General
-
Target
start.bat
-
Size
3.1MB
-
Sample
240723-s17mkszfme
-
MD5
faad04bd754af1b4cf0dac950ced5183
-
SHA1
a057726d0dbc0bf945dba25b64bd6219bdf524cf
-
SHA256
7288a50308189b135503011afbd1a1901c5fc12b2c0112a04669b77e357652f0
-
SHA512
2f01c46d1b2e12d74d4b28d05d876db86f6698d5bf650d0307df9b4f86ad50d393e3f4cdb3f340207fcf93b219a480664e862a3614816e4433adee92f2fa4437
-
SSDEEP
49152:ubA3j/NccgP+LV+bHQ8LivEm9IkmJ571CPw/e18gbyP0rnWaF:ubUKcHsXivBIkmf1JS8iznWaF
Behavioral task
behavioral1
Sample
start.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
start.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
start.bat
-
Size
3.1MB
-
MD5
faad04bd754af1b4cf0dac950ced5183
-
SHA1
a057726d0dbc0bf945dba25b64bd6219bdf524cf
-
SHA256
7288a50308189b135503011afbd1a1901c5fc12b2c0112a04669b77e357652f0
-
SHA512
2f01c46d1b2e12d74d4b28d05d876db86f6698d5bf650d0307df9b4f86ad50d393e3f4cdb3f340207fcf93b219a480664e862a3614816e4433adee92f2fa4437
-
SSDEEP
49152:ubA3j/NccgP+LV+bHQ8LivEm9IkmJ571CPw/e18gbyP0rnWaF:ubUKcHsXivBIkmf1JS8iznWaF
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1