General
Target: Modrinth Installer.exe
Size: 6.5MB
Sample: 240712-1slzxatgpb
MD5: 124f705cc900497e5c22f722847e40d9
SHA1: 6bfb2abf3a823b022f916bc6bb57ed6e6e35e297
SHA256: 2fc4ef6300f161e225e614aa3dbeacbf3547e30e16dbdb0f217db7365d08f1a0
SHA512: abb80868d9dd04f831daea8906959bb3ebf2d617a5078c7c0c551cff434aa4e223f0e951b543371aa6d10e2830b795c58e1c438d97dbd0482fa6ee278fd7bcb5
SSDEEP: 196608:ZCXpj/HMlS2JxmYcmcg7XGqb6Msq51GPg:+LslSDVoXGe1G4
Behavioral task
behavioral1
Sample: Modrinth Installer.exe
Resource: win10-20240404-en
Malware Config
Targets
Target: Modrinth Installer.exe
Size: 6.5MB
MD5: 124f705cc900497e5c22f722847e40d9
SHA1: 6bfb2abf3a823b022f916bc6bb57ed6e6e35e297
SHA256: 2fc4ef6300f161e225e614aa3dbeacbf3547e30e16dbdb0f217db7365d08f1a0
SHA512: abb80868d9dd04f831daea8906959bb3ebf2d617a5078c7c0c551cff434aa4e223f0e951b543371aa6d10e2830b795c58e1c438d97dbd0482fa6ee278fd7bcb5
SSDEEP: 196608:ZCXpj/HMlS2JxmYcmcg7XGqb6Msq51GPg:+LslSDVoXGe1G4
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Event Triggered Execution: Component Object Model Hijacking. Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry. System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)