Malware Analysis Report

2024-10-10 13:02

Sample ID 240618-xf51gavamh
Target Solara.exe
SHA256 1ac539099498a1b248611e9a8c493486cafc55abf4360f7279a753ae9b6b3b40
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ac539099498a1b248611e9a8c493486cafc55abf4360f7279a753ae9b6b3b40

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:48

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:48

Reported

2024-06-18 18:51

Platform

win7-20240508-en

Max time kernel

129s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Users\All Users\audiodg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\sppsvc.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\0a1fd5f707cd16 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\b75386f1303e64 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\wininit.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\56085415360792 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\BitLockerDiscoveryVolumeContents\System.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\27d1bcfc3c54e0 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\All Users\audiodg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\audiodg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 2176 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 2176 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 2176 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 1720 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 2768 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 2768 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 2768 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 3052 wrote to memory of 1092 | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | C:\Users\All Users\audiodg.exe
PID 3052 wrote to memory of 1092 | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | C:\Users\All Users\audiodg.exe
PID 3052 wrote to memory of 1092 | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | C:\Users\All Users\audiodg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Containercomponentdriverdll\KeujGBFUQImr.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Containercomponentdriverdll\KHRnsPaHq6wt4rRYII1q2.bat" "

C:\Containercomponentdriverdll\Msperfcrt.exe

"C:\Containercomponentdriverdll\Msperfcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Containercomponentdriverdll\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Containercomponentdriverdll\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Containercomponentdriverdll\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Containercomponentdriverdll\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Containercomponentdriverdll\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Containercomponentdriverdll\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f

C:\Users\All Users\audiodg.exe

"C:\Users\All Users\audiodg.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0996780.xsph.ru | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp

Files

C:\Containercomponentdriverdll\KeujGBFUQImr.vbe

MD5 ff6ec30615d52d4f5d785b686f0a4889
SHA1 02fea89ed16a0ab87def5cbb70cd00756e7d36a3
SHA256 960ef567e503ff1338e13194e0b3ffe34cca35ed7f7374f18095510743b748f1
SHA512 d29dd5eae96b13e4b2511651783d705703e0d4651273c9c11c177a2acb94b9c7a4863598d42f379b69cc67b6a7689d282f7231df2489d62566e0048a765c85fd

C:\Containercomponentdriverdll\KHRnsPaHq6wt4rRYII1q2.bat

MD5 332b634fef3fab1c2ee04929179b93ba
SHA1 fdbaea891ecd43e10936281ef5f9d25081c074dc
SHA256 052c92ce3aa3301c1e51da420b61728ae6405c1e2a22365f44a9c9a4b8f2e779
SHA512 b650092623b219c7c957c3331ce62fbc1b5677aa0b9764766fe82be50a451c0f7875cdf35823b389440e7e3f0a788a6e53aaa5a48b095e94952a474a056c4abd

C:\Containercomponentdriverdll\Msperfcrt.exe

MD5 627d941e966fcb8c28d0ad7637d9c247
SHA1 0081828c3be966dc12d525d0e7ebb9ffbef30d07
SHA256 b9af4371cb17542d6c49f91230239d6cbb2889dfe625484d5a06b3faa98dcad8
SHA512 ed54f78e9c30c3648476c2712692ac78ee1f31680ebdfae6d0ad4baebaff9e171ebd6f3139ccc98543858e05498de27dfd51ed7fa380721bc460b40b7437a035

memory/3052-13-0x0000000000F90000-0x0000000001066000-memory.dmp

memory/1092-44-0x0000000000A00000-0x0000000000AD6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:48

Reported

2024-06-18 18:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\unsecapp.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\en-US\fba371d7436272 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Google\Chrome\unsecapp.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Google\Chrome\29c1c3cc0f7685 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Windows Mail\Msperfcrt.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files\Windows Mail\fba371d7436272 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\en-US\Msperfcrt.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CbsTemp\dwm.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Windows\CbsTemp\6cb0b6c459d5d3 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\unsecapp.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Containercomponentdriverdll\KeujGBFUQImr.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Containercomponentdriverdll\KHRnsPaHq6wt4rRYII1q2.bat" "

C:\Containercomponentdriverdll\Msperfcrt.exe

"C:\Containercomponentdriverdll\Msperfcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Containercomponentdriverdll\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Containercomponentdriverdll\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Containercomponentdriverdll\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsperfcrtM" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\Msperfcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Msperfcrt" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Msperfcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsperfcrtM" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\Msperfcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Containercomponentdriverdll\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Containercomponentdriverdll\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Containercomponentdriverdll\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsperfcrtM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Msperfcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Msperfcrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Msperfcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsperfcrtM" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Msperfcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /rl HIGHEST /f

C:\Program Files\Google\Chrome\unsecapp.exe

"C:\Program Files\Google\Chrome\unsecapp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0996780.xsph.ru | udp
US | 8.8.8.8:53 | a0996780.xsph.ru | udp

Files

C:\Containercomponentdriverdll\KeujGBFUQImr.vbe

MD5 ff6ec30615d52d4f5d785b686f0a4889
SHA1 02fea89ed16a0ab87def5cbb70cd00756e7d36a3
SHA256 960ef567e503ff1338e13194e0b3ffe34cca35ed7f7374f18095510743b748f1
SHA512 d29dd5eae96b13e4b2511651783d705703e0d4651273c9c11c177a2acb94b9c7a4863598d42f379b69cc67b6a7689d282f7231df2489d62566e0048a765c85fd

C:\Containercomponentdriverdll\KHRnsPaHq6wt4rRYII1q2.bat

MD5 332b634fef3fab1c2ee04929179b93ba
SHA1 fdbaea891ecd43e10936281ef5f9d25081c074dc
SHA256 052c92ce3aa3301c1e51da420b61728ae6405c1e2a22365f44a9c9a4b8f2e779
SHA512 b650092623b219c7c957c3331ce62fbc1b5677aa0b9764766fe82be50a451c0f7875cdf35823b389440e7e3f0a788a6e53aaa5a48b095e94952a474a056c4abd

C:\Containercomponentdriverdll\Msperfcrt.exe

MD5 627d941e966fcb8c28d0ad7637d9c247
SHA1 0081828c3be966dc12d525d0e7ebb9ffbef30d07
SHA256 b9af4371cb17542d6c49f91230239d6cbb2889dfe625484d5a06b3faa98dcad8
SHA512 ed54f78e9c30c3648476c2712692ac78ee1f31680ebdfae6d0ad4baebaff9e171ebd6f3139ccc98543858e05498de27dfd51ed7fa380721bc460b40b7437a035

memory/2340-12-0x00007FFFEFAE3000-0x00007FFFEFAE5000-memory.dmp

memory/2340-13-0x0000000000AF0000-0x0000000000BC6000-memory.dmp