General
-
Target
ddea9b5a1f17983048d1cd11bae94bdf
-
Size
3.0MB
-
Sample
240325-nrn2naed79
-
MD5
ddea9b5a1f17983048d1cd11bae94bdf
-
SHA1
fe8624e9b4556935b96a6d418680d236b0edc3aa
-
SHA256
7e4a32495bf612f02d618faf6558d0e214e3b9d0f6ba520aedfbd022fa12166d
-
SHA512
d46edd04eba4b7a5bb4d3518746077dfd5f98872043510f995002e0cfd13130e9e0bc25a4368ed80390f6d879a6f6367e20677d9ca86af5a2557dc552964fa1d
-
SSDEEP
49152:UbA30mALm8Yh9RN0IrSRKEcRPAU9w0VzOl1awnoN5rJsFzIMuczH:UbrBY5N0IrSsEcRb+l9OZ0kM7j
Static task
static1
Behavioral task
behavioral1
Sample
ddea9b5a1f17983048d1cd11bae94bdf.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ddea9b5a1f17983048d1cd11bae94bdf.exe
Resource
win10v2004-20240226-en
Malware Config
Targets
-
-
Target
ddea9b5a1f17983048d1cd11bae94bdf
-
Size
3.0MB
-
MD5
ddea9b5a1f17983048d1cd11bae94bdf
-
SHA1
fe8624e9b4556935b96a6d418680d236b0edc3aa
-
SHA256
7e4a32495bf612f02d618faf6558d0e214e3b9d0f6ba520aedfbd022fa12166d
-
SHA512
d46edd04eba4b7a5bb4d3518746077dfd5f98872043510f995002e0cfd13130e9e0bc25a4368ed80390f6d879a6f6367e20677d9ca86af5a2557dc552964fa1d
-
SSDEEP
49152:UbA30mALm8Yh9RN0IrSRKEcRPAU9w0VzOl1awnoN5rJsFzIMuczH:UbrBY5N0IrSsEcRb+l9OZ0kM7j
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2