Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security Blog
Common Information
Type Value
UUID 40b9470c-f0d7-413c-a678-16aefedc42f7
Fingerprint e4210990447ff601
Analysis status IN_PROGRESS
Considered CTI value 0
Text language
Published Dec. 18, 2020, 2:15 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
Title Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security Blog
Detected Hints/Tags/Attributes 116/2/74
Attributes
Type #Events Value
File 29 orion.core
File 26 businesslayer.dll
File 4 orionimprovementbusinesslayer.ini
File 13 businesslayerhost.exe
File 6 groundling32.sys
File 53 adfind.exe
File 409 c:\windows\system32\cmd.exe
File 165 csrss.exe
File 3 mod1.log
File 1 definition.settings
File 3 folder.reg
File 1 c:\windows\softwaredistribution\eventcachemanager.exe
File 1 c:\windows\idmu\common\ypprop.dll
File 127 c:\windows\system32\rundll32.exe
File 1208 powershell.exe
File 2125 cmd.exe
File 271 chrome.exe
File 128 msedge.exe
File 263 iexplore.exe
File 199 firefox.exe
File 73 opera.exe
File 15 servicehost.exe
File 81 werfault.exe
File 59 csc.exe
File 11 b6031896.dll
MITRE ATT&CK Techniques 6 T1195.001
MITRE ATT&CK Techniques 50 T1072
MITRE ATT&CK Techniques 52 T1071.004
MITRE ATT&CK Techniques 442 T1071.001
MITRE ATT&CK Techniques 25 T1568.002
MITRE ATT&CK Techniques 18 T1480.001
MITRE ATT&CK Techniques 298 T1562.001
Windows Registry Key 8 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography