General

  • Target

    resgsadasdfdsfg

  • Size

    1.5MB

  • Sample

    231121-byf86sbd62

  • MD5

    ede4907e2e08f2a03d8474a337f327f5

  • SHA1

    2f63cd0d5eb437f0589d5bf0f7d41a1e996c7b84

  • SHA256

    176d5faa1225bebbed48f5692b62ff6389bcf5a6e1d498bedabba2d09d6fa7c4

  • SHA512

    e1e5814a36296baa7d5cdb6a5ec0ca60070ad347b77acac7b037a4241ead699fce315c07cbc3dc029af688a538d900251a07e551207466526111b90da3dad80a

  • SSDEEP

    24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • UAC bypass

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks