General

  • Target

    0924b9eca922c9227c4f426be5174bae.exe

  • Size

    4.8MB

  • Sample

    231207-bdx17aaaa9

  • MD5

    0924b9eca922c9227c4f426be5174bae

  • SHA1

    8d2abdecd0fc744ee836d75ad5c3b52585d8041f

  • SHA256

    e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8

  • SHA512

    47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2

  • SSDEEP

    49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
