Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 08:54
Behavioral task: behavioral1
Sample: NursultanClient.exe
Resource: win10v2004-20240508-en
General
Target: NursultanClient.exe
Size: 1.1MB
MD5: 81764a893234dd183185eb894c547a14
SHA1: 12cc7b4fd75bddaa99e98e87bbae70624e64407f
SHA256: d7481cac8734f08d95bacc6aba8c846bc29edb591be84d85d2440a0f45dbba74
SHA512: 2b4c183378aa9c4bc38df76463ba76eebfeee32ccfe0642e87a28dd0eaa092de53b4ff1231414961510553ecc1ef7b3635507884ec249d566791886ff3fcc0a5
SSDEEP: 24576:U2G/nvxW3Ww0tQLbd7h6mxmtPKx6YBxAF6Ez0e:UbA30QLxwtjd
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime. Both the dropped payload on disk and its image in memory match the dcrat YARA rule.
Processes:
yara_rule  resource
dcrat      C:\comcontainerWebmonitorsvc\msComref.exe
dcrat      behavioral1/memory/2632-25-0x0000000000460000-0x0000000000536000-memory.dmp (msComref.exe, PID 2632)

Process spawned unexpected child process 9 IoCs
The sandbox raises this when a process that normally has no children starts one; it typically means the parent was exploited or ran a macro. Here the parent is the WMI provider host, WmiPrvSE.exe (PID 4548). A WmiPrvSE.exe parent is what results when a process is started through WMI (Win32_Process.Create); the report does not show which process made that WMI call, but all nine children are schtasks.exe /create invocations for the dropped copies, so they belong to the sample's persistence setup rather than to a compromised WMI host.
Processes:
pid   parent (pid)                                  process       note
3168  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
3144  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
4048  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
1428  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
2100  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
1648  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
1084  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
1124  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
3924  C:\Windows\system32\wbem\wmiprvse.exe (4548)  schtasks.exe  parent is not expected to spawn this process
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, which can indicate geofencing. Caveat: the same value is read by WScript.exe, a stock Windows binary, so in this run the read looks like ordinary locale initialization rather than a deliberate geofence check by the sample; treat the signature as weak on its own.
Processes:
operation          key                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  NursultanClient.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  msComref.exe
Executes dropped EXE 2 IoCs
Processes:
pid   process
2632  msComref.exe
2532  smss.exe

Drops file in Program Files directory 3 IoCs
Processes:
operation                     path                                                             process
File created                  C:\Program Files (x86)\Windows Portable Devices\upfc.exe         msComref.exe
File opened for modification  C:\Program Files (x86)\Windows Portable Devices\upfc.exe         msComref.exe
File created                  C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115   msComref.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. Caveat: the only process doing so here is taskmgr.exe (PID 2680), a Task Manager instance that is a separate root in the process tree and was not spawned by the sample; reading disk FriendlyName values is normal Task Manager behaviour, so this signature should not be attributed to the sample.
Processes:
operation          key                                                                                                                                                 process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                    taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                       taskmgr.exe
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The nine tasks follow the same pattern for each of the three dropped copies (upfc.exe, msComref.exe, smss.exe): one ONLOGON task with /rl HIGHEST, one MINUTE-interval task, and a second MINUTE-interval task with the same name and /rl HIGHEST that overwrites the first (all use /f). The intervals are 9 to 14 minutes, so a deleted copy is recreated and relaunched within minutes.
Processes:
pid   process       task name  trigger                  target
3168  schtasks.exe  upfcu      every 14 min             C:\Program Files (x86)\Windows Portable Devices\upfc.exe
3144  schtasks.exe  upfc       ONLOGON, /rl HIGHEST     C:\Program Files (x86)\Windows Portable Devices\upfc.exe
4048  schtasks.exe  upfcu      every 14 min, /rl HIGHEST  C:\Program Files (x86)\Windows Portable Devices\upfc.exe
1428  schtasks.exe  msComrefm  every 10 min             C:\Recovery\WindowsRE\msComref.exe
2100  schtasks.exe  msComref   ONLOGON, /rl HIGHEST     C:\Recovery\WindowsRE\msComref.exe
1648  schtasks.exe  msComrefm  every 13 min, /rl HIGHEST  C:\Recovery\WindowsRE\msComref.exe
1084  schtasks.exe  smsss      every 9 min              C:\comcontainerWebmonitorsvc\smss.exe
1124  schtasks.exe  smss       ONLOGON, /rl HIGHEST     C:\comcontainerWebmonitorsvc\smss.exe
3924  schtasks.exe  smsss      every 12 min, /rl HIGHEST  C:\comcontainerWebmonitorsvc\smss.exe

Modifies registry class 2 IoCs
Processes:
operation    key                                                                                  process
Key created  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings  NursultanClient.exe
Key created  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings  msComref.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
pid   process       hits
2680  taskmgr.exe   30
2632  msComref.exe  2
2532  smss.exe      9
The taskmgr.exe hits are Task Manager refreshing its process list; only the msComref.exe and smss.exe entries are attributable to the sample.

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2532  smss.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
token                       pid   process
SeDebugPrivilege            2680  taskmgr.exe
SeSystemProfilePrivilege    2680  taskmgr.exe
SeCreateGlobalPrivilege     2680  taskmgr.exe
SeDebugPrivilege            2632  msComref.exe
SeDebugPrivilege            2532  smss.exe
33                          2680  taskmgr.exe
SeIncBasePriorityPrivilege  2680  taskmgr.exe
33                          4536  AUDIODG.EXE
SeIncBasePriorityPrivilege  4536  AUDIODG.EXE
taskmgr.exe and AUDIODG.EXE are outside the sample's process chain; the entries that matter are SeDebugPrivilege being enabled by msComref.exe (2632) and smss.exe (2532).

Suspicious use of FindShellTrayWindow 55 IoCs
Processes:
pid   process      hits
2680  taskmgr.exe  55
Task Manager UI activity, not attributable to the sample.

Suspicious use of SendNotifyMessage 55 IoCs
Processes:
pid   process      hits
2680  taskmgr.exe  55
Task Manager UI activity, not attributable to the sample.

Suspicious use of WriteProcessMemory 14 IoCs
Processes:
source pid  source process       target pid  target process  writes
1684        NursultanClient.exe  4152        WScript.exe     3
4152        WScript.exe          448         cmd.exe         3
448         cmd.exe              2632        msComref.exe    2
2632        msComref.exe         4516        cmd.exe         2
4516        cmd.exe              3464        w32tm.exe       2
4516        cmd.exe              2532        smss.exe        2
Every write goes from a parent into the child it is launching and matches the process tree below, i.e. the memory setup that accompanies process creation, not injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API (ITaskService) can be used to schedule applications to run at boot, at logon or at set times without invoking schtasks.exe, so task creation through it leaves no schtasks.exe process to detect; the sample uses both paths.
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe  "C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe"  (PID 1684)
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe"  (PID 4152; the System32 path is redirected to SysWOW64, so the parent is a 32-bit process)
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\comcontainerWebmonitorsvc\QCOFmH7q.bat" "  (PID 448)
      - Suspicious use of WriteProcessMemory
      C:\comcontainerWebmonitorsvc\msComref.exe  "C:\comcontainerWebmonitorsvc\msComref.exe"  (PID 2632)
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"  (PID 4516)
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (PID 3464; polling localhost with w32tm is used as a short delay before the next stage is launched)
          C:\comcontainerWebmonitorsvc\smss.exe  "C:\comcontainerWebmonitorsvc\smss.exe"  (PID 2532; named after the Session Manager but running from the drop directory)
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe  "C:\Windows\system32\taskmgr.exe" /4  (PID 2680; separate root, not spawned by the sample)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f  (PID 3168; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f  (PID 3144; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f  (PID 4048; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /f  (PID 1428; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msComref" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f  (PID 2100; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f  (PID 1648; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f  (PID 1084; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f  (PID 1124; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f  (PID 3924; parent WmiPrvSE.exe 4548)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\AUDIODG.EXE  C:\Windows\system32\AUDIODG.EXE 0x2cc 0x494  (PID 4536; audio device graph host, unrelated to the sample)
  - Suspicious use of AdjustPrivilegeToken
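The process tree above is the evidence behind the "Process spawned unexpected child process" and "Creates scheduled task(s)" signatures. The following triage script is an added example written for this page, not code from the sandbox or from DcRat. It runs over process-creation events constructed from the tree (the tuple layout pid, ppid, parent image, image, command line and the LOOKALIKE name list are assumptions, not a real log format) and flags the four things that make this chain suspicious: schtasks.exe launched under WmiPrvSE.exe, /create targets outside C:\Windows or impersonating System32 binaries with short MINUTE triggers and /rl HIGHEST, the w32tm /stripchart delay trick, and a smss.exe running from a non-system directory. A Task Manager event is included as a benign control.

```python
"""Triage process-creation events for DcRat-style scheduled-task persistence.

Added example for this page; not part of the sandbox report or of DcRat.
Event tuples are constructed from the report's process tree. The field layout
and the LOOKALIKE list are assumptions to be tuned for a real log source.
"""
import re

# (pid, ppid, parent image, image, command line) -- constructed from the report.
# The Task Manager parent PID and image are assumptions (the report does not show them).
EVENTS = [
    (3168, 4548, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f"""),
    (3144, 4548, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f"""),
    (1084, 4548, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f"""),
    (3464, 4516, r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
     r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2532, 4516, r"C:\Windows\System32\cmd.exe", r"C:\comcontainerWebmonitorsvc\smss.exe",
     r'"C:\comcontainerWebmonitorsvc\smss.exe"'),
    (2680, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\system32\taskmgr.exe",
     r'"C:\Windows\system32\taskmgr.exe" /4'),  # benign control
]

# schtasks options we care about; values are either "quoted" or a bare token.
OPT_RE = re.compile(r'/(tn|tr|sc|mo|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Names of System32 binaries that dropped copies impersonate (assumption: extend as needed).
LOOKALIKE = {"smss.exe", "csrss.exe", "svchost.exe", "lsass.exe", "upfc.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def parse_schtasks(cmdline):
    """Return /tn, /tr, /sc, /mo and /rl of a schtasks command line, unquoted.
    The /tr value is also stripped of the single quotes DcRat wraps the path in."""
    opts = {"create": "/create" in cmdline.lower()}
    for m in OPT_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")
    return opts


def triage_event(pid, ppid, parent, image, cmdline):
    """Return the list of findings for one process-creation event."""
    findings = []
    img = basename(image)
    if img == "schtasks.exe":
        if basename(parent) == "wmiprvse.exe":
            findings.append("schtasks.exe started by the WMI provider host")
        opts = parse_schtasks(cmdline)
        target = opts.get("tr", "")
        if opts["create"] and target:
            name = opts.get("tn", "?")
            if not target.lower().startswith("c:\\windows\\"):
                findings.append(f"task {name!r} runs a binary outside C:\\Windows: {target}")
            if basename(target) in LOOKALIKE and not in_system_dir(target):
                findings.append(f"task {name!r} target impersonates {basename(target)}")
            mo = opts.get("mo", "1")  # schtasks defaults /mo to 1 when omitted
            if opts.get("sc", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= 15:
                findings.append(f"task {name!r} relaunches every {mo} minute(s)")
            if opts.get("rl", "").upper() == "HIGHEST":
                findings.append(f"task {name!r} requests highest run level")
    low = cmdline.lower()
    if img == "w32tm.exe" and "/stripchart" in low and "localhost" in low:
        findings.append("w32tm /stripchart against localhost used as a delay loop")
    if img in LOOKALIKE and not in_system_dir(image):
        findings.append(f"{img} running from non-system path {image}")
    return findings


def triage(events):
    """Map PID -> findings for every event that raised at least one."""
    report = {}
    for ev in events:
        hits = triage_event(*ev)
        if hits:
            report[ev[0]] = hits
    return report


if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid)
        for hit in hits:
            print("   ", hit)
```

The Task Manager event produces no findings, which is the point of including it: the heuristics key on parent, target path and trigger rather than on "a system binary name appeared", so a real System32 binary run from its real path stays quiet while a copy of smss.exe in C:\comcontainerWebmonitorsvc does not.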
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat
Filesize: 202B
MD5: 4cfb60f96ca7582df30ff07b83ee88d9
SHA1: 42b20cdc612153b2486fc5fc5843260e62554db2
SHA256: 93392efb627c655a6e671097972d2f4e61c97d00e8e83e6892414004b6f1cb08
SHA512: fa01de79ab5ad3c3205621755862b48751a63af6fd3b72cef193859d50e7f12f65c97ab859ddb592541620e0d1c67b1aeaa31c345b2d77ff51fdda2bba29fea4

C:\comcontainerWebmonitorsvc\QCOFmH7q.bat
Filesize: 43B
MD5: 1f04f28016b88fe0c71d5d7be904d0ce
SHA1: f22967304324283edd54468044e9b90617bcf3a0
SHA256: 194e7d5c20652a0a19a2c47f8018750b1f01484902253b80199c8fef8464d2c6
SHA512: c799facb2e2c3cbdd63a6d5208656895ee758681c99fda5bc11eaaddef0444a5c66b2129b99f4220520948735239d98a90bb74cd12ca2db7b266249b9e95f0bf

C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe
Filesize: 210B
MD5: 5bd22e3a313a58c06fb058125c190ff1
SHA1: b78f042be1130c3e7e53b1a6b307d81b04db7d1a
SHA256: 678960f5a802c56907c17696dcf24032de0af466fc51c52acfc073acafdbf796
SHA512: 9763aa6e18836687a35d864b11d5b393e5a894b9b2b2b0f807a2be09a3293629682b9a1203e9dc923f08cdbdb8d6b48f09eb1ea66fbe2b656b5debfa721727e8

C:\comcontainerWebmonitorsvc\msComref.exe
Filesize: 826KB
MD5: 7c8a8de9865281c8407416e925b3f891
SHA1: 694341cbce25fca3ae33579ca5a9afbd7c255b3e
SHA256: dcf3590f05eb0b79fda8788f177a40432efee3c860a793ebaf84f47b40eb98a6
SHA512: 46310a4675974226fbb4bb7ce522888aa58bed2147b658a8321fafbddc21f971c82c968d1de01334913c05c0d38ba62b6fb28ac5bd3d0a9fb588bc02c3f12aba

Memory dumps:
memory/2532-41-0x000000001C570000-0x000000001C594000-memory.dmp  Filesize: 144KB  (smss.exe, PID 2532)
memory/2532-42-0x000000001C6E0000-0x000000001C78A000-memory.dmp  Filesize: 680KB  (smss.exe, PID 2532)
memory/2632-25-0x0000000000460000-0x0000000000536000-memory.dmp  Filesize: 856KB  (msComref.exe, PID 2632; matches the dcrat YARA rule)
memory/2680-8-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-9-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-10-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-14-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-15-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-16-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-17-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-18-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-19-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)
memory/2680-20-0x000001EC135A0000-0x000001EC135A1000-memory.dmp  Filesize: 4KB  (taskmgr.exe, PID 2680)