Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21-06-2024 11:14
Static task: static1
General

Target: XSolaraBoostraper.exe
Size: 897KB
MD5: 9726caf5c97e4fa4729e053b90aaf022
SHA1: ecdcfe0c4160de078339c46ed18ae224a6e4e95b
SHA256: 983a63b1512fde7fa38311ecffb3c95ee6c65a9cf1146da42d80d22b55ea6507
SHA512: 13461b63c230c2cdd913296e9a687380f8d17d2f94ef1f5067b9a5341c16ded897faaa6646e7d703aa81fb3e29e0dd62a9992f59dfdeda161635ff660d6fd29b
SSDEEP: 12288:L4VR00Rn1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:L9O1mzgH385QojA1j855xSHI
Malware Config

Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: carolina-reverse.gl.at.ply.gg:34609
Mutex: T2iVdWpLQAd2
delay: 3
install: true
install_file: SolaraUpdateHoster.exe
install_folder: %AppData%

Notes: install_file and install_folder match the scheduled-task target C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe and the dropped copy seen in the process tree. The C2 hostname is under ply.gg, the playit.gg tunnelling service, so the address is a relay endpoint rather than the operator's own server; blocking it cuts this tunnel only.
Signatures

Async RAT payload 1 IoCs
resource                                     yara_rule
\Users\Admin\AppData\Local\Temp\DLLHOST.EXE  family_asyncrat
-
Executes dropped EXE 3 IoCs
pid   process
2168  DLLHOST.EXE
2472  SOLARABOOTSTRAPPER.EXE
300   SolaraUpdateHoster.exe
-
Loads dropped DLL 11 IoCs
pid   process                rows
1908  XSolaraBoostraper.exe  2
1748  cmd.exe                1
2040  MsiExec.exe            2
1420  MsiExec.exe            1
2788  WerFault.exe           5
-
Blocklisted process makes network request 4 IoCs
flow  pid  process
11    284  msiexec.exe
12    284  msiexec.exe
14    284  msiexec.exe
16    284  msiexec.exe
All four flows belong to the Windows Installer service instance (PID 284) while it installs node-v18.16.0-x64.msi from %Temp% on behalf of SOLARABOOTSTRAPPER.EXE. Compare that package's SHA256 (listed under Downloads) with the Node.js release checksums before counting this traffic, or the MSI itself, as part of the payload.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                    process
File opened (read-only)  \??\A: through \??\Z:  msiexec.exe
Every drive letter except C:, D: and F: appears twice (23 letters, once per msiexec.exe instance), which gives the 46 IoCs.
-
Drops file in Windows directory 5 IoCs
description                   ioc                               process
File opened for modification  C:\Windows\Installer\MSI2B0C.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2B8A.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2BAA.tmp  msiexec.exe
File created                  C:\Windows\Installer\f762701.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\f762701.msi  msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  process       target process
2788  2472        WerFault.exe  SOLARABOOTSTRAPPER.EXE
-
Delays execution with timeout.exe 1 IoCs
pid  process
888  timeout.exe
-
Modifies system certificate store
description       ioc                                                                                                                  process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        SOLARABOOTSTRAPPER.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data removed]  SOLARABOOTSTRAPPER.EXE  (3 rows)
Writes under AuthRoot\Certificates, paired with the CryptnetUrlCache files listed under Downloads, are consistent with the automatic root-certificate update that Windows performs on an outbound TLS connection. Check the thumbprint against the Microsoft CTL before treating this as trust-store tampering by the sample.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
IoC (PID 2776, see process tree): schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'
The task runs at every logon with the highest run level available to the user and points at the install_file/install_folder location from the extracted config.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   process                 rows
2472  SOLARABOOTSTRAPPER.EXE  2
2168  DLLHOST.EXE             3
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
pid   process                 token(s)
2472  SOLARABOOTSTRAPPER.EXE  SeDebugPrivilege
2168  DLLHOST.EXE             SeDebugPrivilege
1000  msiexec.exe             SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 rows)
284   msiexec.exe             SeRestorePrivilege x5, SeTakeOwnershipPrivilege x5, SeSecurityPrivilege (11 rows)
300   SolaraUpdateHoster.exe  SeDebugPrivilege x2
The msiexec.exe rows belong to the node-v18.16.0-x64.msi install; the rows specific to this sample are the SeDebugPrivilege requests from the three dropped executables (DLLHOST.EXE, SOLARABOOTSTRAPPER.EXE, SolaraUpdateHoster.exe).
-
Suspicious use of WriteProcessMemory 54 IoCs
writer pid  writer process          target pid  target process          rows
1908        XSolaraBoostraper.exe   2168        DLLHOST.EXE             4
1908        XSolaraBoostraper.exe   2472        SOLARABOOTSTRAPPER.EXE  4
2168        DLLHOST.EXE             2580        cmd.exe                 4
2168        DLLHOST.EXE             1748        cmd.exe                 4
2580        cmd.exe                 2776        schtasks.exe            4
1748        cmd.exe                 888         timeout.exe             4
2472        SOLARABOOTSTRAPPER.EXE  1000        msiexec.exe             7
1748        cmd.exe                 300         SolaraUpdateHoster.exe  7
284         msiexec.exe             2040        MsiExec.exe             5
284         msiexec.exe             1420        MsiExec.exe             7
2472        SOLARABOOTSTRAPPER.EXE  2788        WerFault.exe            4
Every row is a write from a parent into a process it had just started, which is how CreateProcess sets up a child (environment block, startup data); none of the targets is an unrelated process.
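The WriteProcessMemory signature fires on ordinary process creation as readily as on injection, so the useful question is whether each target is a child of the writer. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "PID x wrote to memory of y" format, joins them with the process tree from the Processes section (copied here as PROCESS_TREE), and labels each write as parent-to-child creation or as a cross-process write worth investigating. The final event line is constructed to exercise the second branch; everything else is taken from this report.

```python
"""Separate parent-to-child memory writes from cross-process writes.

Added example, not part of the report. Event lines follow the report's
WriteProcessMemory row format; PROCESS_TREE is copied from the Processes section.
"""
import re
from collections import Counter

# pid -> (parent pid, image). Roots (parent None): the submitted sample and the
# Windows Installer service host started with /V.
PROCESS_TREE = {
    1908: (None, "XSolaraBoostraper.exe"),
    2168: (1908, "DLLHOST.EXE"),
    2472: (1908, "SOLARABOOTSTRAPPER.EXE"),
    2580: (2168, "cmd.exe"),
    1748: (2168, "cmd.exe"),
    2776: (2580, "schtasks.exe"),
    888: (1748, "timeout.exe"),
    300: (1748, "SolaraUpdateHoster.exe"),
    1000: (2472, "msiexec.exe"),
    2788: (2472, "WerFault.exe"),
    284: (None, "msiexec.exe"),
    2040: (284, "MsiExec.exe"),
    1420: (284, "MsiExec.exe"),
}

# One row per writer/target pair from the report (the report repeats each pair
# several times) plus a CONSTRUCTED last line: a write from DLLHOST.EXE into the
# installer service, which is what injection looks like in this row format.
EVENTS = """\
PID 1908 wrote to memory of 2168 1908 XSolaraBoostraper.exe DLLHOST.EXE
PID 1908 wrote to memory of 2472 1908 XSolaraBoostraper.exe SOLARABOOTSTRAPPER.EXE
PID 2168 wrote to memory of 2580 2168 DLLHOST.EXE cmd.exe
PID 2168 wrote to memory of 1748 2168 DLLHOST.EXE cmd.exe
PID 2580 wrote to memory of 2776 2580 cmd.exe schtasks.exe
PID 1748 wrote to memory of 888 1748 cmd.exe timeout.exe
PID 1748 wrote to memory of 300 1748 cmd.exe SolaraUpdateHoster.exe
PID 2472 wrote to memory of 1000 2472 SOLARABOOTSTRAPPER.EXE msiexec.exe
PID 2472 wrote to memory of 2788 2472 SOLARABOOTSTRAPPER.EXE WerFault.exe
PID 284 wrote to memory of 2040 284 msiexec.exe MsiExec.exe
PID 284 wrote to memory of 1420 284 msiexec.exe MsiExec.exe
PID 2168 wrote to memory of 284 2168 DLLHOST.EXE msiexec.exe
"""

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_events(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def classify(event, tree=PROCESS_TREE):
    """'creation' when the target is a direct child of the writer, else 'cross-process'."""
    writer, target = event[0], event[1]
    parent = tree.get(target, (None, None))[0]
    return "creation" if parent == writer else "cross-process"


def triage(text, tree=PROCESS_TREE):
    """Verdict per event plus an aggregate count."""
    verdicts = [(e, classify(e, tree)) for e in parse_events(text)]
    return verdicts, Counter(v for _, v in verdicts)


if __name__ == "__main__":
    verdicts, summary = triage(EVENTS)
    for (writer, target, wimg, timg), verdict in verdicts:
        print(f"{verdict:13} {wimg} ({writer}) -> {timg} ({target})")
    print(dict(summary))
```

A parent-to-child verdict is not proof of innocence: process hollowing also writes into a child, one created suspended and then unmapped. This row format carries no creation flags, so the split only removes the bulk that CreateProcess explains; on an EDR feed, add the CREATE_SUSPENDED flag and section unmapping to the rule.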
Processes

[1] C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe  (PID 1908)
    "C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE  (PID 2168)
        "C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2580)
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"' & exit
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 2776)
                schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'
                - Scheduled Task/Job: Scheduled Task

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1748)
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\timeout.exe  (PID 888)
                timeout 3
                - Delays execution with timeout.exe

            [4] C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe  (PID 300)
                "C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE  (PID 2472)
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\msiexec.exe  (PID 1000)
            "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2788)
            C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1564
            - Loads dropped DLL
            - Program crash

[1] C:\Windows\system32\msiexec.exe  (PID 284)
    C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\MsiExec.exe  (PID 2040)
        C:\Windows\system32\MsiExec.exe -Embedding 1CA0125E8199866971F351DB27B1CE03
        - Loads dropped DLL

    [2] C:\Windows\syswow64\MsiExec.exe  (PID 1420)
        C:\Windows\syswow64\MsiExec.exe -Embedding BB52325938AA245C85DCE9A4666F3115
        - Loads dropped DLL

Indentation gives the tree depth (the report's 1⤵ to 4⤵ levels); the first line of each entry is the image path and the second its command line. PIDs are taken from the signature tables above. The submitted sample drops two executables: DLLHOST.EXE, the AsyncRAT payload, which persists itself as SolaraUpdateHoster.exe in AppData\Roaming through a logon task and a timeout-delayed batch file, and SOLARABOOTSTRAPPER.EXE, which silently installs node-v18.16.0-x64.msi and then crashes.
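The process tree above contains the four behaviours worth turning into rules rather than one-off IoCs: a file named like a Windows component (DLLHOST.EXE) running from %Temp%, a logon scheduled task with the highest run level pointing into AppData, a generated .tmp.bat launcher in %Temp%, and a silent MSI install from %Temp%. The script below is an added example and not part of the sandbox report. Its PROCESSES records are copied from the tree above with the PIDs from the signature tables; the rule names, the list of system binary names and the thresholds are my own assumptions. Each hit is walked back to its root process so that every finding is attributed to the submitted sample.

```python
"""Detection rules over a sandbox process tree.

Added example, not part of the report. PROCESSES is copied from the report's
Processes section; SYSTEM_NAMES, the rule names and thresholds are assumptions.
"""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESSES = [
    {"pid": 1908, "ppid": None, "image": TEMP + r"\XSolaraBoostraper.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe"'},
    {"pid": 2168, "ppid": 1908, "image": TEMP + r"\DLLHOST.EXE",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE"'},
    {"pid": 2580, "ppid": 2168, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest """
            r"""/tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"' & exit"""},
    {"pid": 2776, "ppid": 2580, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"""schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" """
            r"""/tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'"""},
    {"pid": 1748, "ppid": 2168, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat""'},
    {"pid": 888, "ppid": 1748, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout 3"},
    {"pid": 300, "ppid": 1748, "image": r"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'},
    {"pid": 2472, "ppid": 1908, "image": TEMP + r"\SOLARABOOTSTRAPPER.EXE",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"'},
    {"pid": 1000, "ppid": 2472, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmd": r'"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn'},
    {"pid": 2788, "ppid": 2472, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1564"},
    {"pid": 284, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 2040, "ppid": 284, "image": r"C:\Windows\system32\MsiExec.exe",
     "cmd": r"C:\Windows\system32\MsiExec.exe -Embedding 1CA0125E8199866971F351DB27B1CE03"},
    {"pid": 1420, "ppid": 284, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmd": r"C:\Windows\syswow64\MsiExec.exe -Embedding BB52325938AA245C85DCE9A4666F3115"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Windows component names that malware borrows for dropped files (assumed list).
SYSTEM_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "conhost.exe", "explorer.exe", "rundll32.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def masquerading(p):
    """T1036.005: a system binary name running from outside System32/SysWOW64."""
    return (basename(p["image"]) in SYSTEM_NAMES
            and not ntpath.dirname(p["image"]).lower().startswith(SYSTEM_DIRS))


def logon_task_into_appdata(p):
    """T1053.005: schtasks /create with a logon trigger, highest run level, AppData target."""
    cmd = p["cmd"].lower()
    return (basename(p["image"]) == "schtasks.exe" and "/create" in cmd
            and re.search(r"/sc\s+(onlogon|onstart)", cmd) is not None
            and re.search(r"/rl\s+highest", cmd) is not None
            and "\\appdata\\" in cmd)


def temp_batch_launcher(p):
    """cmd.exe running a generated .tmp.bat out of %Temp% (AsyncRAT-style install step)."""
    return (basename(p["image"]) == "cmd.exe"
            and re.search(r'\\temp\\[^"]+\.tmp\.bat', p["cmd"], re.I) is not None)


def silent_msi_from_temp(p):
    """msiexec /i ... /qn on an .msi dropped in %Temp%; verify the package hash afterwards."""
    args = p["cmd"].lower().split()
    return (basename(p["image"]) == "msiexec.exe" and "/i" in args and "/qn" in args
            and any("\\temp\\" in a and a.rstrip('"').endswith(".msi") for a in args))


RULES = {
    "T1036.005 system binary name outside System32": masquerading,
    "T1053.005 logon task with highest run level into AppData": logon_task_into_appdata,
    "Temp .tmp.bat launcher": temp_batch_launcher,
    "Silent MSI install from Temp": silent_msi_from_temp,
}


def root_of(pid, procs=PROCESSES):
    """Walk ppid links to the top of the tree so each hit is tied to its origin."""
    by_pid = {p["pid"]: p for p in procs}
    while by_pid[pid]["ppid"] is not None:
        pid = by_pid[pid]["ppid"]
    return pid


def run_rules(procs=PROCESSES):
    """Return (rule, pid, root pid) for every process that a rule matches."""
    return [(name, p["pid"], root_of(p["pid"], procs))
            for name, rule in RULES.items() for p in procs if rule(p)]


if __name__ == "__main__":
    for name, pid, root in run_rules():
        print(f"{name}: pid {pid} (root pid {root})")
```

On this tree the four rules fire once each (PIDs 2168, 2776, 1748 and 1000) and every hit resolves to root PID 1908, the submitted sample; the installer service at PID 284 and its MsiExec.exe children match nothing, which is the point of keeping the silent-MSI rule tied to a Temp path rather than to msiexec itself.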
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cf16eef62236eac156cbe2960ecf06e1
  SHA1: a50341fcb4c7cb0ad827fe0185e57ee68536f9e4
  SHA256: 5b18b3d9b673401d775630a5abf9dabcd1aba916c8ae903e3073d13ca1cc6fe0
  SHA512: 7482e5f3d8fe4fdfce18d29fef2a42cf1c72d35fd2c0439aca30a6599d332b9342f5bb5f238f6ef880f53141b0b204de2ac80357e23ddeae0f1bb6f9c731217d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (second version of the same file)
  Filesize: 342B
  MD5: 062b6606b5d6fc33cbe3b7505d571c04
  SHA1: f6eab92b1700c239e63c4a3cfa9bf32d3957d7b5
  SHA256: 2ae7502c49ddea8c2163f67c6a22e950a43871374efd33817ac76636334ec7fa
  SHA512: ef4c6cdcca8589b4e811f06ab689dada40575e556ae11a420560069919bf62c8abf801b2185d02ceaa353f7090f6135aa5d35f643be28e05b7df8c76c8cd9bc3
-
C:\Users\Admin\AppData\Local\Temp\Tar1A8A.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
  Filesize: 30.1MB
  MD5: 0e4e9aa41d24221b29b19ba96c1a64d0
  SHA1: 231ade3d5a586c0eb4441c8dbfe9007dc26b2872
  SHA256: 5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
  SHA512: e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat
  Filesize: 162B
  MD5: d6c6ccee9561c48c16b3ea7f980d3db1
  SHA1: a61e943f64d7622001294768c88c24e093795505
  SHA256: 678638abe3a0d55f9173fc75405c68624a554f57d2d55d43ed7a1c90434f805b
  SHA512: d82858e37df15598ebb45335ec5d1d4850a2e034084a71882dd9315f8fb4cbfe4e140e61dd7a52f8cb5e9605d2d92349e1f26692d6a1e4b271f96cfe54472ec8
-
C:\Windows\Installer\MSI2B0C.tmp
  Filesize: 122KB
  MD5: 9fe9b0ecaea0324ad99036a91db03ebb
  SHA1: 144068c64ec06fc08eadfcca0a014a44b95bb908
  SHA256: e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
  SHA512: 906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
C:\Windows\Installer\MSI2BAA.tmp
  Filesize: 211KB
  MD5: a3ae5d86ecf38db9427359ea37a5f646
  SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
  SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
  SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
  Filesize: 47KB
  MD5: 44359c5e869c44100cfe1dd316d4f0a2
  SHA1: 26f8aed6286f69c9d9884ffa1c81d931b77e94c1
  SHA256: 503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115
  SHA512: e3edb5700da4b86ee0ff0e5ba2aff9b2fc2b5107c449cef301c8a6117eaef68ef7b2778d20e7c03a80a44023638faf5a3f5a8536f09996bb1e88fef4ea641210
-
\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
  Filesize: 797KB
  MD5: 36b62ba7d1b5e149a2c297f11e0417ee
  SHA1: ce1b828476274375e632542c4842a6b002955603
  SHA256: 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
  SHA512: fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
memory/300-69-0x00000000012C0000-0x00000000012D2000-memory.dmp    Filesize: 72KB
-
memory/300-147-0x0000000000B90000-0x0000000000BF4000-memory.dmp   Filesize: 400KB
-
memory/2168-15-0x00000000000D0000-0x00000000000E2000-memory.dmp   Filesize: 72KB
-
memory/2168-14-0x00000000743FE000-0x00000000743FF000-memory.dmp   Filesize: 4KB
-
memory/2472-17-0x00000000743F0000-0x0000000074ADE000-memory.dmp   Filesize: 6.9MB
-
memory/2472-16-0x0000000000DA0000-0x0000000000E6E000-memory.dmp   Filesize: 824KB
-
memory/2472-146-0x00000000743F0000-0x0000000074ADE000-memory.dmp  Filesize: 6.9MB