Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security Blog
Tags
Common Information
Type | Value |
---|---|
UUID | 40b9470c-f0d7-413c-a678-16aefedc42f7 |
Fingerprint | e4210990447ff601 |
Analysis status | IN_PROGRESS |
Considered CTI value | 0 |
Text language | |
Published | Dec. 18, 2020, 2:15 p.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 17, 2024, 6:56 p.m. |
Headline | Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers |
Title | Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security Blog |
Detected Hints/Tags/Attributes | 116/2/74 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 107 | aka.ms | |
Details | Domain | 11 | api.solarwinds.com | |
Details | Domain | 1 | 3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com | |
Details | Domain | 1 | 3mu76044hgf7shjf.appsync-api.us-east-2.avsvmcloud.com | |
Details | Domain | 1 | 3mu76044hgf7shjf.appsync-api.us-east-1.avsvmcloud.com | |
Details | Domain | 2 | breached.contoso.com | |
Details | Domain | 5 | task.name | |
Details | Domain | 285 | microsoft.net | |
Details | Domain | 8 | infinitysoftwares.com | |
Details | Domain | 50 | avsvmcloud.com | |
Details | File | 29 | orion.core | |
Details | File | 26 | businesslayer.dll | |
Details | File | 4 | orionimprovementbusinesslayer.ini | |
Details | File | 13 | businesslayerhost.exe | |
Details | File | 6 | groundling32.sys | |
Details | File | 53 | adfind.exe | |
Details | File | 409 | c:\windows\system32\cmd.exe | |
Details | File | 165 | csrss.exe | |
Details | File | 3 | mod1.log | |
Details | File | 1 | definition.settings | |
Details | File | 3 | folder.reg | |
Details | File | 1 | c:\windows\softwaredistribution\eventcachemanager.exe | |
Details | File | 1 | c:\windows\idmu\common\ypprop.dll | |
Details | File | 127 | c:\windows\system32\rundll32.exe | |
Details | File | 1208 | powershell.exe | |
Details | File | 2125 | cmd.exe | |
Details | File | 271 | chrome.exe | |
Details | File | 128 | msedge.exe | |
Details | File | 263 | iexplore.exe | |
Details | File | 199 | firefox.exe | |
Details | File | 73 | opera.exe | |
Details | File | 15 | servicehost.exe | |
Details | File | 81 | werfault.exe | |
Details | File | 59 | csc.exe | |
Details | File | 11 | b6031896.dll | |
Details | sha1 | 3 | d130bd75645c2433f88ac03e73395fba172ef676 | |
Details | sha1 | 3 | 1acf3108bf1e376c8848fbb25dc87424f2c2a39c | |
Details | sha1 | 1 | e257236206e99f5a5c62035c9c59c57206728b28 | |
Details | sha1 | 1 | 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b | |
Details | sha1 | 4 | 2f1a5a7411d015d01aaee4535835400191645023 | |
Details | sha1 | 1 | bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387 | |
Details | sha1 | 1 | 16505d0b929d80ad1680f993c02954cfd3772207 | |
Details | sha1 | 1 | d8938528d68aabe1e31df485eb3f75c8a925b5d9 | |
Details | sha1 | 2 | 395da6d4f3c890295f7584132ea73d759bd9d094 | |
Details | sha1 | 1 | c8b7f28230ea8fbf441c64fdd3feeba88607069e | |
Details | sha1 | 1 | 2841391dfbffa02341333dd34f5298071730366a | |
Details | sha1 | 1 | 2546b0e82aecfe987c318c7ad1d00f9fa11cd305 | |
Details | sha1 | 1 | e2152737bed988c0939c900037890d1244d9a30e | |
Details | sha256 | 10 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | |
Details | sha256 | 9 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | |
Details | sha256 | 8 | eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed | |
Details | sha256 | 6 | ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c | |
Details | sha256 | 13 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | |
Details | sha256 | 8 | c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 | |
Details | sha256 | 4 | 0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 | |
Details | sha256 | 2 | e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d | |
Details | sha256 | 3 | 20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 | |
Details | sha256 | 2 | 2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d | |
Details | sha256 | 2 | a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d | |
Details | sha256 | 2 | 92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690 | |
Details | sha256 | 2 | a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2 | |
Details | sha256 | 2 | cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 | |
Details | MITRE ATT&CK Techniques | 6 | T1195.001 | |
Details | MITRE ATT&CK Techniques | 50 | T1072 | |
Details | MITRE ATT&CK Techniques | 52 | T1071.004 | |
Details | MITRE ATT&CK Techniques | 442 | T1071.001 | |
Details | MITRE ATT&CK Techniques | 25 | T1568.002 | |
Details | MITRE ATT&CK Techniques | 18 | T1480.001 | |
Details | MITRE ATT&CK Techniques | 298 | T1562.001 | |
Details | Url | 8 | https://aka.ms/solorigate. | |
Details | Url | 1 | https://3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com | |
Details | Url | 1 | https://3mu76044hgf7shjf.appsync-api.us-east-2.avsvmcloud.com | |
Details | Url | 1 | https://3mu76044hgf7shjf.appsync-api.us-east-1.avsvmcloud.com | |
Details | Windows Registry Key | 8 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | |