Overview

overview

10

Static

static

10

DefenderSm...en.exe

windows7-x64

10

DefenderSm...en.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DefenderSmartScreen.exe

  • Size

    1.4MB

  • Sample

    220830-cp2n7abdh4

  • MD5

    5d66bae46d9759662f2309dc9bb8d2cc

  • SHA1

    bd553872c196f31bc879555ae9f68dca5a337ba7

  • SHA256

    47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

  • SHA512

    18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

  • SSDEEP

    24576:9PV32MblP1ol19heoF6heWOeWlERO6XmN/DipYrkJDF:/324okobWyl3N/Di4k

Score
10/10
dcratdiscoveryevasionexploitinfostealerratspywarestealertrojan

Malware Config

Targets

    • Target

      DefenderSmartScreen.exe

    • Size

      1.4MB

    • MD5

      5d66bae46d9759662f2309dc9bb8d2cc

    • SHA1

      bd553872c196f31bc879555ae9f68dca5a337ba7

    • SHA256

      47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

    • SHA512

      18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

    • SSDEEP

      24576:9PV32MblP1ol19heoF6heWOeWlERO6XmN/DipYrkJDF:/324okobWyl3N/Di4k

    Score
    10/10
    dcratevasioninfostealerrattrojandiscoveryexploitspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

4
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks