Analysis

  • max time kernel
    134s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 05:54

General

  • Target

    Nursultan.exe

  • Size

    1.4MB

  • MD5

    04dd1f99162ef231ab0c9d28d181e9d2

  • SHA1

    af9cb52510704981a6e3daeae61c617d711366ef

  • SHA256

    c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086

  • SHA512

    701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614

  • SSDEEP

    24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1245420777592062054/saI81XWOLJi1mJiEEt2FK-cyIKsq2Ayc-BlexWZ-2Fj0plrNSjRsNmF63M5uf5r_C7a0

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe

    Filesize

    303KB

    MD5

    bf315b4f45ed1773fcf9384a004df664

    SHA1

    728d338d4889c1a92d4d5df7a8afb0bf2d4e73b1

    SHA256

    8cd6840512dac2770f4960ed7e4291bbe6b655b5905f4bb751c9383ba827a822

    SHA512

    f0b2cff9469f8935e0012ae68711d655c7d6d563f242da14565f153591f3d0d281c31123a99c913262915fb76cf3c2a027642bf43ff69b27289640c7e3339b6a

  • memory/1968-13-0x00007FF816413000-0x00007FF816415000-memory.dmp

    Filesize

    8KB

  • memory/1968-12-0x000001BA99AC0000-0x000001BA99B12000-memory.dmp

    Filesize

    328KB

  • memory/1968-40-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

    Filesize

    10.8MB

  • memory/1968-45-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

    Filesize

    10.8MB

  • memory/1996-11-0x0000000000400000-0x0000000000572000-memory.dmp

    Filesize

    1.4MB