General

  • Target

    025e30c61b7b2498e8f2dd87b3b088b7.exe

  • Size

    3.0MB

  • Sample

    240623-w8wf3ayelg

  • MD5

    025e30c61b7b2498e8f2dd87b3b088b7

  • SHA1

    1411ef009403157d133143286ab26f7b50b728e3

  • SHA256

    2f77a20ba2eacdaf74acc2be52db30061d378a817ea3ac1812ef1c95f23f735e

  • SHA512

    f058bfb9e8dbb624e8f9f146fb8845a390ce823d170b102e02d83ae5cb66499656b65b6361bf4202a2ff4c2bc12e8b59af9a68626b67c6ba15ce6a1a500c4b45

  • SSDEEP

    49152:PbA3SIbQ5o1OkYYkX00FvTYeCZIqJcbTDtJmbrIdJzj:PbiQ5OkbY/ATDtJdJH

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks