General

  • Target

    sigmasoft3.exe

  • Size

    12.8MB

  • Sample

    241111-vvc7wsvrdk

  • MD5

    aa456e4c575655fe9bb3c77802001a79

  • SHA1

    56fcf170358da522c856fad9c9baea64ea90d04c

  • SHA256

    eff428d886d5836082ce5d6ea48af9a2fd411188a8be54f7f67ff3d9ba557a44

  • SHA512

    1f05f12ba147258c388791689b678fab42a09cef555493753f06cbc1e388ebeebab902599bf644d01bf52d0d9a85a33ad70bc39669df2ceb32f9740219fe0c38

  • SSDEEP

    196608:ZqwbT2PrGWsSWCSHhINEDIGMVIiSmY1EYKq59YNh0tMGEy/WAKfK6EaK6pMo:lSPVPSHFDIDOb5NtMjy/yfK66c

Malware Config

Targets

    • Target

      sigmasoft3.exe

    • Size

      12.8MB

    • MD5

      aa456e4c575655fe9bb3c77802001a79

    • SHA1

      56fcf170358da522c856fad9c9baea64ea90d04c

    • SHA256

      eff428d886d5836082ce5d6ea48af9a2fd411188a8be54f7f67ff3d9ba557a44

    • SHA512

      1f05f12ba147258c388791689b678fab42a09cef555493753f06cbc1e388ebeebab902599bf644d01bf52d0d9a85a33ad70bc39669df2ceb32f9740219fe0c38

    • SSDEEP

      196608:ZqwbT2PrGWsSWCSHhINEDIGMVIiSmY1EYKq59YNh0tMGEy/WAKfK6EaK6pMo:lSPVPSHFDIDOb5NtMjy/yfK66c

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks