Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
21-06-2024 04:52
Static task
static1
Behavioral task
behavioral1
Sample
e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
Resource
win10v2004-20240508-en
General
-
Target
e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
-
Size
959KB
-
MD5
4d580c12dd002c7e9d0672cf7c0fef59
-
SHA1
b46c4eaeea368c01f3b6e89a7749dcb9719fcf11
-
SHA256
e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
-
SHA512
6a517c05bf3b3df6d66fbe026044456bc5ec9f643757a53705a869588c505fbb837fc763134b71bea390ca8f01f8b5fdda391ed5eb07829dcd8249027a6f99f0
-
SSDEEP
24576:7IY/8GC9t2/zdHKXMXvE/s5ZVKBdd0aZ7+B:7IQRllfE/oYh+B
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 324 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 896 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 108 | 2824 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2824 | schtasks.exe |
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\trx.exe | dcrat
\MSCONFIG\CONFIG.exe | dcrat
behavioral1/memory/2628-35-0x0000000000E90000-0x0000000000FBE000-memory.dmp | dcrat
behavioral1/memory/2916-58-0x00000000003A0000-0x00000000004CE000-memory.dmp | dcrat
-
Detects executables containing URLs to raw contents of a Github gist 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2164-16-0x00000000012E0000-0x00000000012EA000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
-
Detects executables packed with SmartAssembly 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2628-40-0x0000000000B40000-0x0000000000B4C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
2164 | SolaraBootstrapper.exe
2924 | trx.exe
2628 | CONFIG.exe
2916 | csrss.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
2880 | WerFault.exe
2880 | WerFault.exe
2880 | WerFault.exe
2880 | WerFault.exe
2880 | WerFault.exe
2524 | cmd.exe
2524 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e | CONFIG.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe | CONFIG.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\886983d96e3d3e | CONFIG.exe
File created | C:\Program Files\Windows Sidebar\taskhost.exe | CONFIG.exe
File created | C:\Program Files\Windows Sidebar\b75386f1303e64 | CONFIG.exe
File created | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | CONFIG.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2880 | 2164 | WerFault.exe | SolaraBootstrapper.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
896 | schtasks.exe
1904 | schtasks.exe
1648 | schtasks.exe
536 | schtasks.exe
2212 | schtasks.exe
2232 | schtasks.exe
324 | schtasks.exe
2756 | schtasks.exe
844 | schtasks.exe
1200 | schtasks.exe
1156 | schtasks.exe
1100 | schtasks.exe
1724 | schtasks.exe
108 | schtasks.exe
1708 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2628 | CONFIG.exe
2628 | CONFIG.exe
2628 | CONFIG.exe
2916 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2164 | SolaraBootstrapper.exe
Token: SeDebugPrivilege | 2628 | CONFIG.exe
Token: SeDebugPrivilege | 2916 | csrss.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 1284 wrote to memory of 2164 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | SolaraBootstrapper.exe
PID 1284 wrote to memory of 2924 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | trx.exe
PID 1284 wrote to memory of 2924 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | trx.exe
PID 1284 wrote to memory of 2924 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | trx.exe
PID 1284 wrote to memory of 2924 | 1284 | e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | trx.exe
PID 2924 wrote to memory of 2940 | 2924 | trx.exe | WScript.exe
PID 2924 wrote to memory of 2940 | 2924 | trx.exe | WScript.exe
PID 2924 wrote to memory of 2940 | 2924 | trx.exe | WScript.exe
PID 2924 wrote to memory of 2940 | 2924 | trx.exe | WScript.exe
PID 2164 wrote to memory of 2880 | 2164 | SolaraBootstrapper.exe | WerFault.exe
PID 2164 wrote to memory of 2880 | 2164 | SolaraBootstrapper.exe | WerFault.exe
PID 2164 wrote to memory of 2880 | 2164 | SolaraBootstrapper.exe | WerFault.exe
PID 2164 wrote to memory of 2880 | 2164 | SolaraBootstrapper.exe | WerFault.exe
PID 2940 wrote to memory of 2524 | 2940 | WScript.exe | cmd.exe
PID 2940 wrote to memory of 2524 | 2940 | WScript.exe | cmd.exe
PID 2940 wrote to memory of 2524 | 2940 | WScript.exe | cmd.exe
PID 2940 wrote to memory of 2524 | 2940 | WScript.exe | cmd.exe
PID 2524 wrote to memory of 2628 | 2524 | cmd.exe | CONFIG.exe
PID 2524 wrote to memory of 2628 | 2524 | cmd.exe | CONFIG.exe
PID 2524 wrote to memory of 2628 | 2524 | cmd.exe | CONFIG.exe
PID 2524 wrote to memory of 2628 | 2524 | cmd.exe | CONFIG.exe
PID 2628 wrote to memory of 2916 | 2628 | CONFIG.exe | csrss.exe
PID 2628 wrote to memory of 2916 | 2628 | CONFIG.exe | csrss.exe
PID 2628 wrote to memory of 2916 | 2628 | CONFIG.exe | csrss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"
- Suspicious use of WriteProcessMemory
PID: 1284
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2164
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1092
- Loads dropped DLL
- Program crash
PID: 2880
-
C:\Users\Admin\AppData\Local\Temp\trx.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\trx.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2924
-
C:\Windows\SysWOW64\WScript.exe (level 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"
- Suspicious use of WriteProcessMemory
PID: 2940
-
C:\Windows\SysWOW64\cmd.exe (level 4)
Command line: cmd /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2524
-
C:\MSCONFIG\CONFIG.exe (level 5)
Command line: "C:\MSCONFIG\CONFIG.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2628
-
C:\Program Files\Java\jre7\bin\plugin2\csrss.exe (level 6)
Command line: "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2916
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\MSCONFIG\0h6cj87wvPM.vbe
Filesize
208B
MD5
c82cc3c85bd84d0af9e997e0a4959cdd
SHA1
8ff246be20905b44b77082729819917245547013
SHA256
53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d
SHA512
09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9
-
C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat
Filesize
24B
MD5
8ec84d1942903da3492f14e534a8e841
SHA1
b152ff7373eac0aaef9c17637bde6cc754fe257a
SHA256
a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d
SHA512
bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Filesize
12KB
MD5
74494703e5f44eeb9aa037f0f50bf682
SHA1
fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
SHA256
3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
SHA512
dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe
-
C:\Users\Admin\AppData\Local\Temp\trx.exe
Filesize
1.5MB
MD5
03cde07f808c1c15f2b413e89a45b9d8
SHA1
2e4f97f7f28024db39758472d484484dc3030c0b
SHA256
daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f
SHA512
d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18
-
\MSCONFIG\CONFIG.exe
Filesize
1.1MB
MD5
5e14719cd7fbb360095ace17828a75b3
SHA1
72cd087ba89bef7546a5657b352b61f2ea31f492
SHA256
095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561
SHA512
20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27
-
memory/1284-1-0x000000013FF80000-0x0000000140074000-memory.dmp
Filesize
976KB
-
memory/1284-13-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
Filesize
9.9MB
-
memory/1284-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp
Filesize
4KB
-
memory/2164-61-0x000000007452E000-0x000000007452F000-memory.dmp
Filesize
4KB
-
memory/2164-14-0x000000007452E000-0x000000007452F000-memory.dmp
Filesize
4KB
-
memory/2164-16-0x00000000012E0000-0x00000000012EA000-memory.dmp
Filesize
40KB
-
memory/2628-35-0x0000000000E90000-0x0000000000FBE000-memory.dmp
Filesize
1.2MB
-
memory/2628-37-0x0000000000B10000-0x0000000000B1C000-memory.dmp
Filesize
48KB
-
memory/2628-38-0x0000000000460000-0x0000000000468000-memory.dmp
Filesize
32KB
-
memory/2628-39-0x0000000000B00000-0x0000000000B12000-memory.dmp
Filesize
72KB
-
memory/2628-40-0x0000000000B40000-0x0000000000B4C000-memory.dmp
Filesize
48KB
-
memory/2628-41-0x0000000000B50000-0x0000000000B5C000-memory.dmp
Filesize
48KB
-
memory/2628-36-0x00000000003D0000-0x00000000003E2000-memory.dmp
Filesize
72KB
-
memory/2916-58-0x00000000003A0000-0x00000000004CE000-memory.dmp
Filesize
1.2MB
-
memory/2916-59-0x00000000005E0000-0x00000000005F2000-memory.dmp
Filesize
72KB
-
memory/2916-60-0x0000000000800000-0x0000000000812000-memory.dmp
Filesize
72KB