Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-06-2024 11:10
General
Target: Dllhost.exe
Size: 47KB
MD5: e15052ab153401b16594f794a424d048
SHA1: 31cab904e1f3bce48ce9bac3d794771943e50588
SHA256: e32914230692a86ded5fb3da76281331b1453e44b731ad92ed5c49b5ca723946
SHA512: 12d89b33423167b5ad6aef5a1feae65b3d47abb2999a6bf3bb503b96f74b58db9adb2855cc161d58cb068851e69ff030c47327968be69ab68126ec9c13d377aa
SSDEEP: 768:8uQSNTvEEaBrWUXFd5mo2qmi8xwdH9NXSPI2CDcGT40b2j1UvGzHx9mvBDZkx:8uQSNT8572xpKHDD1vb2YGzLmZdkx
Malware Config
Extracted
Family: asyncrat
0.5.8
Default
carolina-reverse.gl.at.ply.gg:34609
DL8q7udp2Hxw
delay: 3
install: true
install_file: SolaraHoster.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource                                          yara_rule
  C:\Users\Admin\AppData\Roaming\SolaraHoster.exe   family_asyncrat

Executes dropped EXE (1 IoC)
  pid    process
  3856   SolaraHoster.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid    process
  3692   timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid    process
  4452   Dllhost.exe   (15 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   4452   Dllhost.exe
  Token: SeDebugPrivilege   3856   SolaraHoster.exe
  Token: SeDebugPrivilege   3856   SolaraHoster.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid    process       target process
  PID 4452 wrote to memory of 4608    4452   Dllhost.exe   cmd.exe            (3 events)
  PID 4452 wrote to memory of 192     4452   Dllhost.exe   cmd.exe            (3 events)
  PID 192 wrote to memory of 3692     192    cmd.exe       timeout.exe        (3 events)
  PID 4608 wrote to memory of 4356    4608   cmd.exe       schtasks.exe       (3 events)
  PID 192 wrote to memory of 3856     192    cmd.exe       SolaraHoster.exe   (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SolaraHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraHoster.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "SolaraHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraHoster.exe"'
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp854D.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\SolaraHoster.exe
      command line: "C:\Users\Admin\AppData\Roaming\SolaraHoster.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp854D.tmp.bat
  Filesize: 156B
  MD5: a74f0945740c700d2e973cb492d6ffc3
  SHA1: 60a5859e35acb1ebd3118bcdcd9ce0b7c4ee365a
  SHA256: a879d79e2c6b55e1eeee0c95f657a0c0ed6438cb0eec95e12d863cde8c106d72
  SHA512: fff86a9d572a829cec0ebc5ccfa62dc05c1c8437daa102aaf8ce7f2a29ec48c750b83b856390cd6788edf29eb344b470895e2d803ad5bc4e89d5acd3e0ee153e

C:\Users\Admin\AppData\Roaming\SolaraHoster.exe
  Filesize: 47KB
  MD5: e15052ab153401b16594f794a424d048
  SHA1: 31cab904e1f3bce48ce9bac3d794771943e50588
  SHA256: e32914230692a86ded5fb3da76281331b1453e44b731ad92ed5c49b5ca723946
  SHA512: 12d89b33423167b5ad6aef5a1feae65b3d47abb2999a6bf3bb503b96f74b58db9adb2855cc161d58cb068851e69ff030c47327968be69ab68126ec9c13d377aa

memory/3856-16-0x0000000006330000-0x000000000682E000-memory.dmp
  Filesize: 5.0MB

memory/4452-0-0x000000007343E000-0x000000007343F000-memory.dmp
  Filesize: 4KB

memory/4452-1-0x0000000000C70000-0x0000000000C82000-memory.dmp
  Filesize: 72KB

memory/4452-2-0x0000000073430000-0x0000000073B1E000-memory.dmp
  Filesize: 6.9MB

memory/4452-3-0x0000000005460000-0x00000000054C6000-memory.dmp
  Filesize: 408KB

memory/4452-4-0x0000000005940000-0x00000000059DC000-memory.dmp
  Filesize: 624KB

memory/4452-9-0x0000000073430000-0x0000000073B1E000-memory.dmp
  Filesize: 6.9MB