General
-
Target
1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec
-
Size
1.4MB
-
Sample
241003-yrz42atfnq
-
MD5
df365761d04b057e79cb34dba2948779
-
SHA1
ef39221e6bfb8f9a1fea95045286b479b858d2f0
-
SHA256
1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec
-
SHA512
48a3ce4223dd4ceaee82738f1834f0f18c6b4e0b12a8a2a71b8fb06e9bf5a750e152fcca165a250357c884ad44dd85f78e6e34bf5407877a4ece78f07e90216b
-
SSDEEP
24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV
Behavioral task
behavioral1
Sample
1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec.exe
Resource
win7-20240903-en
Malware Config
Targets
-
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Scheduled Task (1)