Analysis

  • max time kernel
    126s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 11:00

General

  • Target: Nursultan.exe
  • Size: 1.5MB
  • MD5: 4fb7892e812484f7da78dc9841581b19
  • SHA1: 618393c55273aae8107c2019a8f9a7e1f762b2d9
  • SHA256: b9de413f47d732c1c909de90d3fd40fe5a0be4ed33846a5092aab934a178363c
  • SHA512: 24e924c2830070f0dc741f8377ddabde61db2b2a97068de167500b38d8dc89f8294c580409336821aec501a35b33df8b8d833b7a4bbb0733a78f333ae5b25129
  • SSDEEP: 24576:U2G/nvxW3Ww0tzACdNBrIW7w/eF+IwBtuEW9qlhSxfUx80M:UbA30zACdh7O5uBp/

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process (24 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (3 IoCs)

    Detects the DCRat payload, commonly dropped by NSIS installers.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory (9 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 24 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\AgentInto\de7nhIoigo88.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\AgentInto\HyperFont.exe
          "C:\AgentInto\HyperFont.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uYFGqRHMz8.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2928
              • C:\Users\Admin\Favorites\Links\services.exe
                "C:\Users\Admin\Favorites\Links\services.exe"
                6⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\HyperFont.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HyperFont.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1772

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe
      Filesize: 198B
      MD5: c2d6f5a54c7b1605d2168d1255d89ecd
      SHA1: 9ed454cf86b2919128e7ccc9084dce6a24551eae
      SHA256: 7fbee344f89a7bd94c85dae8908c6212dbb2b350ad6f56a0d12cf9f45303e36e
      SHA512: ac638f1df9331c8708520916de9cef0532d738581044b30b9ea72ddbc00761588bf0305cc9b4d3780b898c4b0fe2fcd1bfc3218ffa70e61f9bf1820188e0ea57

    • C:\AgentInto\de7nhIoigo88.bat
      Filesize: 28B
      MD5: 4ab8c6b09f62a31811cefe90f489a83d
      SHA1: 7e99ff735e4ad293d695834525596653416053b1
      SHA256: 8cac86f00805566cce8c036b8a4d17b1c288d812d815733e1d53dffefe1985eb
      SHA512: f9778041bdf2411ae267c42912de33213544dfc7326085190896218da35880b267d87ccee7cfc456ecba613491bd56becf061497ee740f0ecf7e026a1196b3e9

    • C:\Users\Admin\AppData\Local\Temp\uYFGqRHMz8.bat
      Filesize: 208B
      MD5: 63a30809bbfe0b27263249513e9c0463
      SHA1: 8e854c49cfc94f021625b3f87ecb18ff077eb1a9
      SHA256: 4c4ea7a895ffdb2d5827afc656acd8e92e167d5f36605c07a03dcc9d9c300713
      SHA512: d218f243cef9858c15f9f1ff1d618d4babba56bc554580018dec4e96c949d42b99c261149c45b4f11dfdbb0eb183a52cad255ab04740a7d2c27153176caa7e83

    • \AgentInto\HyperFont.exe
      Filesize: 1.2MB
      MD5: eb36fbb98f05ea2b594e002f49b8702c
      SHA1: cfd09274452920b85361fa276de34553c6a4dfab
      SHA256: cb2087b3c0c6de757c51386f0f01981b9fbfd44a75eed49e72dd04dfd43cea95
      SHA512: 16daace64ba80df85c6d49a73846f9469710e5d679e6a210b6d37bf22482bcd202d7d6849defebdcda68ed7237f276ec9322722120a9b1339616ebdd3c495eb5

    • memory/2100-40-0x00000000013D0000-0x000000000150E000-memory.dmp
      Filesize: 1.2MB

    • memory/2100-41-0x0000000000200000-0x0000000000212000-memory.dmp
      Filesize: 72KB

    • memory/2692-13-0x0000000000970000-0x0000000000AAE000-memory.dmp
      Filesize: 1.2MB

    • memory/2692-14-0x0000000000140000-0x000000000015C000-memory.dmp
      Filesize: 112KB

    • memory/2692-15-0x0000000000390000-0x00000000003A6000-memory.dmp
      Filesize: 88KB

    • memory/2692-16-0x0000000000160000-0x0000000000172000-memory.dmp
      Filesize: 72KB