Analysis

  • max time kernel
    590s
  • max time network
    601s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 15:19

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\portagentbrowserweb\cmd.exe
            "C:\portagentbrowserweb\cmd.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe
              "C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe"
              6⤵
              • Executes dropped EXE
              PID:736
            • C:\Users\Admin\AppData\Local\Temp\MemZ.exe
              "C:\Users\Admin\AppData\Local\Temp\MemZ.exe"
              6⤵
              • Executes dropped EXE
              PID:2960
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:1320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4932
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2900
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1652
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:3080
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3812
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3980
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:700
    • C:\Users\Admin\Cookies\RuntimeBroker.exe
      C:\Users\Admin\Cookies\RuntimeBroker.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\portagentbrowserweb\cmd.exe
      C:\portagentbrowserweb\cmd.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
    • C:\Program Files (x86)\Google\Temp\lsass.exe
      "C:\Program Files (x86)\Google\Temp\lsass.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1296

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MemZ.exe
      Filesize

      10KB

      MD5

      424755b9f13cdb742d503836bf09e63e

      SHA1

      b4cdc234fdca58519edf14fa3b0bb3a522249440

      SHA256

      e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56

      SHA512

      29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7

    • C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe
      Filesize

      578KB

      MD5

      c79991b2359aede893bcd2e0a962378d

      SHA1

      80ae9ddcdebe17c2af22c33ac1137d1811dbb0af

      SHA256

      5b706a3df72925ddcde585b41a82d76dda513d86b81d7d527f2990d5fd5218b6

      SHA512

      51f9274d30ba40a434fbc7930a8bbb0f9b75bb9184bcb35bf227761df71587bbfde28157a4e7ac29e1d119509dfd5882bef478d1bd3f6cbe813748077dbfcdb6

    • C:\Windows\Debug\WIA\wiatrace.log
      Filesize

      2KB

      MD5

      340b78795385833955856bbc35168ab4

      SHA1

      0eff6d3568a4c0a08fa63e64270a8e992e608323

      SHA256

      73200e842ffedcd51958171143f85dacfca98a4719cb10ffa71a34c65b026032

      SHA512

      21f2883dde27c6520116f4000ea7b4dfb8c7b8be8de953d13bc1a6caa55000176710b7e166ac9cc31bc786f3b23049d957f1f9167d99f6e4ebfc6670f6e95846

    • C:\Windows\Debug\WIA\wiatrace.log
      Filesize

      3KB

      MD5

      6fcf80bf6c7e2cf9dad0f8b61f4e4671

      SHA1

      bf0083943118dfeed0e76748cdc395cf73e3433b

      SHA256

      1e049f0db03a3cc3f563452a87a041f587e96ee745aca5600a9fd13955816897

      SHA512

      b49f7af780edaa9a3d0d4108d9ca5f2662e17b5e886ed5d617f1f981d54947eb2f661e121ff76fc44afb4004bed01a18b61f0f01cf59640cb5d47ca24ed11fa5

    • C:\Windows\Debug\WIA\wiatrace.log
      Filesize

      4KB

      MD5

      d943abc80ab89c23a92a39dfb4c236af

      SHA1

      fc0ed0290513c33bca1297beba7b36c6ca245391

      SHA256

      8a18b888142322b3be37ff134d87fa49b88f14fb762348d30f1590547b1de11a

      SHA512

      41ce434ca1c1805c179098c893205f218b190418ef528d85efd594a903edf8960da11f11565d435c7ab67e7e3c60efb4b0afede66bead5e77c9cf66e8b86d52b

    • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
      Filesize

      157B

      MD5

      c8f8a078dace2ff4cb106803c9199643

      SHA1

      a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5

      SHA256

      1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d

      SHA512

      efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

    • C:\portagentbrowserweb\Containerruntime.exe
      Filesize

      1.2MB

      MD5

      5887a563351ca99247b7e2c448bd9f2e

      SHA1

      b24695e88143863297535989900bb7521ea86d67

      SHA256

      e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390

      SHA512

      b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

    • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
      Filesize

      220B

      MD5

      61a07f2f9e8e9b1f5175b2d60c3e3f18

      SHA1

      e695b0c2b43c786453bf3f6ae504f0626951d281

      SHA256

      5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1

      SHA512

      8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

    • memory/736-116-0x00000000009B0000-0x0000000000A46000-memory.dmp
      Filesize

      600KB

    • memory/2688-13-0x00000000008F0000-0x0000000000A22000-memory.dmp
      Filesize

      1.2MB

    • memory/2688-17-0x000000001B570000-0x000000001B57C000-memory.dmp
      Filesize

      48KB

    • memory/2688-16-0x000000001B550000-0x000000001B566000-memory.dmp
      Filesize

      88KB

    • memory/2688-15-0x000000001B5A0000-0x000000001B5F0000-memory.dmp
      Filesize

      320KB

    • memory/2688-14-0x0000000002AB0000-0x0000000002ACC000-memory.dmp
      Filesize

      112KB

    • memory/2688-12-0x00007FFF5D873000-0x00007FFF5D875000-memory.dmp
      Filesize

      8KB

    • memory/2960-129-0x0000000000A30000-0x0000000000A38000-memory.dmp
      Filesize

      32KB