General

  • Target

    0915a0d7a9f49c50d34739af3c4337de.exe

  • Size

    10.0MB

  • Sample

    220925-cs1ajacgh2

  • MD5

    0915a0d7a9f49c50d34739af3c4337de

  • SHA1

    4cb12c36ba21062be37c3f589f8d2418405b1870

  • SHA256

    745289f6734583185e533aab1579ba1274150b062207d5d879d8c46a3dbc5188

  • SHA512

    baf2f42afdcd409848ad106c14ea5f1f088802580de7f026bc21b407f4eeab8759892fe30d5ed59b70e8a97588b9c0f067c90ff1bb4b0c52d90ab6fefb29b8ec

  • SSDEEP

    196608:YWkBzjZOGf4VlZREoSMOaV4PmnhDaEqvVVU/114/v6g:YWkhtOGfCWytB0tVU/Ng

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

  • Scheduled Task (T1053): 1

Defense Evasion

  • Bypass User Account Control (T1088): 1

  • Disabling Security Tools (T1089): 1

  • Modify Registry (T1112): 4

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 4

Tasks