General

  • Target

    8820b3ddaf80f2556aa77d51ebcc49edd49a67f221a3f0b706d55fe3f96f638c

  • Size

    1.4MB

  • Sample

    241003-yj75nsxaqg

  • MD5

    383c434239321daa6ddc7db5a806d13a

  • SHA1

    bae5d3345fda20382e2b0749c2c2289c6787fccc

  • SHA256

    8820b3ddaf80f2556aa77d51ebcc49edd49a67f221a3f0b706d55fe3f96f638c

  • SHA512

    50002b755ec06e73b32c1e12b921e10b307b289113efab898e28adb919892804a022952d34926a834845868afe02a18137032c286fca25323027071941f18615

  • SSDEEP

    24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV

Malware Config

Targets

    • Target

      8820b3ddaf80f2556aa77d51ebcc49edd49a67f221a3f0b706d55fe3f96f638c

    • Size

      1.4MB

    • MD5

      383c434239321daa6ddc7db5a806d13a

    • SHA1

      bae5d3345fda20382e2b0749c2c2289c6787fccc

    • SHA256

      8820b3ddaf80f2556aa77d51ebcc49edd49a67f221a3f0b706d55fe3f96f638c

    • SHA512

      50002b755ec06e73b32c1e12b921e10b307b289113efab898e28adb919892804a022952d34926a834845868afe02a18137032c286fca25323027071941f18615

    • SSDEEP

      24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Drops file in System32 directory
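The two behaviours above that leave the clearest host-side trace are the PowerShell call that adds Defender exclusions and PowerShell being spawned by an unexpected parent. The following is an added detection example, not part of this report and not code from the DCRat sample or the sandbox: it runs over a handful of constructed, hypothetical Windows events (Sysmon EID 1 process creation, Sysmon EID 13 registry value set, PowerShell EID 4104 script block logging) flattened to Key=Value lines, and flags Add-MpPreference/Set-MpPreference calls carrying an -ExclusionPath/-ExclusionExtension/-ExclusionProcess parameter, direct writes under the Windows Defender\Exclusions registry keys, and PowerShell launched from a binary in a user-writable directory. The log format, the field names and the sample events are assumptions for the example; the cmdlet, parameter and registry key names are the real Defender ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (hypothetical, not taken from the sandbox run on this page),
# flattened to "Key=Value" pairs. EventID 1 = Sysmon process creation,
# 13 = Sysmon registry value set, 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    r'''EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Users\Public\update.exe CommandLine="powershell -nop -w hidden -c Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionExtension exe"''',
    r'''EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionProcess "svchost.exe"''',
    r'''EventID=4104 ScriptBlockText=ADD-MPPREFERENCE -exclusionpath $env:APPDATA''',
    r'''EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public Details=DWORD (0x00000000)''',
    r'''EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell Get-MpPreference"''',
    r'''EventID=4104 ScriptBlockText=Set-MpPreference -ExclusionPath C:\Temp''',
]

# Key=Value pairs; a value is either double-quoted or runs until the next " Key=" or end of line.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')

# Both Add-MpPreference and Set-MpPreference accept the three -Exclusion* parameters.
# Case-insensitive because PowerShell is, which also covers the "ADD-MPPREFERENCE" case.
MP_EXCLUSION_CMDLET = re.compile(
    r'\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b',
    re.IGNORECASE)
# Registry location the cmdlets write to; direct writes here skip the cmdlet entirely.
DEFENDER_EXCLUSION_KEY = re.compile(
    r'\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\', re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r'\\(?:powershell|pwsh)\.exe$', re.IGNORECASE)
# Parent binaries living in user-writable locations are the "unexpected child process" case.
USER_WRITABLE_PARENT = re.compile(r'\\(?:Users|Temp|AppData|ProgramData)\\', re.IGNORECASE)


@dataclass
class Finding:
    event_id: str
    kind: str
    evidence: str


def parse_event(line: str) -> Dict[str, str]:
    """Flatten one Key=Value line into a dict, keeping quoted values intact."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def detect(event: Dict[str, str]) -> List[Finding]:
    """Return every finding for a single parsed event (an event may yield several)."""
    findings: List[Finding] = []
    eid = event.get('EventID', '')
    # Command line (EID 1) and script block (EID 4104) are checked with the same rule.
    text = event.get('CommandLine') or event.get('ScriptBlockText') or ''
    if MP_EXCLUSION_CMDLET.search(text):
        findings.append(Finding(eid, 'defender-exclusion-cmdlet', text))
    key = DEFENDER_EXCLUSION_KEY.search(event.get('TargetObject', ''))
    if eid == '13' and key:
        findings.append(Finding(eid, 'defender-exclusion-registry', key.group(1)))
    if (eid == '1' and POWERSHELL_IMAGE.search(event.get('Image', ''))
            and USER_WRITABLE_PARENT.search(event.get('ParentImage', ''))):
        findings.append(Finding(eid, 'powershell-from-user-writable-parent',
                                event['ParentImage']))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in detect(parse_event(line))]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f'[{f.event_id}] {f.kind}: {f.evidence}')
    print(summarize(hits))
```

The benign `Get-MpPreference` event is deliberately included and produces no finding; the registry rule exists because a sample that writes the exclusion keys directly, or through a tool other than PowerShell, would never trip the cmdlet rule.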

MITRE ATT&CK Enterprise v15