Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr | — Reviewer note: 7zG.exe and notepad.exe appear as .sdmp (memory-dump) sources here because those benign processes handled the dropped sample files (the samples sit under an extracted WinX.SUNBURST folder and a notepad.exe instance is active in the behaviour section below); the strings are file content resident in their memory, not an indication that 7-Zip or Notepad is compromised. Attribute these strings to the .dr files, not to the host processes.
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 | — Reviewer note: this and the other digicert.com, symcb.com, symcd.com, symantec.com and symauth.com entries below are AIA, CRL, OCSP, CPS and RPA URLs from the certificate chain of an embedded Authenticode signature and timestamp. The stray character(s) after each URL (`0`, `0P`, `0C`, `0;`, etc.) are most likely adjacent DER encoding bytes picked up by string extraction and are not part of the URL. Do not treat these certificate-infrastructure hosts as C2 indicators; they would also be contacted by any signed binary during signature validation.
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://s.symcd.com06 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://s2.symcb.com0 |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://solarwinds.s3.amazonaws.com/solarwinds/Release/MIB-Database/MIBs.zip | — Reviewer note: the solarwinds.com and solarwinds.s3.amazonaws.com URLs on this page (MIB database download, Thwack RSS feed, IMaintUpdateNotifySvc WCF contract namespace, documentation and quote links) are ordinary SolarWinds Orion product strings, consistent with SUNBURST being embedded in a legitimate Orion assembly as the referenced FireEye write-up describes. SUNBURST's real C2 hostnames are produced at runtime by the DGA targeted by the APT_Backdoor_SUNBURST_2 rule, so their absence from this static string list is expected; do not block the legitimate SolarWinds hosts on the strength of this list.
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://sv.symcb.com/sv.crl0a |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://sv.symcd.com0& |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://thwackfeeds.solarwinds.com/blogs/orion-product-team-blog/rss.aspxT |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataRespo |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataT |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetLouserzed | — Reviewer note: `GetLouserzed` is not a plausible WCF action name and is probably an extraction or anonymisation artefact of the original method name (the same applies to the truncated `GetDataRespo`, `GetDataT`, `2009/09L` and `2009/09T` fragments nearby). If this namespace is used for matching at all, match on the stable prefix `http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09`, which is itself a legitimate product string rather than a malicious indicator.
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09L |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09T |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/documentation/kbloader.aspx?lang= |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.solarwinds.com/embedded_in_products/productLink.aspx?id=online_quote |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
String found in binary or memory: https://d.symcb.com/rpa0. |
Source: 7zG.exe, 00000011.00000003.2058936691.000001EB86FD0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000014.00000003.2270733450.0000018309672000.00000004.00000020.00020000.00000000.sdmp, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: https://www.solarwinds.com/documentation/kbloader.aspx?lang= |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
String found in binary or memory: https://www.solarwinds.com/embedded_in_products/productLink.aspx?id=online_quote |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED | — Reviewer note: every SUNBURST rule hit on this page is of type DROPPED, i.e. a static YARA match on the extracted sample files. In the section-load behaviour visible on this page only 7zG.exe, OpenWith.exe and notepad.exe are active; no process launched from any of the three dropped samples is shown, so this page does not demonstrate the backdoor actually executing. Corroborate with the process tree and network sections of the full report before treating the run as dynamic confirmation.
Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED |
Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED |
Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.) Author: Arnim Rupp |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. Author: FireEye |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: uxtheme.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: cryptbase.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: explorerframe.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: textshaping.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: textinputframework.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: coremessaging.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: ntmarta.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: uxtheme.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: cryptbase.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: explorerframe.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: textshaping.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: textinputframework.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: coremessaging.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: ntmarta.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Program Files\7-Zip\7zG.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\OpenWith.exe | — Reviewer note: the appearance of OpenWith.exe is consistent with the "Open with" dialog being raised for the dropped sample `ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6`, which (per its path in the YARA matches above) carries no file extension and therefore has no registered handler. The module loads listed under OpenWith.exe are ordinary shell/UI dependencies and should not be read as sample behaviour.
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: twinui.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: powrprof.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dwmapi.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: pdh.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: umpdc.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: actxprxy.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: propsys.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windows.ui.appdefaults.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windows.ui.immersive.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: uiautomationcore.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dui70.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: duser.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dwrite.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: bcp47mrm.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: uianimation.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: d3d11.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dxgi.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: d3d10warp.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: resourcepolicyclient.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dxcore.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: dcomp.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: oleacc.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: edputil.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windows.ui.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windowmanagementapi.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: textinputframework.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: inputhost.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: twinapi.appcore.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: twinapi.appcore.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: windowscodecs.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: thumbcache.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: policymanager.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: msvcp110_win.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: directmanipulation.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: textshaping.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: ninput.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: appresolver.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: bcp47langs.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: slc.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: sppc.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: pcacli.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\OpenWith.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: mrmcorer.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: textshaping.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: efswrt.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: twinapi.appcore.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: oleacc.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: textinputframework.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: propsys.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: policymanager.dll |
Source: C:\Windows\System32\notepad.exe |
Section loaded: msvcp110_win.dll |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED |
Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/ | — Reviewer note: the three hashes in this rule's metadata (hash1–hash3) are exactly the three dropped samples on this page, so this experimental rule was authored against these very files; its match is expected and is not independent evidence beyond the FireEye APT_Backdoor_SUNBURST_1/_2 matches. The rule is marked experimental and keys on the fnv1a constants plus a trailing XOR, so expect it to be more prone to false positives on unrelated MSIL code than the FireEye rules.
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: APT_fnv1a_plus_extra_XOR_in_MSIL_experimental date = 2020-12-22, hash3 = 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, hash2 = ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, hash1 = 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, author = Arnim Rupp, description = This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.), reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_1 author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: C:\Users\user\Desktop\WinX.SUNBURST\WinX.SUNBURST\ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, type: DROPPED |
Matched rule: APT_Backdoor_SUNBURST_2 author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr |
Binary or memory string: SELECT AccountID, DisplayName FROM Orion.Accounts (nolock=true) WHERE ;TriggeringObjectEntityUri = ' |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: Select COUNT(*) from Tree WHERE Primary = -1 AND ParentOID=@oid; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: SELECT * INTO #Nodes FROM Nodes WHERE 1=1; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: UPDATE [NodesData] SET {0} WHERE NodeID=@node; UPDATE [NodesStatistics] SET {1} WHERE NodeID=@node;[UPDATE [NodesData] SET {0} WHERE NodeID=@nodegUPDATE [NodesStatistics] SET {0} WHERE NodeID=@nodeeDELETE FROM ShadowNodes WHERE IPAddress=@IPAddress |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: SELECT [ArgsKey], [ArgsValue] FROM [dbo].[AuditingArguments] WITH(NOLOCK) WHERE [AuditEventID] = @AuditEventID; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: Select DISTINCT Name, OID, Index from Tree WHERE Primary = -1 AND ParentOID=@parentOid order by index; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: SELECT Nodes.* INTO #Nodes FROM Nodes WHERE 1=1; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: Select TOP 1 {0} from Tree WHERE Primary = -1 AND OID=@Oid AND Description <> 'unknown'; |
Source: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134.exe.17.dr, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6.17.dr, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.exe.17.dr |
Binary or memory string: SELECT TOP 1 [AccountID], [ActionTypeID] FROM [dbo].[AuditingEvents] WITH(NOLOCK) WHERE [AuditEventID] = @AuditEventID; |