Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 08:54

General

  • Target

    NursultanClient.exe

  • Size

    1.1MB

  • MD5

    81764a893234dd183185eb894c547a14

  • SHA1

    12cc7b4fd75bddaa99e98e87bbae70624e64407f

  • SHA256

    d7481cac8734f08d95bacc6aba8c846bc29edb591be84d85d2440a0f45dbba74

  • SHA512

    2b4c183378aa9c4bc38df76463ba76eebfeee32ccfe0642e87a28dd0eaa092de53b4ff1231414961510553ecc1ef7b3635507884ec249d566791886ff3fcc0a5

  • SSDEEP

    24576:U2G/nvxW3Ww0tQLbd7h6mxmtPKx6YBxAF6Ez0e:UbA30QLxwtjd

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\comcontainerWebmonitorsvc\QCOFmH7q.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\comcontainerWebmonitorsvc\msComref.exe
          "C:\comcontainerWebmonitorsvc\msComref.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3464
              • C:\comcontainerWebmonitorsvc\smss.exe
                "C:\comcontainerWebmonitorsvc\smss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2532
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msComref" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3924
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2cc 0x494
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat
      Filesize

      202B

      MD5

      4cfb60f96ca7582df30ff07b83ee88d9

      SHA1

      42b20cdc612153b2486fc5fc5843260e62554db2

      SHA256

      93392efb627c655a6e671097972d2f4e61c97d00e8e83e6892414004b6f1cb08

      SHA512

      fa01de79ab5ad3c3205621755862b48751a63af6fd3b72cef193859d50e7f12f65c97ab859ddb592541620e0d1c67b1aeaa31c345b2d77ff51fdda2bba29fea4

    • C:\comcontainerWebmonitorsvc\QCOFmH7q.bat
      Filesize

      43B

      MD5

      1f04f28016b88fe0c71d5d7be904d0ce

      SHA1

      f22967304324283edd54468044e9b90617bcf3a0

      SHA256

      194e7d5c20652a0a19a2c47f8018750b1f01484902253b80199c8fef8464d2c6

      SHA512

      c799facb2e2c3cbdd63a6d5208656895ee758681c99fda5bc11eaaddef0444a5c66b2129b99f4220520948735239d98a90bb74cd12ca2db7b266249b9e95f0bf

    • C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe
      Filesize

      210B

      MD5

      5bd22e3a313a58c06fb058125c190ff1

      SHA1

      b78f042be1130c3e7e53b1a6b307d81b04db7d1a

      SHA256

      678960f5a802c56907c17696dcf24032de0af466fc51c52acfc073acafdbf796

      SHA512

      9763aa6e18836687a35d864b11d5b393e5a894b9b2b2b0f807a2be09a3293629682b9a1203e9dc923f08cdbdb8d6b48f09eb1ea66fbe2b656b5debfa721727e8

    • C:\comcontainerWebmonitorsvc\msComref.exe
      Filesize

      826KB

      MD5

      7c8a8de9865281c8407416e925b3f891

      SHA1

      694341cbce25fca3ae33579ca5a9afbd7c255b3e

      SHA256

      dcf3590f05eb0b79fda8788f177a40432efee3c860a793ebaf84f47b40eb98a6

      SHA512

      46310a4675974226fbb4bb7ce522888aa58bed2147b658a8321fafbddc21f971c82c968d1de01334913c05c0d38ba62b6fb28ac5bd3d0a9fb588bc02c3f12aba

    • memory/2532-42-0x000000001C6E0000-0x000000001C78A000-memory.dmp
      Filesize

      680KB

    • memory/2532-41-0x000000001C570000-0x000000001C594000-memory.dmp
      Filesize

      144KB

    • memory/2632-25-0x0000000000460000-0x0000000000536000-memory.dmp
      Filesize

      856KB

    • memory/2680-20-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-16-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-15-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-14-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-17-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-18-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-19-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-10-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-9-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB

    • memory/2680-8-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
      Filesize

      4KB