General
-
Target
025e30c61b7b2498e8f2dd87b3b088b7.exe
-
Size
3.0MB
-
Sample
240623-w8wf3ayelg
-
MD5
025e30c61b7b2498e8f2dd87b3b088b7
-
SHA1
1411ef009403157d133143286ab26f7b50b728e3
-
SHA256
2f77a20ba2eacdaf74acc2be52db30061d378a817ea3ac1812ef1c95f23f735e
-
SHA512
f058bfb9e8dbb624e8f9f146fb8845a390ce823d170b102e02d83ae5cb66499656b65b6361bf4202a2ff4c2bc12e8b59af9a68626b67c6ba15ce6a1a500c4b45
-
SSDEEP
49152:PbA3SIbQ5o1OkYYkX00FvTYeCZIqJcbTDtJmbrIdJzj:PbiQ5OkbY/ATDtJdJH
Behavioral task
behavioral1
Sample
025e30c61b7b2498e8f2dd87b3b088b7.exe
Resource
win7-20240611-en
Malware Config
Targets
-
-
Target
025e30c61b7b2498e8f2dd87b3b088b7.exe
-
Size
3.0MB
-
MD5
025e30c61b7b2498e8f2dd87b3b088b7
-
SHA1
1411ef009403157d133143286ab26f7b50b728e3
-
SHA256
2f77a20ba2eacdaf74acc2be52db30061d378a817ea3ac1812ef1c95f23f735e
-
SHA512
f058bfb9e8dbb624e8f9f146fb8845a390ce823d170b102e02d83ae5cb66499656b65b6361bf4202a2ff4c2bc12e8b59af9a68626b67c6ba15ce6a1a500c4b45
-
SSDEEP
49152:PbA3SIbQ5o1OkYYkX00FvTYeCZIqJcbTDtJmbrIdJzj:PbiQ5OkbY/ATDtJdJH
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1