Analysis
max time kernel: 92s
max time network: 191s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25/06/2024, 23:49
Static task: static1
Behavioral task: behavioral1
  Sample: TheBestSolarafixer.bat
  Resource: win10v2004-20240611-en
  16 signatures, 300 seconds
Behavioral task: behavioral2
  Sample: TheBestSolarafixer.bat
  Resource: win11-20240508-en
  7 signatures, 300 seconds
General
Target: TheBestSolarafixer.bat
Size: 133B
MD5: 9b12b6d3946df1e0dc933af1a554f71f
SHA1: 120aa2a6cfd106482ab65b2791fef2a7106ebb70
SHA256: 28a28ea694decd19f7c4b69e4a8319222e304c16d9b2e8275c6a217ede1e3066
SHA512: 6c812f5b9ca1a2cba133b69c42162b55bb16f91a7e3ad7cc16ac73123e51aa8cc1f786ad939d5f2c88cab704f5102973d469310febe5714ed45395a67f50a3c1
Score: 8/10
Malware Config
Signatures
Drops file in Drivers directory (64 IoCs)
Description: File opened for modification. Process: cmd.exe for every entry. All paths are under \??\c:\windows\system32\drivers\:
  nsiproxy.sys
  VerifierExt.sys
  en-US\sdstor.sys.mui
  netio.sys
  SerCx2.sys
  tbs.sys
  WUDFRd.sys
  dfsc.sys
  en-US\nvmedisk.sys.mui
  kbldfltr.sys
  storufs.sys
  UMDF\en-US\idtsec.dll.mui
  umpass.sys
  wof.sys
  amdppm.sys
  en-US\EhStorTcgDrv.sys.mui
  SpatialGraphFilter.sys
  UMDF\SDFLauncher.dll
  KNetPwrDepBroker.sys
  rfcomm.sys
  processr.sys
  amdk8.sys
  en-US\ndis.sys.mui
  en-US\ws2ifsl.sys.mui
  hwpolicy.sys
  ipt.sys
  rspndr.sys
  UcmUcsiAcpiClient.sys
  ClipSp.sys
  en-US\ataport.sys.mui
  scmbus.sys
  serenum.sys
  tdx.sys
  kmpdc.sys
  mspclock.sys
  en-US\USBHUB3.SYS.mui
  wfplwfs.sys
  en-US\agilevpn.sys.mui
  en-US\tunnel.sys.mui
  en-US\wfplwfs.sys.mui
  rootmdm.sys
  WpdUpFltr.sys
  filecrypt.sys
  HidSpiCx.sys
  volume.sys
  winhvr.sys
  Dumpata.sys
  en-US\rdbss.sys.mui
  en-US\tsusbflt.sys.mui
  vmbus.sys
  acpipmi.sys
  en-US\dmvsc.sys.mui
  en-US\vhdmp.sys.mui
  en-US\wudfpf.sys.mui
  ksecdd.sys
  ndproxy.sys
  usbser.sys
  en-US\kbdclass.sys.mui
  en-US\PktMon.sys.mui
  IndirectKmd.sys
  refsv1.sys
  bridge.sys
  gpuenergydrv.sys
  mcd.sys
Manipulates Digital Signatures (2 IoCs)
Sandbox description: attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Description: File opened for modification. Process: cmd.exe.
  \??\c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll
  \??\c:\windows\system32\wintrust.dll
Caveat for this sample: the report records only that these two files under c:\windows\system32 were opened for modification; it shows no change to their contents or exports. Both sit inside the directory that the process tree shows takeown sweeping recursively, so a changed owner is at least as plausible an explanation as a patched binary, and the report does not resolve which. Verify the files' Authenticode signatures and hashes on the affected host before treating this as signature tampering.
Modifies file permissions (1 TTPs, 1 IoCs)
PID 4104, Process: takeown.exe
Drops file in System32 directory (64 IoCs)
Description: File opened for modification. Process: cmd.exe for every entry. All paths are under \??\c:\windows\system32\:
  wbem\umpnpmgr.mof
  WindowsPowerShell\v1.0\Modules\DnsClient\PS_DnsClientNrptPolicy_v1.0.0.cdxml
  DriverStore\en-US\RDCameraDriver.inf_loc
  en-US\dssec.dll.mui
  en-US\sens.dll.mui
  en-US\werui.dll.mui
  F12\F12Platform2.dll
  oobe\msoobedui.dll
  WindowsPowerShell\v1.0\Schemas\PSMaml\inlineUi.xsd
  Windows.UI.Immersive.dll
  DriverStore\en-US\display.inf_loc
  DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\NETJME.sys
  mssip32.dll
  TSTheme.exe
  usosvc.dll
  Windows.Media.Renewal.dll
  en-US\Windows.Globalization.dll.mui
  hu-HU\windows.ui.xaml.dll.mui
  AtBroker.exe
  chglogon.exe
  DriverStore\en-US\c_tapedrive.inf_loc
  DriverStore\FileRepository\NET818~1.INF\RTL8187Se.sys
  DriverStore\FileRepository\NETATH~2.INF\eeprom_qca9377_1p1_NFA425_olpc_A_BC_CBXA0.bin
  en-US\asferror.dll.mui
  mapi32.dll
  TaskSchdPS.dll
  WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\MSFT_RegistryResource.schema.mof
  en-US\consent.exe.mui
  EnterpriseAppVMgmtCSP.dll
  wci.dll
  en-US\MusNotificationUx.exe.mui
  Hydrogen\BAKEDP~1\ANIMAT~1\preseteasecurveinoutsine.hbakedcurve
  spool\tools\en-US\PrintBrmEngine.exe.mui
  tr-TR\fms.dll.mui
  tr-TR\quickassist.exe.mui
  en-US\wsepno.dll.mui
  sl-SI\msimsg.dll.mui
  Bthprops\@BthpropsNotificationLogo.png
  DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\RTL8187B.sys
  DriverStore\FileRepository\usbaudio2.inf_amd64_0dec4f8ed01fa7ee\usbaudio2.sys
  en-US\CompatTelRunner.exe.mui
  en-US\mispace.dll.mui
  en-US\workfolderssvc.dll.mui
  winevt\Logs\MIEBFF~1.EVT
  pcacli.dll
  wbem\dnsclientpsprovider_Uninstall.mof
  avrt.dll
  conhost.exe
  DriverStore\en-US\nete1g3e.inf_loc
  en-US\mssrch.dll.mui
  he-IL\WWAHost.exe.mui
  msiwer.dll
  wbem\KrnlProv.dll
  coreaudiopolicymanagerext.dll
  en-US\sysreseterr.exe.mui
  ieuinit.inf
  powercpl.dll
  PrintIsolationHost.exe
  DeviceCensus.exe
  en-US\vssadmin.exe.mui
  FXST30.dll
  recovery.dll
  spp\tokens\skus\ENTERP~1\Enterprise-OEM-NONSLP-1-ul-store-rtm.xrm-ms
  wbem\en-US\wmipdfs.mfl
Modifies termsrv.dll (1 TTPs, 1 IoCs)
Sandbox description: commonly used to allow simultaneous RDP sessions.
Description: File opened for modification. Process: cmd.exe.
  \??\c:\windows\system32\termsrv.dll
Caveat for this sample: as with the signature-related DLLs above, the report shows only an open-for-modification on a file inside the directory the process tree shows being swept recursively by takeown; it does not show termsrv.dll being patched. Compare the file's hash and signature on the host before concluding that RDP behaviour was changed.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeTakeOwnershipPrivilege; PID 4104; Process: takeown.exe
Note: enabling SeTakeOwnershipPrivilege is exactly what takeown.exe does before changing an owner. The privilege is held by Administrators, so this entry also tells you the sample ran in an elevated context; no exploit was needed for the ownership change to succeed.
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 408 (cmd.exe) wrote to memory of PID 4104 (takeown.exe), procid_target 78
  PID 408 (cmd.exe) wrote to memory of PID 4104 (takeown.exe), procid_target 78
  PID 408 (cmd.exe) wrote to memory of PID 228 (cacls.exe), procid_target 79
  PID 408 (cmd.exe) wrote to memory of PID 228 (cacls.exe), procid_target 79
Note: a parent writing into the address space of the children it has just created is normal process-start behaviour, and the sandbox records it twice per child here. On its own this is not evidence of injection; the signal in this report is the takeown command line, not these writes.
Processes
C:\Windows\system32\cmd.exe (PID 408)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheBestSolarafixer.bat"
  Signatures: Drops file in Drivers directory; Manipulates Digital Signatures; Drops file in System32 directory; Modifies termsrv.dll; Suspicious use of WriteProcessMemory
  C:\Windows\system32\takeown.exe (PID 4104, child of 408)
    Command line: takeown /f c:\windows\system32 /a /r /d y
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    Reading the flags: /f names the target, /a assigns ownership to the Administrators group instead of the invoking user, /r recurses into every file and subdirectory, and /d y pre-answers the prompt takeown raises when it lacks list permission on a subdirectory, so the sweep runs unattended. This is what moves the owner of System32 and its drivers away from NT SERVICE\TrustedInstaller, and it is the action behind the 128 "opened for modification" IoCs above.
  C:\Windows\system32\cacls.exe (PID 228, child of 408)
    Command line: cacls c:\windows\system32
    With no /e, /g, /p, /r or /d switch, cacls only displays the directory's current ACL; as recorded, this invocation changes nothing by itself.
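The detection a practitioner would want from this report is on the command line, not on the file events: takeown or icacls/cacls aimed at a TrustedInstaller-owned directory, especially recursively and unattended. The following is an added example written for this page, not part of the sandbox's output or of the sample; it runs over constructed process-creation records (the first three mirror the tree above, the last two are invented to show a benign takeown and an icacls grant), and the protected-directory list, the parent PID 1000 and the field names are assumptions.

```python
"""Flag ownership/ACL tampering against protected Windows directories in
process-creation telemetry (Sysmon event 1, EDR process events, or a sandbox
process tree like the one above). MITRE ATT&CK T1222.001.

Added example for this report; the events and the protected-directory list
below are constructed, not taken from the sandbox."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Directories owned by NT SERVICE\TrustedInstaller on a stock install.
# Constructed list for this example; extend it for your environment.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Switches that change an ACL rather than display it. The tools disagree on
# letters (/R revokes for cacls but recurses for takeown), so each is handled separately.
ICACLS_MODIFIERS = {"/grant", "/grant:r", "/deny", "/remove", "/remove:g", "/remove:d",
                    "/setowner", "/reset"}
CACLS_MODIFIERS = {"/g", "/p", "/r", "/d"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable path as logged
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_protected(path: str) -> bool:
    p = path.lower().replace("/", "\\").rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def classify(ev: ProcEvent) -> Optional[tuple[str, str]]:
    """Return (verdict, reason) for takeown/icacls/cacls aimed at a protected
    directory, or None. 'tamper' changes ownership or ACLs; 'enumerate' only lists."""
    argv = tokenize(ev.cmdline)
    if not argv:
        return None
    tool = argv[0].lower().rsplit("\\", 1)[-1]
    tool = tool[:-4] if tool.endswith(".exe") else tool
    lowered = [a.lower() for a in argv]
    switches = {a for a in lowered[1:] if a.startswith("/")}

    if tool == "takeown":
        # takeown /F <target> [/A] [/R] [/D Y|N]: /A gives ownership to Administrators,
        # /R recurses, /D Y pre-answers the prompt for unlistable subdirectories.
        if "/f" not in lowered or lowered.index("/f") + 1 >= len(argv):
            return None
        target = argv[lowered.index("/f") + 1]
        if not is_protected(target):
            return None
        detail = [f"takeown on {target}"]
        if "/r" in switches:
            detail.append("recursive")
        if "/a" in switches:
            detail.append("owner set to Administrators")
        di = lowered.index("/d") if "/d" in lowered else -1
        if di != -1 and di + 1 < len(lowered) and lowered[di + 1] == "y":
            detail.append("unattended (/d y)")
        return "tamper", "; ".join(detail)

    if tool in ("icacls", "cacls"):
        targets = [a for a in argv[1:] if not a.startswith("/")]   # path comes first
        if not targets or not is_protected(targets[0]):
            return None
        modifiers = switches & (ICACLS_MODIFIERS if tool == "icacls" else CACLS_MODIFIERS)
        if modifiers:
            return "tamper", f"{tool} on {targets[0]} with {sorted(modifiers)}"
        return "enumerate", f"{tool} listing of {targets[0]}"
    return None


def scan(events: list[ProcEvent]) -> list[dict]:
    """Classify a batch and attach the parent's command line for context
    (here: takeown launched by cmd.exe running a .bat from the user's Temp)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        result = classify(ev)
        if result is None:
            continue
        parent = by_pid.get(ev.ppid)
        hits.append({"pid": ev.pid, "verdict": result[0], "reason": result[1],
                     "parent": parent.cmdline if parent else None})
    return hits


# Constructed events: the first three mirror this report's process tree (PID 1000
# is an assumed parent for cmd.exe); the last two are invented for contrast.
SAMPLE_EVENTS = [
    ProcEvent(408, 1000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheBestSolarafixer.bat"'),
    ProcEvent(4104, 408, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32 /a /r /d y"),
    ProcEvent(228, 408, r"C:\Windows\system32\cacls.exe", r"cacls c:\windows\system32"),
    ProcEvent(5000, 1000, r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Users\Admin\Desktop\old notes.txt"'),
    ProcEvent(5001, 1000, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32 /grant Everyone:F /t"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the report's own events this yields a tamper hit for PID 4104 (recursive, Administrators owner, unattended) with the .bat-launching cmd.exe as its parent, an enumerate hit for the bare cacls at PID 228, and nothing for cmd.exe itself; the benign per-file takeown under the user's profile is ignored, while the invented icacls grant on System32 is flagged. Pair this with a host-side check that the owner of C:\Windows\System32 is still NT SERVICE\TrustedInstaller, since the ownership change persists after the sample has exited.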