Malware Analysis Report

2025-03-14 22:57

Sample ID: 240406-3h44vaeb8w
Target: Solar DDoS .exe
SHA256: 38a9ddba74d032618c410df6e10e289b45a12b015b7469f09d0842c8135d625c
Tags: evasion, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 38a9ddba74d032618c410df6e10e289b45a12b015b7469f09d0842c8135d625c

Threat Level: Likely malicious

The file Solar DDoS .exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, persistence

Sets file to hidden

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Uses Task Scheduler COM API

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:31

Reported

2024-04-06 23:44

Platform

win11-20240221-en

Max time kernel

455s

Max time network

750s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\kos\\$77kos.exe\"" C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2496 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2496 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\kos\$77kos.exe
PID 2496 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\kos\$77kos.exe
PID 1880 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1880 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\System32\schtasks.exe
PID 1880 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Roaming\kos\$77kos.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe

"C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAC4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\kos\$77kos.exe

"C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77kos.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77kos.exe" /TR "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe \"\$77kos.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77kos.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "kos_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
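The command lines above form one chain: the dropper copies itself to AppData\Roaming\kos, hides that directory and file with attrib, writes a Run key, runs a dropped .bat that sleeps and relaunches the copy, and the copy then registers scheduled tasks (one with /RL HIGHEST and /IT) and adds Defender extension exclusions. The Python below is an added example, not part of the report or the sample: it encodes those behaviours as detection rules and runs them over an event list constructed from the PIDs and command lines printed in this report. The flat event schema (pid, ppid, image, cmdline, or path and value for the registry write) is an assumption for illustration rather than a real sensor format; Sysmon event IDs 1 and 13 carry the equivalent fields.

```python
"""Rule-based triage of the process chain seen in this detonation.

Added example, not part of the sandbox report or the sample. EVENTS is
CONSTRUCTED from the command lines and PIDs the report prints, using an assumed
flat schema (pid, ppid, image, cmdline / path, value) rather than a real sensor
format. The ppid of the root process is not in the report; 0 is a placeholder.
"""
import re

EVENTS = [
    {"type": "process", "pid": 3828, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe"'},
    {"type": "registry", "pid": 3828, "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r'"C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"'},
    {"type": "process", "pid": 2544, "ppid": 3828, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos"'},
    {"type": "process", "pid": 4492, "ppid": 3828, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"'},
    {"type": "process", "pid": 2496, "ppid": 3828, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAC4.tmp.bat""'},
    {"type": "process", "pid": 1864, "ppid": 2496, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    {"type": "process", "pid": 1880, "ppid": 2496, "image": r"C:\Users\Admin\AppData\Roaming\kos\$77kos.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"'},
    {"type": "process", "pid": 4292, "ppid": 1880, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /query /TN $77kos.exe'},
    {"type": "process", "pid": 1100, "ppid": 1880, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /SC ONCE /TN "$77kos.exe" /TR "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe \"\$77kos.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'},
    {"type": "process", "pid": 4120, "ppid": 1880, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'},
    {"type": "process", "pid": 4452, "ppid": 1880, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "kos_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00'},
]

# Paths a standard user can write to; persistence that launches from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def detect(events):
    """Return one (pid, ATT&CK technique, note) tuple per event that matches a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            # Run key whose value points into AppData (T1547.001).
            if "\\currentversion\\run" in ev["path"].lower() and USER_WRITABLE.search(ev["value"]):
                findings.append((ev["pid"], "T1547.001", "Run key launches binary from AppData"))
            continue
        cl, img = ev["cmdline"], ev["image"].lower()
        if img.endswith("\\attrib.exe") and re.search(r"\+[sh]\b", cl) and USER_WRITABLE.search(cl):
            findings.append((ev["pid"], "T1564.001", "attrib +s/+h on user-writable path"))
        elif img.endswith("\\schtasks.exe") and re.search(r"/create\b", cl, re.I):
            # /query is benign; only /create is scored, and only when something about it is off.
            why = [f for f in ("/RL HIGHEST", "/IT", "/F") if re.search(re.escape(f) + r"\b", cl, re.I)]
            if USER_WRITABLE.search(cl):
                why.append("action in AppData")
            if re.search(r'/TR\s+"?%[^%]+%', cl, re.I):
                why.append("unexpanded %VAR% in action")  # schtasks was not spawned via cmd, so %MyFile% stays literal
            if why:
                findings.append((ev["pid"], "T1053.005", "schtasks /create: " + ", ".join(why)))
        elif img.endswith("\\powershell.exe") and re.search(r"Set-MpPreference\b.*-Exclusion", cl, re.I):
            findings.append((ev["pid"], "T1562.001", "Defender exclusion via Set-MpPreference"))
        elif img.endswith("\\timeout.exe"):
            findings.append((ev["pid"], "T1497.003", "execution delay via timeout.exe"))
        elif img.endswith("\\cmd.exe") and re.search(r'/c\s+"*.*\\Temp\\.*\.bat', cl, re.I):
            findings.append((ev["pid"], "T1059.003", "cmd.exe runs a .bat dropped in Temp"))
    return findings


def ancestry(events, pid):
    """Walk ppid links back to the root and return the chain root-first."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    for pid, tid, note in detect(EVENTS):
        chain = " -> ".join(str(p) for p in ancestry(EVENTS, pid))
        print(f"{tid}  pid {pid:<5} chain {chain}: {note}")
```

Every finding is reported with its ancestry so the analyst sees that the Defender exclusion and the tasks come from the AppData copy (PID 1880) rather than the original dropper, which is the process an EDR would need to kill and the file it would need to quarantine. The schtasks rule deliberately ignores the two /query calls, so alerting rests on the /create invocations and the specific switches that make them abnormal.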

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 162.238.154.3:9999 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/3828-0-0x00000000007B0000-0x00000000007C0000-memory.dmp

memory/3828-1-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

memory/3828-2-0x000000001C4C0000-0x000000001C4D0000-memory.dmp

memory/3828-3-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBAC4.tmp.bat

MD5 e82027de50eba6aa53231c8367c5f4e8
SHA1 92c584517d6c251ba371ecd5321adedc5f634d35
SHA256 62d33aa832c4c175a97b1553f68a447fd8106c595648712ab3ac4f0918d69ebf
SHA512 d1595a13580bc2c342aca35f86725fd32cdf681f4cbe3f9d6d3de85728777dade19acd2cd1c3dad162d228208bfafd1e45502017788ddf46c25310b7400f841e

memory/3828-9-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\kos\$77kos.exe (same SHA256 as the submitted sample: the dropper copies itself to this path)

MD5 d27af5bf398e286fe09e1a17a825fce7
SHA1 4e329e946f25b81e3ac5bd2da916f3af8f11c429
SHA256 38a9ddba74d032618c410df6e10e289b45a12b015b7469f09d0842c8135d625c
SHA512 12bdfdf3ee0d0034539648f69d328138a170a4822aefd4740d4902452184b36ccb09d9997ede49dd73e9ccfb6e6e42ca42b967cbb7ae4e4211d47d26adfce248

memory/1880-13-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

memory/1880-14-0x000000001BDD0000-0x000000001BDE0000-memory.dmp

memory/4120-15-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

memory/4120-16-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp

memory/4120-25-0x000001BAB0530000-0x000001BAB0552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml0dgjnm.cmo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4120-26-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp

memory/4120-27-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp

memory/4120-30-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

memory/1880-31-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp

memory/1880-32-0x000000001BDD0000-0x000000001BDE0000-memory.dmp