Resubmissions

23-10-2024 02:31

241023-czs5ssydnj 10

23-10-2024 02:28

241023-cygelsxakf 10

General

  • Target

    PedikClient.exe

  • Size

    1.7MB

  • Sample

    241023-czs5ssydnj

  • MD5

    28d6347c722e5cac5ae9245b16d4754c

  • SHA1

    45a79b7368ec79516ab1772188bec1b36c43d498

  • SHA256

    eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1

  • SHA512

    643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181

  • SSDEEP

    49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15

Malware Config

Targets

    • Target

      PedikClient.exe

    • Size

      1.7MB

    • MD5

      28d6347c722e5cac5ae9245b16d4754c

    • SHA1

      45a79b7368ec79516ab1772188bec1b36c43d498

    • SHA256

      eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1

    • SHA512

      643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181

    • SSDEEP

      49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks