Overview

overview

10

Static

static

10

NurikCrack...on.exe

windows7-x64

10

NurikCrack...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    938s
  • max time network
    940s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NurikCrackNewVersion.exe

  • Size

    1.1MB

  • MD5

    4b39d2785f3041d673495ecc36a95074

  • SHA1

    925f23e1e5b69b075728221874b54dc2ad2c7f65

  • SHA256

    9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772

  • SHA512

    44f75ea465ee52d9ead19330a9f4b82e7b2cc59d95e89547f85a5dc2af1139481fbeecb498edb7e68497820f1daf3c9f63d9a94fa536e91f63011603c9c31d4d

  • SSDEEP

    24576:P2G/nvxW3Wayt05h/1NDQNxDL5rNx5bhpC6TZ:PbA37yC5GVz9

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe
    "C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\netSvc\WsWYaVY80xOTEmwO5LX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\netSvc\Msproviderserver.exe
          "C:\netSvc\Msproviderserver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dc1PqBqq9g.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4180
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2672
              • C:\Program Files\Windows Multimedia Platform\csrss.exe
                "C:\Program Files\Windows Multimedia Platform\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\netSvc\1TCP8vvjtWtNky92sAt.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe
          3⤵
            PID:3520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\My Documents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\netSvc\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\netSvc\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\netSvc\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\netSvc\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\netSvc\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\netSvc\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1004
      • C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe
        "C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4156
      • C:\netSvc\conhost.exe
        C:\netSvc\conhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
      • C:\Users\Public\AccountPictures\upfc.exe
        C:\Users\Public\AccountPictures\upfc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Users\Default\My Documents\wininit.exe
        "C:\Users\Default\My Documents\wininit.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1168
      • C:\Windows\DiagTrack\Scenarios\TextInputHost.exe
        C:\Windows\DiagTrack\Scenarios\TextInputHost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3836
      • C:\netSvc\sysmon.exe
        C:\netSvc\sysmon.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe
        "C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
      • C:\Program Files\Windows Multimedia Platform\csrss.exe
        "C:\Program Files\Windows Multimedia Platform\csrss.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\netSvc\conhost.exe
        C:\netSvc\conhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
      • C:\Users\Public\AccountPictures\upfc.exe
        C:\Users\Public\AccountPictures\upfc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Recovery\WindowsRE\spoolsv.exe
        C:\Recovery\WindowsRE\spoolsv.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Users\Default\My Documents\wininit.exe
        "C:\Users\Default\My Documents\wininit.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1212

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
        Filesize

        1KB

        MD5

        baf55b95da4a601229647f25dad12878

        SHA1

        abc16954ebfd213733c4493fc1910164d825cac8

        SHA256

        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

        SHA512

        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Dc1PqBqq9g.bat
        Filesize

        219B

        MD5

        42976956ade5cc566251e39d5d8d7412

        SHA1

        926bb66255fa2c51e1eadff6f2bf89cb96b74944

        SHA256

        2f229175ea6341e99220d6a0f50b47ac01a64f04a05f29ffa59a1836d69261f5

        SHA512

        f47a572964e17a6c33f0e1628ee6cf21a7e21e441bcc9223f42970cb406024f5cc2c46fc99876f38dddf8be0f679b778b88094c2a4ec3c0cae1467cb2d5275a2

        Download Submit
      • C:\netSvc\1TCP8vvjtWtNky92sAt.bat
        Filesize

        13B

        MD5

        9e97eb7b4fe7e7b2978f9ebdf6896f2d

        SHA1

        cdccef4e71f279347ff25fea52f53d5b640b0aea

        SHA256

        9d89a31f0e7b7d9fe52bf475b00ffb9fe24ea28d0905229467ee072246bb413b

        SHA512

        8a50d83ac64ed0c96a1a4db4e18a909e93d108b0d35481340e6a829d914fad604b9a0ef860d902b978a475fd15e4dca304db6952aa51fe8cf2010c2319887c91

        Download Submit
      • C:\netSvc\Msproviderserver.exe
        Filesize

        827KB

        MD5

        4e4088d5176e77688154f64545051d8b

        SHA1

        3020231a4134839b3970c3cb10ed5d87ea174459

        SHA256

        046956b1eb9b2fc738698aa8222744b07c11e104e20a94d764ed7b1ac133fac0

        SHA512

        49599228d257f18aa2c0931569ea4eb917d0e793e30906940e521be6a5280580aee57bc96c62645a61241fb2843103da26fa3f443d7a724ceaaa4486c401d2a5

        Download Submit
      • C:\netSvc\WsWYaVY80xOTEmwO5LX.bat
        Filesize

        32B

        MD5

        e897bc8313657095107640d60d42da83

        SHA1

        803d583c033182a69af393bd1f239a2c23b76fb0

        SHA256

        5acdb6f1284aaa5e072c09bd68de498d21c344910ab2c2ccf83257305997c05f

        SHA512

        44d1d8ed11d4158cde19e7501fb2467e2c274f1a16f7e220d0ca163d8af8167582084954d5238b8c3485ebde903a24658dd608c9da1469a1864537f1cec26e1d

        Download Submit
      • C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe
        Filesize

        202B

        MD5

        d443149e014f135240a9aeca27fbfe1e

        SHA1

        3f541782e2333dc7aced3e77732f198ea37113cc

        SHA256

        bf426dcc90e02082ddaeee361aaa3deadd6249eed5156be07bd763086887793b

        SHA512

        8d3a16b1b608928f31ab6f0db12449dbb07b449e8a25647ebfb2671d9f12eb661b33a11b03f0c4771615f1afde3c70bde350df06d17a3273b4f1f5c064d5d381

        Download Submit
      • memory/2928-17-0x0000000000E40000-0x0000000000F16000-memory.dmp
        Filesize

        856KB

        Download