General
-
Target
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
-
Size
1.3MB
-
Sample
240701-bg71kavcnj
-
MD5
48c2137034bee9bdfc2c9df1e71e9e04
-
SHA1
573e8453bc08e2b4e8e65b8560d81b150a9acdd8
-
SHA256
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
-
SHA512
5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
-
SSDEEP
24576:q0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdS:qGy/3dSnEYFJvxS
Behavioral task
behavioral1
Sample
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Resource
win7-20240508-en
Malware Config
Targets
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)