Analysis Overview
SHA256
38a9ddba74d032618c410df6e10e289b45a12b015b7469f09d0842c8135d625c
Threat Level: Likely malicious
The file Solar DDoS .exe was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Uses Task Scheduler COM API
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:31
Reported
2024-04-06 23:44
Platform
win11-20240221-en
Max time kernel
455s
Max time network
750s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kos\$77kos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\kos\\$77kos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\kos\$77kos.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kos\$77kos.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe
"C:\Users\Admin\AppData\Local\Temp\Solar DDoS .exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAC4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\kos\$77kos.exe
"C:\Users\Admin\AppData\Roaming\kos\$77kos.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77kos.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77kos.exe" /TR "C:\Users\Admin\AppData\Roaming\kos\$77kos.exe \"\$77kos.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77kos.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "kos_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 162.238.154.3:9999 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/3828-0-0x00000000007B0000-0x00000000007C0000-memory.dmp
memory/3828-1-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
memory/3828-2-0x000000001C4C0000-0x000000001C4D0000-memory.dmp
memory/3828-3-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBAC4.tmp.bat
| MD5 | e82027de50eba6aa53231c8367c5f4e8 |
| SHA1 | 92c584517d6c251ba371ecd5321adedc5f634d35 |
| SHA256 | 62d33aa832c4c175a97b1553f68a447fd8106c595648712ab3ac4f0918d69ebf |
| SHA512 | d1595a13580bc2c342aca35f86725fd32cdf681f4cbe3f9d6d3de85728777dade19acd2cd1c3dad162d228208bfafd1e45502017788ddf46c25310b7400f841e |
memory/3828-9-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\kos\$77kos.exe
| MD5 | d27af5bf398e286fe09e1a17a825fce7 |
| SHA1 | 4e329e946f25b81e3ac5bd2da916f3af8f11c429 |
| SHA256 | 38a9ddba74d032618c410df6e10e289b45a12b015b7469f09d0842c8135d625c |
| SHA512 | 12bdfdf3ee0d0034539648f69d328138a170a4822aefd4740d4902452184b36ccb09d9997ede49dd73e9ccfb6e6e42ca42b967cbb7ae4e4211d47d26adfce248 |
memory/1880-13-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
memory/1880-14-0x000000001BDD0000-0x000000001BDE0000-memory.dmp
memory/4120-15-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
memory/4120-16-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp
memory/4120-25-0x000001BAB0530000-0x000001BAB0552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml0dgjnm.cmo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4120-26-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp
memory/4120-27-0x000001BAB05E0000-0x000001BAB05F0000-memory.dmp
memory/4120-30-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
memory/1880-31-0x00007FFC22E30000-0x00007FFC238F2000-memory.dmp
memory/1880-32-0x000000001BDD0000-0x000000001BDE0000-memory.dmp