Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 04:02
Behavioral task: behavioral1
- Sample: NursultanLoader.exe
- Resource: win11-20240426-en
General
- Target: NursultanLoader.exe
- Size: 1.5MB
- MD5: 5841e08c36ee75ba2d4002507ceb9be8
- SHA1: c679478e7041b2c3f0659403e87dc1bf011e7f2c
- SHA256: 85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056
- SHA512: 2fdd014e5c128e7bb6112cc3facf50dd413dbb7d9e705d7c3b21dd0a9d4717281d1bdb62bf416ed1e651bea8177db3d3ae0b3ac6ba729e0eb9010e694d8d7744
- SSDEEP: 24576:U2G/nvxW3Ww0tQ++c2ARnuEWKoBc07UfctVGE9KnBvENv2ONSStxU:UbA30PiLKoJ5tsHnBMQgSStu
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (9 instances)
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3576 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 3144 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 3144 | schtasks.exe
-
Processes:
  resource | yara_rule
  C:\SavesDllcommon\fontsaves.exe | dcrat
  behavioral1/memory/4464-13-0x0000000000EA0000-0x0000000000FD2000-memory.dmp | dcrat
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: fontsaves.exe, conhost.exe, Delete System32.exe, Meatspin_FULL.exe
  pid | process
  4464 | fontsaves.exe
  3224 | conhost.exe
  2644 | Delete System32.exe
  2624 | Meatspin_FULL.exe
-
Drops file in Program Files directory 3 IoCs
Processes: fontsaves.exe
  description | ioc | process
  File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe | fontsaves.exe
  File created | C:\Program Files\VideoLAN\VLC\skins\fonts\ebf1f9fa8afd6d | fontsaves.exe
  File created | C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe | fontsaves.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (9 instances)
  pid | process
  4860 | schtasks.exe
  2028 | schtasks.exe
  844 | schtasks.exe
  1104 | schtasks.exe
  1696 | schtasks.exe
  4932 | schtasks.exe
  2708 | schtasks.exe
  3576 | schtasks.exe
  4128 | schtasks.exe
-
Modifies registry class 2 IoCs
Processes: NursultanLoader.exe, fontsaves.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | NursultanLoader.exe
  Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | fontsaves.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: fontsaves.exe, conhost.exe
  pid | process
  4464 | fontsaves.exe (3 occurrences)
  3224 | conhost.exe (9 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: conhost.exe
  pid | process
  3224 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: fontsaves.exe, conhost.exe, AUDIODG.EXE
  description | pid | process
  Token: SeDebugPrivilege | 4464 | fontsaves.exe
  Token: SeDebugPrivilege | 3224 | conhost.exe
  Token: 33 | 3160 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3160 | AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: Delete System32.exe
  pid | process
  2644 | Delete System32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: Delete System32.exe
  pid | process
  2644 | Delete System32.exe (3 occurrences)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: NursultanLoader.exe, WScript.exe, cmd.exe, fontsaves.exe, cmd.exe, conhost.exe
  description | pid | process | target process
  PID 2056 wrote to memory of 3148 | 2056 | NursultanLoader.exe | WScript.exe (3 occurrences)
  PID 3148 wrote to memory of 4076 | 3148 | WScript.exe | cmd.exe (3 occurrences)
  PID 4076 wrote to memory of 4464 | 4076 | cmd.exe | fontsaves.exe (2 occurrences)
  PID 4464 wrote to memory of 724 | 4464 | fontsaves.exe | cmd.exe (2 occurrences)
  PID 724 wrote to memory of 3508 | 724 | cmd.exe | w32tm.exe (2 occurrences)
  PID 724 wrote to memory of 3224 | 724 | cmd.exe | conhost.exe (2 occurrences)
  PID 3224 wrote to memory of 2644 | 3224 | conhost.exe | Delete System32.exe (3 occurrences)
  PID 3224 wrote to memory of 2624 | 3224 | conhost.exe | Meatspin_FULL.exe (2 occurrences)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  PID: 2056
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3148
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4076
      - C:\SavesDllcommon\fontsaves.exe
        Command line: "C:\SavesDllcommon\fontsaves.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 4464
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0s5aAbSAde.bat"
          Signatures: Suspicious use of WriteProcessMemory
          PID: 724
          - C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 3508
          - C:\SavesDllcommon\conhost.exe
            Command line: "C:\SavesDllcommon\conhost.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 3224
            - C:\Users\Admin\AppData\Local\Temp\Delete System32.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\Delete System32.exe"
              Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
              PID: 2644
            - C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"
              Signatures: Executes dropped EXE
              PID: 2624
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 4860
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 3576
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 4128
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\SavesDllcommon\services.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 844
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 1104
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 2028
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\SavesDllcommon\conhost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 1696
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 4932
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
  PID: 2708
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E4
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 3160
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat
  Filesize: 33B
  MD5: 0a9ef172b5e9daeb9c3366842676eac9
  SHA1: 18ce47e6f7a7dc2a4c0882a7fa1e69bc91f22cd2
  SHA256: 4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6
  SHA512: dc1985d420f4d7058529acd1afce2bd9e047f95074a3f12ca0923903bb3dab615fb938464d6a75adfd4a890aa3eeda9797c13bfb867bb02e02945af3c108d563
- C:\SavesDllcommon\fontsaves.exe
  Filesize: 1.2MB
  MD5: 73ace1b8b0f1b1c088f11ee29b13ae6b
  SHA1: 4b7fa04aacb5a23ab37b9caaee8f852a1bd33bbc
  SHA256: 8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614
  SHA512: 1e13cc8ac20c9e10cd13f78cb54e75b23ad255d1601d45ee78770f3cb74fe5e9bb3e84d8ca8f7c44659365da45a79b72be85d6433a8bbbac79b925839cc7e4d1
- C:\SavesDllcommon\gdNhr8l.vbe
  Filesize: 216B
  MD5: 67750c3e2cc7970484d8e1f3e95c4454
  SHA1: b4a6e933dfda3db9a2663798f421a2b06a0c5b35
  SHA256: a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655
  SHA512: d794c9fdc99334fe3627d03e63e41d67a6f47e5b1601eb3c4c9cd037dd6b74c238e3bd8510c7755fd4e6f366b140bf9b82d6fbe734237ee8d44de51a193c1fa9
- C:\Users\Admin\AppData\Local\Temp\0s5aAbSAde.bat
  Filesize: 194B
  MD5: b3033fea848da45648728ca002c3589c
  SHA1: dc32ffa87b9600a386fd8df265458b7bc94090f7
  SHA256: 1dce24f4212eea77aec6fcea662f27bb6a36b4f57dd4de6723ba32652a1b7f84
  SHA512: 010588168c9ac2988388bc28ba7da91015291ce6bb1d83b3b925f682b7966fc93eb7d2da7dcb39652ca2c19023cf5ab47856d0917950caeac403e3bc9be76676
- C:\Users\Admin\AppData\Local\Temp\Delete System32.exe
  Filesize: 500KB
  MD5: 07a9f858f9867f52163d7cec3bd899e3
  SHA1: d7feae9f88b807606b747a27ac95ede57b2615f5
  SHA256: 0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca
  SHA512: e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30
- C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
  Filesize: 3.8MB
  MD5: 137c1b0243beb35b6a0b6dbe632dc341
  SHA1: b710da533d9a33f4d7fc78d317bbcee8dc95826d
  SHA256: 86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab
  SHA512: 49ee75b71223ed47ae81a089247ff3002d50f70ede8e57af42f73745bbf7cb8ee7c71c1ab5da9d967fbe0b2f9de5dad70f4a7f4cfe44ba104d5a60be53eccabf
- memory/2624-109-0x00000109406F0000-0x0000010940736000-memory.dmp
  Filesize: 280KB
- memory/2624-110-0x000001093FC90000-0x000001093FC99000-memory.dmp
  Filesize: 36KB
- memory/2624-111-0x000001093FCC0000-0x000001093FCCD000-memory.dmp
  Filesize: 52KB
- memory/2624-112-0x000001093FDE0000-0x000001093FDFE000-memory.dmp
  Filesize: 120KB
- memory/2624-113-0x000001093FE00000-0x000001093FE0B000-memory.dmp
  Filesize: 44KB
- memory/2624-103-0x00000109253A0000-0x0000010925764000-memory.dmp
  Filesize: 3.8MB
- memory/3224-35-0x000000001B990000-0x000000001B99D000-memory.dmp
  Filesize: 52KB
- memory/3224-37-0x000000001B9A0000-0x000000001B9AB000-memory.dmp
  Filesize: 44KB
- memory/3224-36-0x000000001C3A0000-0x000000001C3BE000-memory.dmp
  Filesize: 120KB
- memory/3224-34-0x000000001B450000-0x000000001B459000-memory.dmp
  Filesize: 36KB
- memory/3224-33-0x000000001C350000-0x000000001C396000-memory.dmp
  Filesize: 280KB
- memory/4464-16-0x000000001BD80000-0x000000001BD96000-memory.dmp
  Filesize: 88KB
- memory/4464-17-0x000000001BC40000-0x000000001BC4C000-memory.dmp
  Filesize: 48KB
- memory/4464-15-0x000000001BDD0000-0x000000001BE20000-memory.dmp
  Filesize: 320KB
- memory/4464-14-0x000000001BD60000-0x000000001BD7C000-memory.dmp
  Filesize: 112KB
- memory/4464-13-0x0000000000EA0000-0x0000000000FD2000-memory.dmp
  Filesize: 1.2MB
- memory/4464-12-0x00007FFDEFC33000-0x00007FFDEFC35000-memory.dmp
  Filesize: 8KB