General

  • Target

    Speedy.exe

  • Size

    160KB

  • Sample

    240721-x4j3xatapl

  • MD5

    7b9610cdb99b9973810e3e25e2548ba9

  • SHA1

    776ecee620560f31d35fbd9894737e7b4133d29a

  • SHA256

    1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096

  • SHA512

    29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660

  • SSDEEP

    3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub

Malware Config

Targets

    • Target

      Speedy.exe

    • Size

      160KB

    • MD5

      7b9610cdb99b9973810e3e25e2548ba9

    • SHA1

      776ecee620560f31d35fbd9894737e7b4133d29a

    • SHA256

      1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096

    • SHA512

      29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660

    • SSDEEP

      3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

MITRE ATT&CK Enterprise v15

Tasks