Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 20:58

General

  • Target

    SolaraBostrappers.exe

  • Size

    1.5MB

  • MD5

    fb027065b10cd311473a1a7e5aa24005

  • SHA1

    91fec287f958e62ce18fc1342b7f33ebd35cf0be

  • SHA256

    4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec

  • SHA512

    e21f788281896c9363df1e0e34c6dc11b06aa9bd9c0d5d40bae5427b4f134bffe3a9cc546e0577159d0ba6f37ecba68c49d5bfde37eaf1b1beac36abc8cdaada

  • SSDEEP

    24576:U2G/nvxW3Ww0t2ciMa06q2YpE2yA/DFPxuBWBZCAO:UbA3021eyAbNMBWBch

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBostrappers.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBostrappers.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\yandex\YS77TPyYPKM.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\yandex\q9B7I.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\yandex\svhost.exe
          "C:\yandex\svhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\yandex\YS77TPyYPKM.vbe

    Filesize

    188B

    MD5

    114771a66f069797e6bb4b5915cde7b1

    SHA1

    a8cac5762a37fba89cf3f78e27abd3def8ede704

    SHA256

    7b2f2f7bbd31dd6432160076f350c66d1057eda24db930c3d8003cc264054012

    SHA512

    fa492f023c1a8241589e96a98e4bf2ef878970e0b8bd9351a22e1f5504d2cf32295bbee6e70a0866e63866c0599ba592dc3d5d6cde1ef07b95e823717cf36210

  • C:\yandex\q9B7I.bat

    Filesize

    22B

    MD5

    153f0ac93fba91426eb6bdfcc169cd53

    SHA1

    180794e0c53e11dae960dfe50b79fd71be867405

    SHA256

    6f9e82303d6c4913c5663b9b40fa02d9f7adbd50ca36f4b552c70e5c955841e7

    SHA512

    6763f247438ed76e7e4fbb8d08b9028f3d649d278cd16efa229791c299bd976e766bf912115d684d71291b5c1257f6878541bbb3d6c52e30229560166e999b48

  • \yandex\svhost.exe

    Filesize

    1.2MB

    MD5

    754dceb944cf505a0957e70370a972ef

    SHA1

    c16e4782f0f2f868deff74d4bc76b528162f1fcc

    SHA256

    2a9851860e7d245eadc3004f986afc3cec8c7bf2fc967fdfbca1e0a96b864efa

    SHA512

    ad1ace193fdc6ba8dba7c11dacc9afc5420efd7dc45a0994bec8d12952e806488b3156b8ec346e6f13b7f66e9b0890e65791eecb1ed574383ca73ed5ab2a4568

  • memory/2472-13-0x0000000001340000-0x000000000147A000-memory.dmp

    Filesize

    1.2MB

  • memory/2472-14-0x0000000000350000-0x000000000035E000-memory.dmp

    Filesize

    56KB

  • memory/2472-15-0x0000000000360000-0x000000000036E000-memory.dmp

    Filesize

    56KB