General

  • Target

    cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe

  • Size

    3.3MB

  • Sample

    240717-de1vkssgqp

  • MD5

    af4cd8f5b99d7e371a6ddd880aec1079

  • SHA1

    caba9083a0128266b477330c2e5d8874646a915d

  • SHA256

    cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20

  • SHA512

    c0fbb42b516c4a83a3dbeab47199fb603330929788008a314c222ec1585845a40538cd2f2b18ace200436beeed2b7428fe23fd9e19bb2f5a3f48939ab93432ff

  • SSDEEP

    98304:PbD91o0GWLMJo5sZB8MDJ2RZeeD+Gvl/ndA:PXbnGWLMTZyjnCg/i

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks