Windows Analysis Report
WinX.SUNBURST.zip

Overview

General Information

Sample name: WinX.SUNBURST.zip
Analysis ID: 1411157
MD5: 31b50e5fbf4b123b6f32fc28edd0ba86
SHA1: 47b55dc480268e654ad0c7519f85fc53d06d87e2
SHA256: 8127165190392dcd41a6f55fe81e0494aaf04b717cde9f135199c2cafa170828

Detection

SUNBURST
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected SUNBURST
Drops password protected ZIP file
Machine Learning detection for dropped file
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Yara signature match
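Three of the signatures above (Drops password protected ZIP file, Drops PE files, Drops files with a non-matching file extension) are cheap to reproduce outside the sandbox. The Python below is an added example and not part of the report or of the sample: it reads the encryption flag from a ZIP's central directory without extracting anything, and checks whether extracted bytes are a PE image sitting under a name that carries no PE extension (the situation of the dropped file ce77d116..., which has no extension at all). The in-memory archive, the entry names and the PE stub are constructed fixtures; build_zip only sets the encryption bit in the headers, it does not encrypt anything.

```python
import io
import os
import struct
import zipfile
import zlib

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted (password protected)
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def build_zip(entries, encrypted=()):
    """Constructed test fixture: a minimal stored (uncompressed) ZIP in memory.

    Entries named in `encrypted` get the encryption flag set in both the local
    header and the central directory, so header-level triage reports them as
    password protected; the payload itself is not scrambled.
    """
    local_parts, central_parts, offset = [], [], 0
    for name, data in entries:
        name_b = name.encode("utf-8")
        flags = ZIP_FLAG_ENCRYPTED if name in encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(name_b), 0) + name_b + data
        # central directory header: adds version-made-by, comment len, disk, attrs, local offset
        central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                              crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central = b"".join(central_parts)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return b"".join(local_parts) + central + eocd


def zip_entry_report(zip_bytes):
    """List (name, is_encrypted, uncompressed_size) from the central directory, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & ZIP_FLAG_ENCRYPTED), zi.file_size)
                for zi in zf.infolist()]


def read_entry(zip_bytes, name, pwd=None):
    """Return the entry bytes, or None when the entry is encrypted and no (correct) password was given."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name, pwd=pwd)
        except RuntimeError:  # zipfile: "File ... is encrypted, password required" / "Bad password"
            return None


def looks_like_pe(data):
    """True if data has an MZ DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(name, data):
    """True when the bytes are a PE image but the file name does not carry a PE extension."""
    ext = os.path.splitext(name)[1].lower()
    return looks_like_pe(data) and ext not in PE_EXTENSIONS


def triage_archive(zip_bytes, extracted):
    """Both checks together: encrypted entries in the archive, PE-under-wrong-name among extracted files."""
    encrypted = [name for name, enc, _ in zip_entry_report(zip_bytes) if enc]
    mismatched = [name for name, data in extracted.items() if extension_mismatch(name, data)]
    return {"encrypted": encrypted, "pe_without_pe_extension": mismatched}


# Constructed stand-in for a dropped PE: DOS header, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
# Constructed entry names standing in for the report's dropped files (one with no extension).
SAMPLE_FILES = {"dropped_a.exe": FAKE_PE, "dropped_b": FAKE_PE, "readme.txt": b"notes"}

if __name__ == "__main__":
    archive = build_zip(list(SAMPLE_FILES.items()), encrypted={"dropped_a.exe", "dropped_b"})
    print(zip_entry_report(archive))
    print(triage_archive(archive, SAMPLE_FILES))
```

The encryption flag lives in the headers, so it is readable before any password is known; the PE check deliberately goes through e_lfanew rather than trusting the first two bytes, because "MZ" alone also matches plain DOS executables and some non-PE data.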

Classification

Name: SUNBURST
Description: FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications (the Orion Improvement Program (OIP) protocol). The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website.
Attribution:
  • APT 29
  • UNC2452
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst

AV Detection

Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe Avira: detection malicious, Label: TR/Sunburst.AH
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 Avira: detection malicious, Label: TR/Sunburst.A
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe Avira: detection malicious, Label: TR/Sunburst.AO
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe Joe Sandbox ML: detected
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb source: notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb|a source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://s.symcd.com06
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://s2.symcb.com0
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://solarwinds.s3.amazonaws.com/solarwinds/Release/MIB-Database/MIBs.zip
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://sv.symcd.com0&
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://thwackfeeds.solarwinds.com/blogs/orion-product-team-blog/rss.aspxT
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataRespo
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataT
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetLouserzed
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09L
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09T
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/documentation/kbloader.aspx?lang=
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.solarwinds.com/embedded_in_products/productLink.aspx?id=online_quote
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: https://www.solarwinds.com/documentation/kbloader.aspx?lang=
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr String found in binary or memory: https://www.solarwinds.com/embedded_in_products/productLink.aspx?id=online_quote

System Summary

Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye
Source: WinX.SUNBURST.zip.12.dr Zip Entry: encrypted
Source: WinX.SUNBURST.zip.12.dr Zip Entry: encrypted
Source: WinX.SUNBURST.zip.12.dr Zip Entry: encrypted
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ninput.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
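The APT_fnv1a_plus_extra_XOR_in_MSIL_experimental and APT_Backdoor_SUNBURST_1 matches above key on the same construct: SUNBURST hashes process, service and driver names with 64-bit FNV-1a and then XORs the result with a fixed 64-bit key before comparing it against its embedded blocklists, so the plaintext tool names never appear in the binary. The Python below is an added example written for this page, not code from the report, from the sample, or from the rule authors. The two hash constants are the standard FNV-1a values the rule names; the XOR key value is the one given in FireEye's public SUNBURST analysis and is an assumption here, since this report does not state it; lower-casing the name before hashing is this example's normalization; and the tool-name list is a constructed sample, not the backdoor's real blocklist.

```python
# Added example (not from the report): SUNBURST-style name hashing and the
# dictionary attack analysts use to turn the embedded hashes back into names.

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1

# Key applied once after the hash. Value from FireEye's public analysis;
# the report above does not state it, so treat it as an assumption.
SUNBURST_XOR_KEY = 0x5BAC903BA7D81DA7


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a 64-bit: xor each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str, key: int = SUNBURST_XOR_KEY) -> int:
    """FNV-1a 64 over the lower-cased UTF-8 name, then one final XOR with key.

    This is the 'standard fnv1a + one final XOR before RET' shape that the
    Yara rule matches independently of the key value.
    """
    return fnv1a64(name.lower().encode("utf-8")) ^ key


def build_blocklist(names):
    """Set of hashed values a SUNBURST-style sample would embed for these names."""
    return {sunburst_hash(n) for n in names}


def resolve_hashes(hashes, wordlist, key=SUNBURST_XOR_KEY):
    """Map each embedded hash back to a name by hashing every wordlist entry.

    Unresolved hashes map to None; the analyst then grows the wordlist.
    """
    table = {sunburst_hash(w, key): w for w in wordlist}
    return {h: table.get(h) for h in hashes}


# Constructed sample: process names of the kind the backdoor checks for.
# The real embedded list is longer and is not reproduced here.
SAMPLE_TOOLS = ["procexp", "procmon", "wireshark", "autoruns", "x64dbg"]


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_TOOLS)
    resolved = resolve_hashes(blocklist, SAMPLE_TOOLS + ["notepad", "chrome"])
    for h, n in sorted(resolved.items()):
        print(f"{h:016x} -> {n}")
```

Because the key is a single constant, a captured hash list is only as secret as the wordlist is incomplete: the hashes are not keyed in any cryptographic sense, which is exactly why the tool names could be recovered publicly within days of the disclosure.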
Source: classification engine Classification label: mal80.troj.winZIP@6/4@0/0
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\WinX.SUNBURST
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr Binary or memory string: SELECT AccountID, DisplayName FROM Orion.Accounts (nolock=true) WHERE ;TriggeringObjectEntityUri = '
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: Select COUNT(*) from Tree WHERE Primary = -1 AND ParentOID=@oid;
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: SELECT * INTO #Nodes FROM Nodes WHERE 1=1;
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: UPDATE [NodesData] SET {0} WHERE NodeID=@node; UPDATE [NodesStatistics] SET {1} WHERE NodeID=@node;[UPDATE [NodesData] SET {0} WHERE NodeID=@nodegUPDATE [NodesStatistics] SET {0} WHERE NodeID=@nodeeDELETE FROM ShadowNodes WHERE IPAddress=@IPAddress
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: SELECT [ArgsKey], [ArgsValue] FROM [dbo].[AuditingArguments] WITH(NOLOCK) WHERE [AuditEventID] = @AuditEventID;
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: Select DISTINCT Name, OID, Index from Tree WHERE Primary = -1 AND ParentOID=@parentOid order by index;
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: SELECT Nodes.* INTO #Nodes FROM Nodes WHERE 1=1;
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: Select TOP 1 {0} from Tree WHERE Primary = -1 AND OID=@Oid AND Description <> 'unknown';
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: SELECT TOP 1 [AccountID], [ActionTypeID] FROM [dbo].[AuditingEvents] WITH(NOLOCK) WHERE [AuditEventID] = @AuditEventID;
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\WinX.SUNBURST\" -ad -an -ai#7zMap1138:82:7zEvent30935
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\" -spe -an -ai#7zMap5700:110:7zEvent13992
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
Source: C:\Program Files\7-Zip\7zG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\7-Zip\7zG.exe Window detected: Number of UI elements: 15
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb source: notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr
Source: Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb|a source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
Source: C:\Windows\System32\OpenWith.exe TID: 7104 Thread sleep count: 63 > 30
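The three dropped files above are named by SHA-256 and were never executed in the sandbox; one of them (ce77d116...) carries no extension at all, yet it matched the SUNBURST Yara rules and contains the SolarWinds.Orion.Core.BusinessLayer.pdb path, so it is a PE regardless of its name. When triaging an archive like this one offline, the checks worth automating are: is the content a PE (MZ header whose e_lfanew points at a PE signature), does the extension agree with that, and does a hash-style filename actually match the file's SHA-256. The Python below is an added example, not code from the report or from the sandbox; the sample directory it builds, including the minimal PE-shaped blobs, is constructed for the example and contains no real executable.

```python
# Added example (not from the report): offline triage of hash-named dropped files.
import hashlib
import os
import struct
import tempfile

PE_EXTENSIONS = (".exe", ".dll", ".sys")


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_file(path: str) -> dict:
    """Hash one file and flag PE content behind a non-PE or missing extension,
    and a SHA-256-style name that does not match the file's real SHA-256."""
    with open(path, "rb") as f:
        data = f.read()
    sha256 = hashlib.sha256(data).hexdigest()
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    is_pe = looks_like_pe(data)
    hash_named = len(stem) == 64 and all(c in "0123456789abcdef" for c in stem.lower())
    return {
        "name": name,
        "sha256": sha256,
        "is_pe": is_pe,
        "ext_mismatch": is_pe and ext.lower() not in PE_EXTENSIONS,
        "name_is_sha256": hash_named,
        "name_hash_mismatch": hash_named and stem.lower() != sha256,
    }


def triage_dir(directory: str) -> dict:
    """Triage every file in a directory, keyed by file name."""
    return {n: triage_file(os.path.join(directory, n)) for n in sorted(os.listdir(directory))}


def fake_pe(tag: bytes) -> bytes:
    """Constructed PE-shaped blob: MZ header with e_lfanew -> 'PE\\0\\0'. Not runnable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + tag


def build_sample_dir() -> str:
    """Constructed sample directory mirroring the report's cases: a PE named by its
    own SHA-256 with no extension, one with .exe, a text file posing as .exe, and a
    PE whose hash-style name does not match its content."""
    d = tempfile.mkdtemp()
    pe_noext = fake_pe(b"one")
    pe_exe = fake_pe(b"two")
    files = {
        hashlib.sha256(pe_noext).hexdigest(): pe_noext,
        hashlib.sha256(pe_exe).hexdigest() + ".exe": pe_exe,
        "readme.exe": b"just text\n",
        "0" * 64 + ".exe": fake_pe(b"three"),
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, rec in triage_dir(build_sample_dir()).items():
        flags = [k for k in ("ext_mismatch", "name_hash_mismatch") if rec[k]]
        print(f"{name[:20]:<24} pe={rec['is_pe']} flags={flags}")
```

A filename mismatch against the hash is worth treating as a finding in its own right: either the archive was repacked, or the file was altered after it was named, and either way the hash in the name should not be trusted for lookups against threat-intel feeds.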
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: SNMPPort#VMwareProductName)VMwareProductVersion
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: GetAllVMwareServiceURIs
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: for VMWare ESX
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: vmwareCredentialsID
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: GetVMwareCredential
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: ActionTypeIDYSending request for BlogItemDAL.GetBlogById.QError obtaining blog notification item: SSending request for BlogItemDAL.GetItems.]Error when obtaining blog notification items: sSending request for CoreHelper.CheckOrionProductTeamBlog.]Error forcing blog notification items update: eSending request for BlogItemDAL.GetBlogItemForPos.cError obtaining blog notification item for post: /GetAllVMwareServiceURIs'GetVMwareCredential-InsertUpdateVMHostNode
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr Binary or memory string: get_VMwareESXJobTimeout
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED

Remote Access Functionality

Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED
No contacted IP infos