Analysis

  • max time kernel: 151s
  • max time network: 158s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-06-2024 19:05

General

  • Target: Solara/SolaraBootstrapper.exe
  • Size: 1.9MB
  • MD5: 8911439914996ec2bd5ba4dc50ffd163
  • SHA1: bed9b04aaab10cf740a5eb07f894c71f62ef88b2
  • SHA256: 40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41
  • SHA512: c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93
  • SSDEEP: 24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x

Signatures

  • DcRat
    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
  • Process spawned unexpected child process (9 IoCs)
    This typically indicates that the parent process was compromised via an exploit or a macro.
  • UAC bypass (3 TTPs, 6 IoCs)
  • DCRat payload (2 IoCs)
    Detects the DCRat payload, which is commonly dropped by NSIS installers.
  • Disables Task Manager via registry modification
  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up the country code configured in the registry, likely as a geofence.
  • Executes dropped EXE (2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (3 IoCs)
  • Modifies registry key (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 9 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)
  • System policy modification (1 TTP, 6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
          "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1004
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3332
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4416
              • C:\Windows\en-US\fontdrvhost.exe
                "C:\Windows\en-US\fontdrvhost.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:4396
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs"
                  7⤵
                    PID:436
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs"
                    7⤵
                      PID:4428
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • Modifies registry key
                PID:1860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2136
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1772
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2716
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:2424

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
    Filesize: 160B
    MD5: aa1ca164a728084ffd5e22bcf41ef9fb
    SHA1: a46fc620937abf7e82d6c97e728530549c74805f
    SHA256: c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
    SHA512: 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4
  • C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
    Filesize: 226B
    MD5: 4defbf69b7ac7cd48d5d28019164fc15
    SHA1: 475d6ef458c0505261f6e058b84d602dd55a792a
    SHA256: 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
    SHA512: 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe
  • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
    Filesize: 1.6MB
    MD5: c3d7d94a09a4a29ddc66ba84508d559f
    SHA1: 8bdcdd488649b311182622b7b07ea526bfd021c8
    SHA256: dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
    SHA512: ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0
  • C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs
    Filesize: 708B
    MD5: 3e85d8f871cc9b054a968320ba4534b2
    SHA1: 15bd42cdd8ef9089e07f3172c95ee58b0f8f013e
    SHA256: 70efb8cb1f8dc8a41f0b62af4b1aa224fa1ffa444603a52a01e2026706d99df8
    SHA512: 9dfcd1c03883e395b4df952268b7e191c552c0fce09872ca635d7ddd1cbab82ee0d480b7228b05ada7c2e213b1bade082028e518db6d8a0991c183fe8714a954
  • C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs
    Filesize: 484B
    MD5: e58bbf8a443357deec120118e9012cda
    SHA1: 13ccf73017b1c75fb1c195e0eeb1c43a91b27755
    SHA256: 5a5fa79e436ef958414a57805b27386fbc1bff0408daa4ec5eb1c45ce8a9fd6a
    SHA512: 0d9300a67e8f0cf63067f82fd9524d98bbbdeb08ae7e7c4bfb603f05005fedcc5e16bc5d87618dbaf48c6b67af9a2f309c154ba063356acfefe537b91ab8fa1b
  • C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat
    Filesize: 197B
    MD5: ca588823d919b2c368bbe0abd91b4d4c
    SHA1: 498ce3983860bdf5b7db789aabda875bb829a4e9
    SHA256: 463f9623efa5410bcc500deb60bc7bae514f71e0e204b6cf6ca98b227fb0d2bc
    SHA512: 11b29f7b6c82be653a1f74cfeb6205402ad2900ea4d0615f4b98ef4608bba728cdf8dadd44f39763eedc43bdde29d8f09a1ba3fdc8930f09add24dc959e85349
  • memory/1004-21-0x00000000027F0000-0x00000000027FA000-memory.dmp (Filesize: 40KB)
  • memory/1004-24-0x000000001BF80000-0x000000001C4A8000-memory.dmp (Filesize: 5.2MB)
  • memory/1004-17-0x0000000002720000-0x0000000002728000-memory.dmp (Filesize: 32KB)
  • memory/1004-18-0x0000000002730000-0x0000000002740000-memory.dmp (Filesize: 64KB)
  • memory/1004-19-0x00000000027D0000-0x00000000027D8000-memory.dmp (Filesize: 32KB)
  • memory/1004-20-0x00000000027E0000-0x00000000027F0000-memory.dmp (Filesize: 64KB)
  • memory/1004-15-0x0000000002700000-0x000000000271C000-memory.dmp (Filesize: 112KB)
  • memory/1004-22-0x0000000002800000-0x000000000280C000-memory.dmp (Filesize: 48KB)
  • memory/1004-23-0x0000000002810000-0x0000000002822000-memory.dmp (Filesize: 72KB)
  • memory/1004-16-0x0000000002820000-0x0000000002870000-memory.dmp (Filesize: 320KB)
  • memory/1004-25-0x0000000002890000-0x000000000289C000-memory.dmp (Filesize: 48KB)
  • memory/1004-26-0x00000000028A0000-0x00000000028AC000-memory.dmp (Filesize: 48KB)
  • memory/1004-28-0x000000001B3A0000-0x000000001B3AE000-memory.dmp (Filesize: 56KB)
  • memory/1004-27-0x00000000028B0000-0x00000000028BA000-memory.dmp (Filesize: 40KB)
  • memory/1004-29-0x000000001B3B0000-0x000000001B3B8000-memory.dmp (Filesize: 32KB)
  • memory/1004-14-0x00000000027B0000-0x00000000027BE000-memory.dmp (Filesize: 56KB)
  • memory/1004-12-0x00007FFD76643000-0x00007FFD76645000-memory.dmp (Filesize: 8KB)
  • memory/1004-13-0x00000000004F0000-0x0000000000692000-memory.dmp (Filesize: 1.6MB)
  • memory/4396-45-0x000000001B7F0000-0x000000001B802000-memory.dmp (Filesize: 72KB)
  • memory/4396-55-0x000000001C480000-0x000000001C4CB000-memory.dmp (Filesize: 300KB)