General

  • Target

    Element.bat

  • Size

    1.4MB

  • Sample

    250328-xw29hssjt2

  • MD5

    adbe8f67d479b99bcd29824cf1f2a54c

  • SHA1

    a6a61e93fc60ab956114653b388d96a83d5fad04

  • SHA256

    579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2

  • SHA512

    a88607580eb3848a990388e74e00402b594c437e0f732e16136feaba812a5ea47424eedfa3357af5ef70353a251a241e81636c21ada2504dc41d5526797239e7

  • SSDEEP

    24576:u2G/nvxW3WieCNKvNRRk656mvI/1mBnUjJB4j3ST6rlcAqpJ/jko:ubA3jNgT60qjJGCTAqxrN

Malware Config

Targets

    • Target

      Element.bat

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example through an exploit or a malicious document macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that dropped components are not scanned.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain regions).

    • Executes dropped EXE

    • Adds Run key to start application
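
The behaviours above translate directly into host-side detection logic. The following Python script is an added example, not part of this report or of any sandbox's own signature set: it parses a handful of constructed Sysmon-style events (process creation, registry value written, registry value read; none are taken from the actual run) and flags the PowerShell Defender-exclusion command, Winlogon Shell/Userinit tampering, Run-key persistence, the Geo\Nation location lookup, and a shell spawned by a document-handling parent. The event format, the registry paths, the default Winlogon values and the set of document-handling parents are assumptions chosen for the example.

```python
"""Detection logic for the behaviours listed in this report, run over
constructed Sysmon-style events. Added example: the events, registry
paths and default values below are assumptions, not data from the run."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed events (NOT from the sandbox run).
# Format: kind|image|parent_image|detail
#   proc      detail = command line
#   regset    detail = key\value=data
#   regquery  detail = key\value
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe"
    "|cmd.exe /c C:\\Users\\victim\\Downloads\\Element.bat",
    "proc|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\cmd.exe"
    "|powershell -NoP -W Hidden -C \"Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming'"
    " -ExclusionExtension '.exe' -ExclusionProcess 'svchost.exe'\"",
    "regset|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|"
    "|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"
    "=C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\svchost.exe",
    "regset|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|"
    "|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
    "=C:\\Users\\victim\\AppData\\Roaming\\svchost.exe",
    "regquery|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|"
    "|HKCU\\Control Panel\\International\\Geo\\Nation",
    # Benign: Winlogon Shell left at its default value, must not fire.
    "regset|C:\\Windows\\System32\\svchost.exe|"
    "|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell=explorer.exe",
    # A shell launched by a document-handling application (macro / exploit pattern).
    "proc|C:\\Windows\\System32\\cmd.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|cmd /c start stage2.exe",
]

# Assumed registry locations and defaults used by the rules below.
WINLOGON_KEY = r"\currentversion\winlogon"            # suffix of the Winlogon key (lower-cased)
WINLOGON_DEFAULTS = {                                  # expected values; anything else is tampering
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
GEO_VALUE = r"\control panel\international\geo\nation"  # country code consulted for geofencing
MP_EXCLUSION_RE = re.compile(r"\b(add|set)-mppreference\b.*?-exclusion(path|extension|process)", re.I)
EXCLUSION_KIND_RE = re.compile(r"-exclusion(path|extension|process)", re.I)
# Assumed: document handlers that should never spawn a script host or shell.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    kind: str
    image: str
    parent: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one pipe-separated constructed event line."""
    kind, image, parent, detail = line.split("|", 3)
    return Event(kind, image, parent, detail)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every behaviour the event exhibits."""
    hits: list[tuple[str, str]] = []
    if ev.kind == "proc":
        exe = basename(ev.image)
        # Command and Scripting Interpreter: PowerShell adding Defender exclusions.
        if exe in ("powershell.exe", "pwsh.exe") and MP_EXCLUSION_RE.search(ev.detail):
            kinds = sorted({m.group(1).lower() for m in EXCLUSION_KIND_RE.finditer(ev.detail)})
            hits.append(("defender_exclusion", ",".join(kinds)))
        # Process spawned unexpected child process (document handler -> shell).
        if basename(ev.parent) in DOC_PARENTS and exe in SHELLS:
            hits.append(("unexpected_child", f"{basename(ev.parent)} -> {exe}"))
    elif ev.kind == "regset":
        path, _, data = ev.detail.partition("=")
        key, _, name = path.rpartition("\\")
        lkey, lname, ldata = key.lower(), name.lower(), data.lower().strip()
        # Modifies WinLogon for persistence: Shell/Userinit differs from its default.
        if lkey.endswith(WINLOGON_KEY) and lname in WINLOGON_DEFAULTS:
            if ldata.rstrip(",") != WINLOGON_DEFAULTS[lname].rstrip(","):
                hits.append(("winlogon_persistence", f"{name}={data}"))
        # Adds Run key to start application.
        if RUN_KEY_RE.search(lkey):
            hits.append(("run_key", f"{name}={data}"))
    elif ev.kind == "regquery":
        # Checks computer location settings.
        if ev.detail.lower().endswith(GEO_VALUE):
            hits.append(("location_check", ev.detail))
    return hits


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Run every rule over every event; returns (event_index, rule, detail)."""
    findings = []
    for idx, line in enumerate(lines):
        for rule, detail in check_event(parse_event(line)):
            findings.append((idx, rule, detail))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The Winlogon rule compares against the expected default rather than matching any write, because legitimate installers and Windows itself rewrite those values; the trailing comma Windows appends to Userinit is stripped before comparison so that a benign default does not fire. On a real host the same rules would be fed from Sysmon event IDs 1 (process creation), 13 (registry value set) and a registry-query source, and the Defender rule should also be paired with a periodic Get-MpPreference audit of the exclusion lists themselves.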

MITRE ATT&CK Enterprise v15

Tasks