD |
| SHA256: | E0EFB9A458BAF57F1D729BC3569BCC53119594A08C8DC84B4C397D10C11D21E4 |
| SSDEEP: | 24576:RcPWiTwaY+DSIb24Go/3uvxTooTz6D9Jf7sX:RcPWCwaYiSIb24Go/3uvxTooTz6D9Jfc |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3392)
- luajit.exe (PID: 3092)
Connects to the CnC server
- luajit.exe (PID: 3092)
SMARTLOADER has been detected (SURICATA)
- luajit.exe (PID: 3092)
Uses Task Scheduler to run other applications
- luajit.exe (PID: 3092)
SUSPICIOUS
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 2440)
- cmd.exe (PID: 3336)
Reads the Internet Settings
- cmd.exe (PID: 2440)
- wscript.exe (PID: 996)
- luajit.exe (PID: 3092)
The process executes VB scripts
- cmd.exe (PID: 2440)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 996)
Executing commands from a ".bat" file
- wscript.exe (PID: 996)
Runs shell command (SCRIPT)
- wscript.exe (PID: 996)
Reads security settings of Internet Explorer
- luajit.exe (PID: 3092)
Checks Windows Trust Settings
- luajit.exe (PID: 3092)
Reads settings of System Certificates
- luajit.exe (PID: 3092)
Checks for external IP
- luajit.exe (PID: 3092)
Executable content was dropped or overwritten
- luajit.exe (PID: 3092)
Connects to the server without a host name
- luajit.exe (PID: 3092)
Adds/modifies Windows certificates
- luajit.exe (PID: 3092)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 3332)
- luajit.exe (PID: 3092)
Checks supported languages
- wmpnscfg.exe (PID: 3332)
- luajit.exe (PID: 3092)
- luajit.exe (PID: 4012)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3392)
Manual execution by a user
- notepad++.exe (PID: 3192)
- wmpnscfg.exe (PID: 3332)
- notepad++.exe (PID: 2956)
- cmd.exe (PID: 2440)
- luajit.exe (PID: 4012)
Checks proxy server information
- luajit.exe (PID: 3092)
Reads the machine GUID from the registry
- luajit.exe (PID: 3092)
Creates files or folders in the user directory
- luajit.exe (PID: 3092)
Creates files in the program directory
- luajit.exe (PID: 3092)
Reads the software policy settings
- luajit.exe (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:06:01 00:36:18 |
| ZipCRC: | 0x510e1df6 |
| ZipCompressedSize: | 76270 |
| ZipUncompressedSize: | 160045 |
| ZipFileName: | conf |
Total processes
58
Monitored processes
12
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 996 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" | C:\Windows\System32\wscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2080 | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2136 | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2440 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Launcher.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2956 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Launcher.bat" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 3092 | luajit.exe conf | C:\Users\admin\Desktop\luajit.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 3192 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Launcher.bat" "C:\Users\admin\Desktop\lua51.dll" "C:\Users\admin\Desktop\luajit.exe" "C:\Users\admin\Desktop\conf" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 3332 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3336 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\Desktop\Launcher.bat | C:\Windows\System32\cmd.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3392 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Solara.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
14 238
Read events
14 122
Write events
106
Delete events
10
Modification events
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Solara.zip | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3392) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
4
Suspicious files
14
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.49084\luajit.exe | executable | |
MD5:DD98A43CB27EFD5BCC29EFB23FDD6CA5 | SHA256:1CF20B8449EA84C684822A5E8AB3672213072DB8267061537D1CE4EC2C30C42A | |||
| 3392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.49084\conf | binary | |
MD5:BDEC530C93A6D9DEA9FB4EA147F1F44C | SHA256:4464BE92E1A9C00E808FE6913AFE721743E3E5F7693EDB944499E3700EA6A308 | |||
| 3192 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:75DAF0C838CA0F9DAA89D4074A504E1B | SHA256:97901B6DEF410AA997B0E91A0FD0947EB3A26B7D5C83FD7228FDE04F981AC53C | |||
| 3392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.49084\lua51.dll | executable | |
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88 | SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60 | |||
| 2440 | cmd.exe | C:\Users\admin\AppData\Local\Temp\getadmin.vbs | text | |
MD5:D14A6C18536B08C2D91CC10129CEC2CA | SHA256:88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D | |||
| 3092 | luajit.exe | C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf | binary | |
MD5:BDEC530C93A6D9DEA9FB4EA147F1F44C | SHA256:4464BE92E1A9C00E808FE6913AFE721743E3E5F7693EDB944499E3700EA6A308 | |||
| 3192 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:E411038CB522ACE29E3EEB9AAE1E52CF | SHA256:93E5EFE56C30898CACC18863AD09007816E5455F4833D561D82A83C9757CE472 | |||
| 3092 | luajit.exe | C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\lua51.dll | executable | |
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88 | SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60 | |||
| 3092 | luajit.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].json | binary | |
MD5:49722A290DC6AFDE289B50278B0EE604 | SHA256:E661EBDE7612D1047D3BBE405DD895941817D88B9840A6B928BBA42E94E5A5CF | |||
| 3092 | luajit.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C | binary | |
MD5:B7ACB791FC30F01B9C3791F62F641D57 | SHA256:107C3FC9C586F563933E094E2B3083BEB4BFD305A70E4AE6B412B60A016EF1DB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
22
DNS requests
12
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 23.50.131.211:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
3092 | luajit.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | — | — | unknown |
3092 | luajit.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 23.50.131.203:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | — | — | unknown |
3092 | luajit.exe | GET | 301 | 140.82.121.4:80 | http://github.com/user-attachments/files/16020023/gid.txt | unknown | — | — | unknown |
3092 | luajit.exe | PUT | 200 | 194.87.199.37:80 | http://194.87.199.37/api/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
3092 | luajit.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | unknown | — | — | unknown |
3092 | luajit.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2564 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1372 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1372 | svchost.exe | 23.50.131.211:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3092 | luajit.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ip-api.com |
| shared |
ocsp.digicert.com |
| whitelisted |
github.com |
| shared |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3092 | luajit.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
3092 | luajit.exe | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |
3092 | luajit.exe | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|