General

  • Target

    Flawless_spoofer.exe

  • Size

    6.3MB

  • Sample

    241230-mjt29sxmfs

  • MD5

    38e709ac517d614b056920c080a7d894

  • SHA1

    656bb142eb343e050f2dacf600ec2af401313961

  • SHA256

    8f28bbf73966b57562935bbed85ce019ea10fd5a51373f302e4f7da063e262f4

  • SHA512

    38eda11cfb8bb964408a9329d69d397f9949ad1d709c7cb2a286161ac1e130c0643ce694ea566923fc3452f66016e8ab1be3cc7b0e4881fde3eb10cad0959f1e

  • SSDEEP

    98304:Dj6iFuhCq2QyII+6s03cMB0iPmsTN8o1FJaCjV08QqIOzk6wvAwCAYgYLbeuRrKD:chqI3zMxPvTN8oPJbVjcOzkPALzde

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks