Analysis Overview
SHA256
503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115
Threat Level: Known bad
The file Dllhost.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Async RAT payload
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-21 11:13
Signatures
Async RAT payload
Asyncrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 11:13
Reported
2024-06-21 11:15
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Signatures
AsyncRat
Async RAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6FE0.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'
C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | carolina-reverse.gl.at.ply.gg | udp |
| US | 147.185.221.20:34609 | carolina-reverse.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.20:34609 | carolina-reverse.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp6FE0.tmp.bat
| MD5 | d80286cd1d92e7638f2081497541bff7 |
| SHA1 | 483d8704f1c984649622bd8caa9b10d243bddb3f |
| SHA256 | 4c3d0069686ceffbaec6a47b51dd855f371c7e5b4cb504c07f68190fd804c20d |
| SHA512 | ffac814581c3e74fca6edf01d332f58fcca6b2f9e7e9663f28cde7a562df284020e07cc24da7f0b301165144c381c8a6c7197ee02ab69ae89097ce9a0fba46c1 |
C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
| MD5 | 44359c5e869c44100cfe1dd316d4f0a2 |
| SHA1 | 26f8aed6286f69c9d9884ffa1c81d931b77e94c1 |
| SHA256 | 503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115 |
| SHA512 | e3edb5700da4b86ee0ff0e5ba2aff9b2fc2b5107c449cef301c8a6117eaef68ef7b2778d20e7c03a80a44023638faf5a3f5a8536f09996bb1e88fef4ea641210 |