General

  • Target

    20ec8d347f674ebadc53399ef6aa49cb.exe

  • Size

    3.4MB

  • Sample

    231207-anb12ahha5

  • MD5

    20ec8d347f674ebadc53399ef6aa49cb

  • SHA1

    f418d228eb276f216b4986b55b2c762d11991a31

  • SHA256

    9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

  • SHA512

    e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

  • SSDEEP

    49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15