General

  • Target

    FIX.bat

  • Size

    4.7MB

  • Sample

    241030-x7deja1ngm

  • MD5

    840b55c4deeadd584747feeacb71111b

  • SHA1

    d0ab89817e7e4c9eef250d632ca035b02d06b082

  • SHA256

    2e1625d3a0354db4f9eca5eb63181d75b7dd08699481604a17ab86dfd76f8ebd

  • SHA512

    920ed71c2cafc21a91905a9eec9f5fa06d09a30c8d56ce0aa4b8a59d0d044670b73ecc3801c72cd64e6c788b6d299e0fdbed9b9f7b4ea06b114b82b4556cdeb7

  • SSDEEP

    49152:IBJNcIJz/f3SvXSRl5mHRbKdGm4C2oeacqu:yXcIJzQ2ylwtbeaK

Malware Config

Targets

    • Target

      FIX.bat

    • DcRat

      DarkCrystal (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory
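
The following is a host-side triage script added here as an example; it is not part of the sandbox report and not code from the sample. It checks a Windows host for the behaviours listed above: it hashes a suspect file against the report's SHA256, compares the Winlogon Shell and Userinit values against their stock defaults, enumerates Run/RunOnce keys and flags entries launching from user-writable paths, reads the GeoID the "computer location" check consults, and lists recently written executables in System32. The `$SamplePath` value, the user-writable path pattern and the 7-day System32 window are assumptions to adjust for the host being examined.

```powershell
# Added triage script (not part of the sandbox report): checks a Windows host for
# the persistence and geofence indicators reported for sample
# 2e1625d3a0354db4f9eca5eb63181d75b7dd08699481604a17ab86dfd76f8ebd (FIX.bat).
# Run in an elevated PowerShell session on the host being triaged.

$KnownSha256 = '2e1625d3a0354db4f9eca5eb63181d75b7dd08699481604a17ab86dfd76f8ebd'
$SamplePath  = 'C:\Users\Public\FIX.bat'   # placeholder assumption; point at the file under test

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Hash check against the report's SHA256 (Get-FileHash returns upper-case hex).
if (Test-Path -LiteralPath $SamplePath) {
    $h = (Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256).Hash.ToLower()
    if ($h -eq $KnownSha256) { $Findings.Add("HASH MATCH: $SamplePath is the reported DcRat sample") }
    else                     { $Findings.Add("hash mismatch for $SamplePath ($h)") }
}

# 2. "Modifies WinLogon for persistence": Shell and Userinit are the values malware
#    rewrites to run at logon. Compare against the stock Windows defaults
#    (note the trailing comma on Userinit; -ne is case-insensitive in PowerShell).
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
$wl = Get-ItemProperty -Path $Winlogon
foreach ($name in $Expected.Keys) {
    $actual = $wl.$name
    if ($actual -ne $Expected[$name]) {
        $Findings.Add("WINLOGON $name modified: '$actual' (expected '$($Expected[$name])')")
    }
}

# 3. "Adds Run key to start application": list every Run/RunOnce entry from the
#    machine and current-user hives and flag entries that launch from user-writable
#    directories, where a dropped RAT binary typically lives. The pattern is an
#    assumption; extend it for paths in use on the host.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$SuspectPathPattern = '(?i)\\(Users|ProgramData|Temp|AppData)\\'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata properties
        $flag = if ($p.Value -match $SuspectPathPattern) { 'SUSPECT' } else { 'info' }
        $Findings.Add("$flag RUN ${key}\$($p.Name) = $($p.Value)")
    }
}

# 4. "Checks computer location settings": the country code read by such checks is
#    the GeoID stored under HKCU\Control Panel\International\Geo (value Nation).
#    Record it so the analyst knows which region this host presents to a geofence.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($geo) { $Findings.Add("GEO Nation (GeoID) = $($geo.Nation)") }

# 5. "Drops file in System32 directory": list recently written executables and
#    scripts in System32 for comparison with the sandbox's dropped-file list.
#    The 7-day window is an assumption; widen it to the suspected infection window.
$Cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff -and $_.Extension -match '^\.(exe|dll|bat|cmd|vbs|ps1)$' } |
    ForEach-Object { $Findings.Add("SYSTEM32 recent write: $($_.FullName) ($($_.LastWriteTime))") }

$Findings | ForEach-Object { Write-Output $_ }
```

Lines prefixed `SUSPECT` or `WINLOGON` warrant immediate follow-up; `info` and `SYSTEM32` lines are context for comparing against the sandbox's dropped-file and registry activity, since a legitimate Windows update also writes to System32 within any given window.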

MITRE ATT&CK Enterprise v15

Tasks