General

  • Target

    NEAS.0354534622a7e7ce7f1b17a165be77b7dc56173f29e8533689913eb65f81f22eexe.exe

  • Size

    5.9MB

  • Sample

    231204-tny1cace3z

  • MD5

    1bfa99da4638bd06a51ae85edea23529

  • SHA1

    8a66eac74b538ad04701fca825ffe619b361b728

  • SHA256

    0354534622a7e7ce7f1b17a165be77b7dc56173f29e8533689913eb65f81f22e

  • SHA512

    26e0011e1ad6417bd37f89694a4cff537ba38a95cd6ba95066b625b7890954d5f644529902095ecc3042a84f13433b1cd89f2324be699306fd11b48f2d0b82e7

  • SSDEEP

    98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4:ByeU11Rvqmu8TWKnF6N/1w

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
