General

Target: solarainstall_protected.sfx.exe
Size: 2.2MB
Sample: 240712-xj8krswckp
MD5: 2e78f45ee035005c4ce1d58d9535699c
SHA1: f47d6b17eb086f6d0981239024c36c3c42797cf6
SHA256: 1ecc88c3383a10354a21e49252687fe284e4ed1732d8702d116260107f97f80c
SHA512: 810d609bcc48a3d5d501ca7003d0453a259b91904e961b83acdfc95341156a17bb67c34acf1e8f40cc167416918eac92ed7851bb80a3358b166a31b5a5d9bfea
SSDEEP: 49152:1Djlabwz9CSSBy+Libs8MBBWvYwPedqYxeJJUKluGmphTcRf:ZqwAPBHLzB8vRPuqYGJPlthJ
Static task: static1
Behavioral task: behavioral1; Sample: solarainstall_protected.sfx.exe; Resource: win7-20240705-en
Behavioral task: behavioral2; Sample: solarainstall_protected.sfx.exe; Resource: win10v2004-20240709-en
Malware Config
Targets
- solarainstall_protected.sfx.exe (2.2MB; hashes identical to those listed under General above)
Score: 10/10

Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)