Analysis
max time kernel: 134s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 05:54
General
Target: Nursultan.exe
Size: 1.4MB
MD5: 04dd1f99162ef231ab0c9d28d181e9d2
SHA1: af9cb52510704981a6e3daeae61c617d711366ef
SHA256: c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086
SHA512: 701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614
SSDEEP: 24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW
Malware Config
Extracted
family: 44caliber
webhook: https://discord.com/api/webhooks/1245420777592062054/saI81XWOLJi1mJiEEt2FK-cyIKsq2Ayc-BlexWZ-2Fj0plrNSjRsNmF63M5uf5r_C7a0
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  resource: behavioral1/memory/1996-11-0x0000000000400000-0x0000000000572000-memory.dmp
  yara_rule: dcrat
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: Nursultan.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1968  Process: Insidious.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 7  ioc: freegeoip.app
  flow: 8  ioc: freegeoip.app
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid: 1968  Process: Insidious.exe
  pid: 1968  Process: Insidious.exe
  pid: 1968  Process: Insidious.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 1968  Process: Insidious.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description: PID 1996 wrote to memory of 1968  pid: 1996  Process: Nursultan.exe  procid_target: 83
  description: PID 1996 wrote to memory of 1968  pid: 1996  Process: Nursultan.exe  procid_target: 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1996
   2. C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 303KB
MD5: bf315b4f45ed1773fcf9384a004df664
SHA1: 728d338d4889c1a92d4d5df7a8afb0bf2d4e73b1
SHA256: 8cd6840512dac2770f4960ed7e4291bbe6b655b5905f4bb751c9383ba827a822
SHA512: f0b2cff9469f8935e0012ae68711d655c7d6d563f242da14565f153591f3d0d281c31123a99c913262915fb76cf3c2a027642bf43ff69b27289640c7e3339b6a