General

  • Target

    9sUsHji0MKVo7U2RZ9gX14M.exe

  • Size

    1MB

  • Sample

    230127-d1ymcahg2t

  • MD5

    199ccc5abc45dd2c45831f1de72bb58a

  • SHA1

    d832e8a52a971432fc575088e37831faec7008f2

  • SHA256

    a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84

  • SHA512

    9f5b808d0d7a2cc09f5455f0090abb763d47d53dea18be3f5e2d44bb2eead80e6934491f13f7def2e17e1e3b89b2103fc122c337adf7243d5b9876e001bf67fc

  • SSDEEP

    12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

Targets

    • Target

      9sUsHji0MKVo7U2RZ9gX14M.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2