General
-
Target
Result.exe
-
Size
2.6MB
-
Sample
240711-xrzmtssemc
-
MD5
60e22c787775c994f3549a43d7405176
-
SHA1
de22c9522b5261859d9b1e013c6668c4aba026ce
-
SHA256
a9fdbf63fe9832ad7d17ba7adf9f18dc0523d365b17940ad606a0e3c601ee14c
-
SHA512
28aec7a11e32e9cc545e267b3e268e49897be4cc435ad907e9329ddc7757263d931bb9fd2bc278ae3e552ee0f4e193e9cc18256fc7f73b029946bc7e0f384283
-
SSDEEP
49152:0bA3jgNDL4jc0NKPvNVXhEeJiV4wo/ImFBojA1ji5x7:0b/5L4jVUnN/EaiV4jImFU5x
Behavioral task
behavioral1
Sample
Result.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Result.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
Result.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Result.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
Result.exe
-
Size
2.6MB
-
MD5
60e22c787775c994f3549a43d7405176
-
SHA1
de22c9522b5261859d9b1e013c6668c4aba026ce
-
SHA256
a9fdbf63fe9832ad7d17ba7adf9f18dc0523d365b17940ad606a0e3c601ee14c
-
SHA512
28aec7a11e32e9cc545e267b3e268e49897be4cc435ad907e9329ddc7757263d931bb9fd2bc278ae3e552ee0f4e193e9cc18256fc7f73b029946bc7e0f384283
-
SSDEEP
49152:0bA3jgNDL4jc0NKPvNVXhEeJiV4wo/ImFBojA1ji5x7:0b/5L4jVUnN/EaiV4jImFU5x
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1