General

  • Target

    aab1b9a9dea62afb4301db8a84d1c254c8fdf988795aecc54167ee865d11cd15N

  • Size

    1.5MB

  • Sample

    241004-wtjhysycrl

  • MD5

    84e777a87eebd1ceee7f42b45f04d8a0

  • SHA1

    b199913b455fbe80bd3649cb2c19143f81d2b4cd

  • SHA256

    aab1b9a9dea62afb4301db8a84d1c254c8fdf988795aecc54167ee865d11cd15

  • SHA512

    06bf41792565f9dbf8134154299a7ddf7a77cfad94db4c04a079779347ae1e37e475c2c35fadc8bada677bb2bbfd3d1e2efd9cf03050c0cf930b94c824418ea9

  • SSDEEP

    24576:VbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:BEi6GDAQORcwW5/oBjme81

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks