Analysis

  • max time kernel: 125s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/06/2024, 13:05

General

  • Target: nurusltan fix.exe
  • Size: 1.1MB
  • MD5: 0f353cf4b6e0fa3ec3c7bd6ba53eaff8
  • SHA1: 8c54eff890e1923b788f33dabc135dd6db859c79
  • SHA256: fd18e5242413a22ef180736d054660b59d901c096fbd7b2f22b02b3b170da7b0
  • SHA512: 69c681a47a1313155f8536dcd9a14bc999a0f7f82ca8e20dcb2de3589599d0cadee495f2a91e5cb49dcad83a3b961bcbae1957ef45a8ead6384fd3d0b3c05199
  • SSDEEP: 24576:U2G/nvxW3Ww0t0zhLLXo2JkLajcBo6EFiUGxjt:UbA300zhAfScBxEyxZ

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process (21 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (3 IoCs)

    Detects the payload of DCRat, which is commonly dropped by NSIS installers.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (7 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 21 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nurusltan fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nurusltan fix.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Agentcomponentcommon\fbxuS96NMbe4n6JV.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Agentcomponentcommon\aRkefYu5ar9NpqNnsZyu3JG.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Agentcomponentcommon\Comref.exe
          "C:\Agentcomponentcommon\Comref.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\Comref.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Windows\de-DE\Comref.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\Comref.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:308

Network

        Downloads

        • C:\Agentcomponentcommon\aRkefYu5ar9NpqNnsZyu3JG.bat
          Filesize: 36B
          MD5: ee08f606810a583c666500b8fdfed16c
          SHA1: 4289bd99b380ef87a0abd52fa193bb584ad52947
          SHA256: ac2f971e8a6049070d01bc35a9d4c2822ad1c168ae1c3ad4718026ded1ff7238
          SHA512: 673169fb2fd43884887c13d32152c1497425a5c489fd7902ec4758ea034e883470ba15299e25ecfd07bb238a849d314da13b8f1bf8c80f756c027da02f9e0472

        • C:\Agentcomponentcommon\fbxuS96NMbe4n6JV.vbe
          Filesize: 220B
          MD5: e5fc6c5feb954ae982e6dc11d76ee900
          SHA1: 2a62a21679c801b84ce372afb7c52e24c920dfe1
          SHA256: e6805bd88f8107c2089e0c02357d30ceb175a49c9912a35e92565ed7f710c0ff
          SHA512: 93f102257a7cbd6b06ff1d25eeed708a9af45ebbc6f72c94db51f067aa891ce71da0b7babd00e72a0869eba760893b5fed2a7e4b7b2d9d5ea18a05555e222d2c

        • \Agentcomponentcommon\Comref.exe
          Filesize: 828KB
          MD5: 365ce0dd2c67e94b054e6ac405ec42b5
          SHA1: 176629f99e1a7cbdf55b461b73699081d60f595a
          SHA256: 53ca3d012cb978aca3ed559714fc9f4bf8d10bb98d59222ccdc6e6986c4415c8
          SHA512: e5efae843b9116bf950acfaedc28885768550ee8f3d972e193975d9daf4f4dc24d8f201dedc529a1d0a70d5556704243cd6e27ca9853c07537aa259ac40e74fe

        • memory/768-34-0x0000000000A50000-0x0000000000B26000-memory.dmp
          Filesize: 856KB

        • memory/2748-13-0x0000000000220000-0x00000000002F6000-memory.dmp
          Filesize: 856KB