General
-
Target
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735
-
Size
2.7MB
-
Sample
240516-2mlbvscc32
-
MD5
7ad154df9a5863b8e5746eeec2398fc2
-
SHA1
98beff0b44c2ca64d7a1064665204d5560ad866a
-
SHA256
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735
-
SHA512
44e8663348256a71d390da068cdf78ffe33a2b39ad63e6204120b0a5f11884b0fe403cab2f8c4b88ad81a913d850017d4437a8bde85cb20f0f00d009ec05a044
-
SSDEEP
49152:SH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:SHfE5Ad8Xd295UmGc
Behavioral task
behavioral1
Sample
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735
-
Size
2.7MB
-
MD5
7ad154df9a5863b8e5746eeec2398fc2
-
SHA1
98beff0b44c2ca64d7a1064665204d5560ad866a
-
SHA256
565c5795f041536f8d72f4b1f62543f26109908b238617c20cb98542dbab3735
-
SHA512
44e8663348256a71d390da068cdf78ffe33a2b39ad63e6204120b0a5f11884b0fe403cab2f8c4b88ad81a913d850017d4437a8bde85cb20f0f00d009ec05a044
-
SSDEEP
49152:SH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:SHfE5Ad8Xd295UmGc
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects executables packed with SmartAssembly
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)