General

  • Target

    minitool_partition_wizard_12.6_full.exe

  • Size

    130.4MB

  • Sample

    230323-ge6mlsdg55

  • MD5

    debc5f5b71f637030872b33caab64c0a

  • SHA1

    25a8f4f53e9ec1123d62427c6740e3250dae9282

  • SHA256

    a7f19f8d65bfd54fe1f8a5eb8c1a4a960361234046a56c176cd58c56919eec2c

  • SHA512

    3e6a4755de6353fff3b0dce1c9fc308df701acd0e5d5e9bcc6f5abc2c444edb85a3ba0bf5a1878e2b76b292b889538eda1e3f855fe7fad70b550c18939279821

  • SSDEEP

    3145728:uwYi3ZoPxT77M0XZeiYWe6LdSP5TKLc+S6k:ug3ZoZT7aWeGdu5T0Vk

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the number of matching signatures.

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Bypass User Account Control (T1088): 1
    Scheduled Task (T1053): 1

  • Defense Evasion

    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 3

  • Discovery

    Query Registry (T1012): 7
    System Information Discovery (T1082): 7
    Peripheral Device Discovery (T1120): 2

Tasks