Analysis
- max time kernel: 126s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 11:00
Behavioral task: behavioral1
- Sample: Nursultan.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: Nursultan.exe
- Resource: win10v2004-20240611-en
General
- Target: Nursultan.exe
- Size: 1.5MB
- MD5: 4fb7892e812484f7da78dc9841581b19
- SHA1: 618393c55273aae8107c2019a8f9a7e1f762b2d9
- SHA256: b9de413f47d732c1c909de90d3fd40fe5a0be4ed33846a5092aab934a178363c
- SHA512: 24e924c2830070f0dc741f8377ddabde61db2b2a97068de167500b38d8dc89f8294c580409336821aec501a35b33df8b8d833b7a4bbb0733a78f333ae5b25129
- SSDEEP: 24576:U2G/nvxW3Ww0tzACdNBrIW7w/eF+IwBtuEW9qlhSxfUx80M:UbA30zACdh7O5uBp/
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (24 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1968 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2528 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2528 | schtasks.exe |
-
Processes:
resource | yara_rule
\AgentInto\HyperFont.exe | dcrat
behavioral1/memory/2692-13-0x0000000000970000-0x0000000000AAE000-memory.dmp | dcrat
behavioral1/memory/2100-40-0x00000000013D0000-0x000000000150E000-memory.dmp | dcrat
-
Executes dropped EXE 2 IoCs
Processes:
HyperFont.exe, services.exe
pid | process
2692 | HyperFont.exe
2100 | services.exe
-
Loads dropped DLL 2 IoCs
Processes:
cmd.exe
pid | process
2708 | cmd.exe
2708 | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | ipinfo.io
7 | ipinfo.io
-
Drops file in Program Files directory 9 IoCs
Processes:
HyperFont.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe | HyperFont.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088 | HyperFont.exe
File created | C:\Program Files\Windows Mail\de-DE\HyperFont.exe | HyperFont.exe
File created | C:\Program Files\Windows Portable Devices\cmd.exe | HyperFont.exe
File created | C:\Program Files\DVD Maker\de-DE\explorer.exe | HyperFont.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe | HyperFont.exe
File created | C:\Program Files\Windows Mail\de-DE\b92a2747531d0b | HyperFont.exe
File created | C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d | HyperFont.exe
File created | C:\Program Files\DVD Maker\de-DE\7a0fd90576e088 | HyperFont.exe
-
Drops file in Windows directory 2 IoCs
Processes:
HyperFont.exe
description | ioc | process
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe | HyperFont.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\6ccacd8608530f | HyperFont.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
services.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\MuiCache | services.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (24 instances)
pid | process
1632 | schtasks.exe
1968 | schtasks.exe
1636 | schtasks.exe
2076 | schtasks.exe
2424 | schtasks.exe
2972 | schtasks.exe
1676 | schtasks.exe
1964 | schtasks.exe
1092 | schtasks.exe
2864 | schtasks.exe
2108 | schtasks.exe
2676 | schtasks.exe
2616 | schtasks.exe
2432 | schtasks.exe
2984 | schtasks.exe
2764 | schtasks.exe
2476 | schtasks.exe
1556 | schtasks.exe
1772 | schtasks.exe
2524 | schtasks.exe
2832 | schtasks.exe
2316 | schtasks.exe
1264 | schtasks.exe
2572 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
HyperFont.exe, services.exe
pid | process
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2692 | HyperFont.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
2100 | services.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
services.exe
pid | process
2100 | services.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
HyperFont.exe, services.exe
description | pid | process
Token: SeDebugPrivilege | 2692 | HyperFont.exe
Token: SeDebugPrivilege | 2100 | services.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Nursultan.exe, WScript.exe, cmd.exe, HyperFont.exe, cmd.exe
description | pid | process | target process
PID 2944 wrote to memory of 2820 | 2944 | Nursultan.exe | WScript.exe
PID 2944 wrote to memory of 2820 | 2944 | Nursultan.exe | WScript.exe
PID 2944 wrote to memory of 2820 | 2944 | Nursultan.exe | WScript.exe
PID 2944 wrote to memory of 2820 | 2944 | Nursultan.exe | WScript.exe
PID 2820 wrote to memory of 2708 | 2820 | WScript.exe | cmd.exe
PID 2820 wrote to memory of 2708 | 2820 | WScript.exe | cmd.exe
PID 2820 wrote to memory of 2708 | 2820 | WScript.exe | cmd.exe
PID 2820 wrote to memory of 2708 | 2820 | WScript.exe | cmd.exe
PID 2708 wrote to memory of 2692 | 2708 | cmd.exe | HyperFont.exe
PID 2708 wrote to memory of 2692 | 2708 | cmd.exe | HyperFont.exe
PID 2708 wrote to memory of 2692 | 2708 | cmd.exe | HyperFont.exe
PID 2708 wrote to memory of 2692 | 2708 | cmd.exe | HyperFont.exe
