General
-
Target
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
-
Size
1.8MB
-
Sample
241113-v8nwjsvrhz
-
MD5
a1b557c65fa59d8f91138e5cd4f0053e
-
SHA1
94139bac4ae269f6d38f5c7946475855a71c659d
-
SHA256
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126
-
SHA512
bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee
-
SSDEEP
49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMhX:mgVTVXYNX9mOWSkMp
Behavioral task
behavioral1
Sample
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Resource
win7-20241010-en
Malware Config
Targets
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Scheduled Task (1)