dcrat | e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe
Size

1.5MB
MD5

e21e16be3e5d762e1e33bec36aa482be
SHA1

641e7bcd3881bae636d8100e7c0db08bfb73b912
SHA256

e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081
SHA512

3cdde9af8e73709a1727941780967599e153cf6e1a13a16baa6a9720bb40a16c7c776a402f347c60290e81f2d9bedd7480a4841b5cc1b8c46b7de09cca96624a
SSDEEP

24576:VJ/w6JHKyfE6Ve1uZv0YNeNijhBCjNUsdUmC5X75Ve3Sws1Ek1XCo2:7HVEKe1uZsUeghojNUsdDC5X7ncSzEk0

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x003200000001566d-11.dat	dcrat
behavioral1/files/0x0007000000015ceb-50.dat	dcrat
behavioral1/memory/1292-54-0x0000000000230000-0x00000000003A8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1248	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2704	SolaraBootstrapper.exe
2564	Roblox.exe
1292	BrowserNet.exe

Loads dropped DLL 10 IoCs

pid	Process
1944	cmd.exe
1944	cmd.exe
1744	MsiExec.exe
1744	MsiExec.exe
1356	MsiExec.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	1032	msiexec.exe
12	1032	msiexec.exe
14	1032	msiexec.exe
16	1032	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76a9b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a9b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE80.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
908	2704	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SolaraBootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SolaraBootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SolaraBootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SolaraBootstrapper.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2704	SolaraBootstrapper.exe
2704	SolaraBootstrapper.exe
1248	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1292	BrowserNet.exe
Token: SeShutdownPrivilege	2956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	2956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2956	msiexec.exe
Token: SeLockMemoryPrivilege	2956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2956	msiexec.exe
Token: SeMachineAccountPrivilege	2956	msiexec.exe
Token: SeTcbPrivilege	2956	msiexec.exe
Token: SeSecurityPrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeLoadDriverPrivilege	2956	msiexec.exe
Token: SeSystemProfilePrivilege	2956	msiexec.exe
Token: SeSystemtimePrivilege	2956	msiexec.exe
Token: SeProfSingleProcessPrivilege	2956	msiexec.exe
Token: SeIncBasePriorityPrivilege	2956	msiexec.exe
Token: SeCreatePagefilePrivilege	2956	msiexec.exe
Token: SeCreatePermanentPrivilege	2956	msiexec.exe
Token: SeBackupPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeShutdownPrivilege	2956	msiexec.exe
Token: SeDebugPrivilege	2956	msiexec.exe
Token: SeAuditPrivilege	2956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2956	msiexec.exe
Token: SeChangeNotifyPrivilege	2956	msiexec.exe
Token: SeRemoteShutdownPrivilege	2956	msiexec.exe
Token: SeUndockPrivilege	2956	msiexec.exe
Token: SeSyncAgentPrivilege	2956	msiexec.exe
Token: SeEnableDelegationPrivilege	2956	msiexec.exe
Token: SeManageVolumePrivilege	2956	msiexec.exe
Token: SeImpersonatePrivilege	2956	msiexec.exe
Token: SeCreateGlobalPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2704	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	30
PID 2668 wrote to memory of 2704	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	30
PID 2668 wrote to memory of 2704	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	30
PID 2668 wrote to memory of 2704	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	30
PID 2668 wrote to memory of 2564	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	32
PID 2668 wrote to memory of 2564	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	32
PID 2668 wrote to memory of 2564	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	32
PID 2668 wrote to memory of 2564	2668	e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe	32
PID 2564 wrote to memory of 2612	2564	Roblox.exe	33
PID 2564 wrote to memory of 2612	2564	Roblox.exe	33
PID 2564 wrote to memory of 2612	2564	Roblox.exe	33
PID 2564 wrote to memory of 2612	2564	Roblox.exe	33
PID 2564 wrote to memory of 3000	2564	Roblox.exe	34
PID 2564 wrote to memory of 3000	2564	Roblox.exe	34
PID 2564 wrote to memory of 3000	2564	Roblox.exe	34
PID 2564 wrote to memory of 3000	2564	Roblox.exe	34
PID 3000 wrote to memory of 1248	3000	cmd.exe	36
PID 3000 wrote to memory of 1248	3000	cmd.exe	36
PID 3000 wrote to memory of 1248	3000	cmd.exe	36
PID 3000 wrote to memory of 1248	3000	cmd.exe	36
PID 2612 wrote to memory of 1944	2612	WScript.exe	37
PID 2612 wrote to memory of 1944	2612	WScript.exe	37
PID 2612 wrote to memory of 1944	2612	WScript.exe	37
PID 2612 wrote to memory of 1944	2612	WScript.exe	37
PID 1944 wrote to memory of 1292	1944	cmd.exe	39
PID 1944 wrote to memory of 1292	1944	cmd.exe	39
PID 1944 wrote to memory of 1292	1944	cmd.exe	39
PID 1944 wrote to memory of 1292	1944	cmd.exe	39
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 2704 wrote to memory of 2956	2704	SolaraBootstrapper.exe	41
PID 1032 wrote to memory of 1744	1032	msiexec.exe	43
PID 1032 wrote to memory of 1744	1032	msiexec.exe	43
PID 1032 wrote to memory of 1744	1032	msiexec.exe	43
PID 1032 wrote to memory of 1744	1032	msiexec.exe	43
PID 1032 wrote to memory of 1744	1032	msiexec.exe	43
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 1032 wrote to memory of 1356	1032	msiexec.exe	44
PID 2704 wrote to memory of 908	2704	SolaraBootstrapper.exe	45
PID 2704 wrote to memory of 908	2704	SolaraBootstrapper.exe	45
PID 2704 wrote to memory of 908	2704	SolaraBootstrapper.exe	45
PID 2704 wrote to memory of 908	2704	SolaraBootstrapper.exe	45

C:\Users\Admin\AppData\Local\Temp\e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe
"C:\Users\Admin\AppData\Local\Temp\e113d1eb93a1bb51fcd6f67df606da197e897c7eb7ff65d2038a836122451081.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1556
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:908
- C:\Users\Admin\AppData\Local\Temp\Roblox.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\winsession\7NpMZdMLVTgEeGgpoeASbF.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\winsession\DT2xNg1uN5P.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\winsession\BrowserNet.exe
        
        "C:\winsession\BrowserNet.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\winsession\pNoS5ArX7zJHxpb4Rmc.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 962918C05915D7A4A074B65EE98E1A71
  2⤵
  - Loads dropped DLL
  PID:1744
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E91B86A7ADA4274924D0F820DB271CF4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74596d2d5cd8f58a7ec56c3916458a37

SHA1
33616d6dbaf36ac58da8fc3254f7a0c4ca070612

SHA256
5e82e17dae9ddb2ad7f3c2955bf366742fca6f7f91b1e2cfc285890301e1d3fd

SHA512
b64ff7d83d2507792002c77cf2607bc12b107054d52ae842c31e945c6bc58cbb5313475901758a2695376bfbd5d29ffa2a640e4464e6c6c526d2f83b091d6b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84BC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox.exe

Filesize
1.7MB

MD5
f88a01f990fae0ccaa4079c5503549f2

SHA1
061df4b0d2106f5d9afb23d144968767bc48d58b

SHA256
1bea857314b803ccf9f1ee002563dac80fa7b12aa2297d2759dd31ab5dc1f4a7

SHA512
8a53c27e6cbd7d115fad84df6f2f67397fe7295b36ce575a05b8a8d2019d529808413b267eff82993182ce9ced58fd60253c4e41ccc0bad1bb7fa43edf5176de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
797KB

MD5
36b62ba7d1b5e149a2c297f11e0417ee

SHA1
ce1b828476274375e632542c4842a6b002955603

SHA256
8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

SHA512
fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84DE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSIAE30.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\winsession\7NpMZdMLVTgEeGgpoeASbF.vbe

Filesize
198B

MD5
cdc97ee7d39aeff8453ce88a9893f23b

SHA1
c170f922a15bd78757c233b321591162d0e0e0a9

SHA256
ece953e10a172bf06a1ea731bdf6c22b17a6cea5ba5f58a7f634aaf4e8e8e76c

SHA512
1d818f569410e89accbd7dda423ad551174b0507f0eabb42656d3f19d217cf8d96a51ce6a412431a7243f7c8cf98b1185b8553c0389da79c83114a3e1d665f7d

Download Submit
C:\winsession\DT2xNg1uN5P.bat

Filesize
30B

MD5
3fe05fce6204234889d0dc84f59c55b1

SHA1
d630e04286635e6ab958815f4245ac570bbc1102

SHA256
8f945fed6d32812257e3ca8799eb6afea32e9d7493040f87bb846ee820f4507b

SHA512
965f9669f89abbdf0ed0346b9e759905048bae4b2251f585808891d0a6710f04f3cdee725bdba1c8b660b3650674ae5a477caaaab98999b99319ffeedf34a4aa

Download Submit
C:\winsession\pNoS5ArX7zJHxpb4Rmc.bat

Filesize
61B

MD5
59f5854a70cc84252a9faf535b60d39a

SHA1
facc9ebf104c46dffa0bbb77be9d0effa2bf0723

SHA256
a8a1e369c05be96e00645723d70e2a750f7af2f053df03d7689f69991fdb61e8

SHA512
2689dfe6cf2a768bb3d519f34bcf04b594da0865e273ebd88b1535fecf3c27fd7d38dd047e8577d1b59fac5ffbf1e714ed6808e7073e0cf2663ce616bc9e4b76

Download Submit
\Windows\Installer\MSIAE80.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\winsession\BrowserNet.exe

Filesize
1.4MB

MD5
14246d61e6d6ba95bbc6ad9d6c7f5316

SHA1
c11844f5c2a686dff0fb1f9bac7d289ed79a782d

SHA256
ceedc8e76d9e61f7701c65f47627d76db67f50948d355bdac93cf3d479af6f04

SHA512
005613ff1cae6694d915ed64235386449fa6b072ab7880756bb9a02a61c2298aeaacc368e07bde44d2858023525d22a7b26decd6e50be48675054047ac5bfdcf

Download Submit
memory/1292-54-0x0000000000230000-0x00000000003A8000-memory.dmp

Filesize
1.5MB

Download
memory/1292-55-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2668-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2668-13-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-1-0x00000000012F0000-0x0000000001476000-memory.dmp

Filesize
1.5MB

Download
memory/2704-38-0x0000000000BC0000-0x0000000000C8E000-memory.dmp

Filesize
824KB

Download