General

  • Target

    13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe

  • Size

    1.6MB

  • Sample

    240523-bhgj1afh4y

  • MD5

    a0fc62e3b7ee3716781698677ef0a315

  • SHA1

    679ee9e6c503af58943768fac7801a0c85149728

  • SHA256

    13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc

  • SHA512

    6d5f5cde273aebea5e97561c94e3a068e3b966dc0d8455d90f0bedcefbe2cd888457c60f639e77cdd3e6bd2b79b45fe1467f6eded81ddaf92ff6fde1bd2ba30b

  • SSDEEP

    49152:BI3GKRB71HIfHaM+j4av2JIZF9YvOaXdFi:qPRB5HISGauJIn95eo

Malware Config

Targets

    • Target

      13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe

    • Size

      1.6MB

    • MD5

      a0fc62e3b7ee3716781698677ef0a315

    • SHA1

      679ee9e6c503af58943768fac7801a0c85149728

    • SHA256

      13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc

    • SHA512

      6d5f5cde273aebea5e97561c94e3a068e3b966dc0d8455d90f0bedcefbe2cd888457c60f639e77cdd3e6bd2b79b45fe1467f6eded81ddaf92ff6fde1bd2ba30b

    • SSDEEP

      49152:BI3GKRB71HIfHaM+j4av2JIZF9YvOaXdFi:qPRB5HISGauJIn95eo

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Tasks