General
-
Target
aa645d0afecfc51f0d86cac5fdcd8a5f6be3d1231532fd582ddecf7214ec3d2f
-
Size
2.7MB
-
Sample
240530-bvzlcahe7x
-
MD5
00885de1e26bc400dcb780eeae9fac98
-
SHA1
721c09a48674f7cfb8c02c95ff8e2365981c8174
-
SHA256
aa645d0afecfc51f0d86cac5fdcd8a5f6be3d1231532fd582ddecf7214ec3d2f
-
SHA512
7b182db613647af3e8888d822332e9b07bcda29e3d92d82bce102126ce8413e1488106040365b7cea422cc2fabf4d96a50c7ac4e1dfc88ff60f0239661b9d185
-
SSDEEP
49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc
Behavioral task
behavioral1
Sample
aa645d0afecfc51f0d86cac5fdcd8a5f6be3d1231532fd582ddecf7214ec3d2f.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
aa645d0afecfc51f0d86cac5fdcd8a5f6be3d1231532fd582ddecf7214ec3d2f.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
Target
aa645d0afecfc51f0d86cac5fdcd8a5f6be3d1231532fd582ddecf7214ec3d2f
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Modifies Winlogon registry values for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executable is obfuscated/packed with SmartAssembly (.NET obfuscator)
-
Command and Scripting Interpreter: PowerShell
PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that Defender skips them.
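As an added example (not code from the sandbox, the report, or the sample), the following Python detector scans process command lines for the Defender-exclusion behaviour flagged above. It goes beyond the plain cmdlet case: it also unpacks a base64 -EncodedCommand payload (PowerShell encodes these as UTF-16LE) and catches the direct reg.exe route into the Exclusions registry key. The command lines it scans are constructed for the example and are not from this run.

```python
"""Flag command lines that add Windows Defender exclusions.

Added example for this report; not code from the sandbox or from the sample.
It handles Add-/Set-MpPreference with -ExclusionPath/-Extension/-Process,
a base64 -EncodedCommand payload (UTF-16LE), and the direct registry route
(reg add ...\\Windows Defender\\Exclusions\\...).  The command lines below are
constructed to resemble a process-creation feed; they are not from the sample.
"""
import base64
import re

# -e/-ec/-enc/-EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Only Add-/Set-MpPreference change preferences; Get-MpPreference only reads them.
PREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Parameter name plus its value list, up to the next -Parameter, ';', '|' or end of line.
PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+(.+?)(?=\s+-[A-Za-z]|\s*[;|]|\s*$)",
    re.IGNORECASE,
)
# reg.exe writing straight into the Exclusions key (same effect, no cmdlet).
REG_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\b.*?/v\s+(\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)
REG_KINDS = {"paths": "path", "extensions": "extension", "processes": "process"}

SAMPLE_COMMAND_LINES = [
    # Constructed: cmdlet form, two quoted paths, then -Force as the next parameter.
    'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svchost.exe", '
    '"C:\\ProgramData\\update" -Force',
    # Constructed: two cmdlets in one -c script block, separated by ';'.
    "powershell.exe -ep bypass -c \"Set-MpPreference -ExclusionExtension '.exe','.dll'; "
    "Add-MpPreference -ExclusionProcess svchost.exe\"",
    # Constructed: registry route with reg.exe instead of the cmdlet.
    'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" '
    "/v C:\\ProgramData\\update /t REG_DWORD /d 0 /f",
    # Constructed benign line: reads preferences, adds nothing.
    "powershell.exe -Command Get-MpPreference",
]
# Constructed: the same cmdlet hidden behind -EncodedCommand (base64 of UTF-16LE text).
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Windows\\Temp'".encode("utf-16le")
).decode("ascii")
SAMPLE_COMMAND_LINES.append(f"powershell.exe -nop -w hidden -enc {_ENCODED}")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _split_values(raw):
    """Turn "'a','b'", @('a','b') or "a", "b" into a list of bare values."""
    raw = raw.strip()
    if raw.startswith("@(") and raw.endswith(")"):
        raw = raw[2:-1]
    return [v.strip().strip("'\"") for v in raw.split(",") if v.strip().strip("'\"")]


def find_defender_exclusions(cmdline):
    """Return [(kind, value), ...] for every exclusion the command line adds."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline} {decoded}"  # scan the visible line and the decoded script
    found = []
    if PREF_RE.search(text):
        for m in PARAM_RE.finditer(text):
            kind = m.group(1).lower().replace("exclusion", "")
            found.extend((kind, v) for v in _split_values(m.group(2)))
    for m in REG_RE.finditer(text):
        found.append((REG_KINDS[m.group(1).lower()], m.group(2).strip('"')))
    return found


def scan(cmdlines):
    """Map each command line that adds exclusions to the list it adds."""
    hits = {}
    for line in cmdlines:
        exclusions = find_defender_exclusions(line)
        if exclusions:
            hits[line] = exclusions
    return hits


if __name__ == "__main__":
    for line, exclusions in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{line[:60]:<60} -> {exclusions}")
```

Any exclusion whose value points into a user-writable location (Users\Public, ProgramData, Temp) is worth an immediate look, since those are exactly the paths a dropped payload lives in; a benign admin adding an exclusion for a vendor product directory is the usual false positive.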
-
Checks computer location settings
Looks up the country code configured in the registry, most likely a geofence check.
-
Executes dropped EXE
-
Adds Run key to start application
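The two registry persistence signatures in this list (the Winlogon modification above and the Run key here) can be checked with the same logic. The following is an added example in Python, not the sandbox's own detection code: it classifies Sysmon Event ID 13 (RegistryEvent, value set) records, flagging any value written under a Run/RunOnce key and a Winlogon Userinit or Shell value that differs from its stock default. The field names (TargetObject, Details, Image) are Sysmon's; the events themselves are constructed for the example and are not from this run.

```python
"""Flag registry writes that establish autostart persistence.

Added example for this report; not the sandbox's detection logic.  It assumes
Sysmon Event ID 13 (RegistryEvent, value set) records with the usual
TargetObject / Details / Image fields; the events below are constructed, not
taken from the sample's run.  Two cases are covered: any value written under
a Run/RunOnce key (Registry Run Keys, T1547.001) and a Winlogon Userinit or
Shell value that no longer holds its default (Winlogon Helper DLL, T1547.004).
"""
import re

# Sysmon writes HKCU paths as HKU\<SID>\...; fold them back to HKCU for matching.
USER_HIVE_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$",
    re.IGNORECASE,
)
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.IGNORECASE
)
# Stock values on a clean Windows install; anything appended is an injected loader.
WINLOGON_DEFAULTS = {
    "userinit": "C:\\Windows\\system32\\userinit.exe,",
    "shell": "explorer.exe",
}

SAMPLE_EVENTS = [
    # Constructed: dropped binary registers itself under the user's Run key.
    {"EventID": 13, "Image": "C:\\Users\\Public\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": "\"C:\\Users\\Public\\svchost.exe\""},
    # Constructed: Userinit gets a second executable appended after the stock one.
    {"EventID": 13, "Image": "C:\\Users\\Public\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
     "Details": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svchost.exe"},
    # Constructed benign: Shell rewritten with its default value (e.g. by an installer repair).
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe"},
    # Constructed benign: unrelated value under CurrentVersion.
    {"EventID": 13, "Image": "C:\\Program Files\\App\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App\\DisplayName",
     "Details": "App"},
    # Constructed: not a registry event at all (process creation).
    {"EventID": 1, "Image": "C:\\Users\\Public\\svchost.exe",
     "CommandLine": "C:\\Users\\Public\\svchost.exe"},
]


def normalise_key(target):
    """Map HKU\\<SID>\\... to HKCU\\... so user and machine hives hit the same rules."""
    return USER_HIVE_RE.sub(lambda _: "HKCU\\", target)


def classify_registry_event(event):
    """Return a finding dict for a persistence-relevant value set, else None."""
    if event.get("EventID") != 13:
        return None
    key = normalise_key(event["TargetObject"])
    details = event.get("Details", "").strip()
    if RUN_KEY_RE.search(key):
        return {"technique": "T1547.001", "key": key, "value": details, "image": event["Image"]}
    m = WINLOGON_RE.search(key)
    if m:
        name = m.group(1).lower()
        if details.lower() != WINLOGON_DEFAULTS[name].lower():
            return {"technique": "T1547.004", "key": key, "value": details, "image": event["Image"]}
    return None


def find_persistence(events):
    """Run the classifier over a list of events and keep the findings."""
    return [f for f in (classify_registry_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(f"{finding['technique']}  {finding['image']} -> {finding['key']} = {finding['value']}")
```

Comparing the Winlogon value against its default rather than just alerting on any write matters in practice: Windows components and installers legitimately rewrite Userinit and Shell with the stock value, and only an appended or replaced executable indicates the helper-DLL style hijack the signature refers to.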
-
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1