Analysis
max time kernel: 133s
max time network: 135s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-06-2024 11:13
General
Target: Dllhost.exe
Size: 47KB
MD5: 44359c5e869c44100cfe1dd316d4f0a2
SHA1: 26f8aed6286f69c9d9884ffa1c81d931b77e94c1
SHA256: 503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115
SHA512: e3edb5700da4b86ee0ff0e5ba2aff9b2fc2b5107c449cef301c8a6117eaef68ef7b2778d20e7c03a80a44023638faf5a3f5a8536f09996bb1e88fef4ea641210
SSDEEP: 768:kuMmi+TXEFlvWUjVSNmo2qzeXUvnzy+ueMnPI80LDXBqH500bs1vY/5Z06Kg6BD4:kuMmi+TXGk2fUu+oA80HcFbs5Y/bydcx
Malware Config
Extracted
family: asyncrat
version: 0.5.8
botnet: Default
C2: carolina-reverse.gl.at.ply.gg:34609
T2iVdWpLQAd2 (field not labelled in the extraction)
delay: 3
install: true
install_file: SolaraUpdateHoster.exe
install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  yara_rule family_asyncrat: C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
Executes dropped EXE (1 IoC)
  pid 3800  SolaraUpdateHoster.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  pid 3240  timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid 4092  Dllhost.exe (15 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 4092  Dllhost.exe
  Token: SeDebugPrivilege  pid 3800  SolaraUpdateHoster.exe (2 events)
Suspicious use of WriteProcessMemory (15 IoCs)
  pid 4092 Dllhost.exe  wrote to memory of  pid 4596 cmd.exe (3 events)
  pid 4092 Dllhost.exe  wrote to memory of  pid 4308 cmd.exe (3 events)
  pid 4308 cmd.exe      wrote to memory of  pid 3240 timeout.exe (3 events)
  pid 4596 cmd.exe      wrote to memory of  pid 1856 schtasks.exe (3 events)
  pid 4308 cmd.exe      wrote to memory of  pid 3800 SolaraUpdateHoster.exe (3 events)
  Each source/target pair is a parent/child edge of the process tree below; these are the writes a parent performs while starting a child, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe  (pid 4092)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (pid 4596)
    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (pid 1856)
      cmdline: schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'
      - Scheduled Task/Job: Scheduled Task
  C:\Windows\SysWOW64\cmd.exe  (pid 4308)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6FE0.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe  (pid 3240)
      cmdline: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe  (pid 3800)
      cmdline: "C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the WriteProcessMemory table above. Image paths sit under SysWOW64 although the command lines name System32: the sample is a 32-bit process (arch:x86 tag), so WOW64 file-system redirection applies to the children it starts. The chain is the standard AsyncRAT installer: register an onlogon task with /rl highest pointing at the install path, drop a batch file that waits (timeout 3, matching delay 3 in the config) and then start the copy from %AppData%.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp6FE0.tmp.bat
  Filesize: 162B
  MD5: d80286cd1d92e7638f2081497541bff7
  SHA1: 483d8704f1c984649622bd8caa9b10d243bddb3f
  SHA256: 4c3d0069686ceffbaec6a47b51dd855f371c7e5b4cb504c07f68190fd804c20d
  SHA512: ffac814581c3e74fca6edf01d332f58fcca6b2f9e7e9663f28cde7a562df284020e07cc24da7f0b301165144c381c8a6c7197ee02ab69ae89097ce9a0fba46c1
C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
  Filesize: 47KB
  MD5: 44359c5e869c44100cfe1dd316d4f0a2
  SHA1: 26f8aed6286f69c9d9884ffa1c81d931b77e94c1
  SHA256: 503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115
  SHA512: e3edb5700da4b86ee0ff0e5ba2aff9b2fc2b5107c449cef301c8a6117eaef68ef7b2778d20e7c03a80a44023638faf5a3f5a8536f09996bb1e88fef4ea641210
  Size and all four hashes are identical to the submitted Dllhost.exe: the installer copies itself to %AppData% rather than dropping a separate second-stage payload, so the file hashes above are the only file IoC for both the initial and the persisted binary.
memory/3800-16-0x0000000006320000-0x000000000681E000-memory.dmp  Filesize: 5.0MB
memory/3800-17-0x0000000006B20000-0x0000000006B96000-memory.dmp  Filesize: 472KB
memory/3800-18-0x0000000006AB0000-0x0000000006B14000-memory.dmp  Filesize: 400KB
memory/3800-19-0x0000000006C10000-0x0000000006C2E000-memory.dmp  Filesize: 120KB
memory/4092-0-0x0000000073A0E000-0x0000000073A0F000-memory.dmp  Filesize: 4KB
memory/4092-1-0x0000000000070000-0x0000000000082000-memory.dmp  Filesize: 72KB
memory/4092-2-0x0000000073A00000-0x00000000740EE000-memory.dmp  Filesize: 6.9MB
memory/4092-3-0x0000000004860000-0x00000000048C6000-memory.dmp  Filesize: 408KB
memory/4092-4-0x0000000004D30000-0x0000000004DCC000-memory.dmp  Filesize: 624KB
memory/4092-9-0x0000000073A00000-0x00000000740EE000-memory.dmp  Filesize: 6.9MB