PID 2692 wrote to memory of 1904 | 2692 | HyperFont.exe | cmd.exe
PID 2692 wrote to memory of 1904 | 2692 | HyperFont.exe | cmd.exe
PID 2692 wrote to memory of 1904 | 2692 | HyperFont.exe | cmd.exe
PID 1904 wrote to memory of 2928 | 1904 | cmd.exe | w32tm.exe
PID 1904 wrote to memory of 2928 | 1904 | cmd.exe | w32tm.exe
PID 1904 wrote to memory of 2928 | 1904 | cmd.exe | w32tm.exe
PID 1904 wrote to memory of 2100 | 1904 | cmd.exe | services.exe
PID 1904 wrote to memory of 2100 | 1904 | cmd.exe | services.exe
PID 1904 wrote to memory of 2100 | 1904 | cmd.exe | services.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2944
-
[level 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe"
  - Suspicious use of WriteProcessMemory
  PID: 2820
-
[level 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\AgentInto\de7nhIoigo88.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2708
-
[level 4] C:\AgentInto\HyperFont.exe
  Command line: "C:\AgentInto\HyperFont.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2692
-
[level 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uYFGqRHMz8.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1904
-
[level 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2928
-
[level 6] C:\Users\Admin\Favorites\Links\services.exe
  Command line: "C:\Users\Admin\Favorites\Links\services.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 2100
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2676
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2616
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2524
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2432
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2424
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2764
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2864
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2972
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1632
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1676
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2316
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1968
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1264
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1964
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1636
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2572
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2476
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2076
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1556
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1092
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2108
-
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1772
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe
  Filesize: 198B
  MD5: c2d6f5a54c7b1605d2168d1255d89ecd
  SHA1: 9ed454cf86b2919128e7ccc9084dce6a24551eae
  SHA256: 7fbee344f89a7bd94c85dae8908c6212dbb2b350ad6f56a0d12cf9f45303e36e
  SHA512: ac638f1df9331c8708520916de9cef0532d738581044b30b9ea72ddbc00761588bf0305cc9b4d3780b898c4b0fe2fcd1bfc3218ffa70e61f9bf1820188e0ea57
-
C:\AgentInto\de7nhIoigo88.bat
  Filesize: 28B
  MD5: 4ab8c6b09f62a31811cefe90f489a83d
  SHA1: 7e99ff735e4ad293d695834525596653416053b1
  SHA256: 8cac86f00805566cce8c036b8a4d17b1c288d812d815733e1d53dffefe1985eb
  SHA512: f9778041bdf2411ae267c42912de33213544dfc7326085190896218da35880b267d87ccee7cfc456ecba613491bd56becf061497ee740f0ecf7e026a1196b3e9
-
C:\Users\Admin\AppData\Local\Temp\uYFGqRHMz8.bat
  Filesize: 208B
  MD5: 63a30809bbfe0b27263249513e9c0463
  SHA1: 8e854c49cfc94f021625b3f87ecb18ff077eb1a9
  SHA256: 4c4ea7a895ffdb2d5827afc656acd8e92e167d5f36605c07a03dcc9d9c300713
  SHA512: d218f243cef9858c15f9f1ff1d618d4babba56bc554580018dec4e96c949d42b99c261149c45b4f11dfdbb0eb183a52cad255ab04740a7d2c27153176caa7e83
-
\AgentInto\HyperFont.exe
  Filesize: 1.2MB
  MD5: eb36fbb98f05ea2b594e002f49b8702c
  SHA1: cfd09274452920b85361fa276de34553c6a4dfab
  SHA256: cb2087b3c0c6de757c51386f0f01981b9fbfd44a75eed49e72dd04dfd43cea95
  SHA512: 16daace64ba80df85c6d49a73846f9469710e5d679e6a210b6d37bf22482bcd202d7d6849defebdcda68ed7237f276ec9322722120a9b1339616ebdd3c495eb5
-
memory/2100-40-0x00000000013D0000-0x000000000150E000-memory.dmp
  Filesize: 1.2MB
-
memory/2100-41-0x0000000000200000-0x0000000000212000-memory.dmp
  Filesize: 72KB
-
memory/2692-13-0x0000000000970000-0x0000000000AAE000-memory.dmp
  Filesize: 1.2MB
-
memory/2692-14-0x0000000000140000-0x000000000015C000-memory.dmp
  Filesize: 112KB
-
memory/2692-15-0x0000000000390000-0x00000000003A6000-memory.dmp
  Filesize: 88KB
-
memory/2692-16-0x0000000000160000-0x0000000000172000-memory.dmp
  Filesize: 72KB