Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 11:00
Behavioral task: behavioral1
- Sample: Nursultan.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: Nursultan.exe
- Resource: win10v2004-20240611-en
General
- Target: Nursultan.exe
- Size: 1.5MB
- MD5: 4fb7892e812484f7da78dc9841581b19
- SHA1: 618393c55273aae8107c2019a8f9a7e1f762b2d9
- SHA256: b9de413f47d732c1c909de90d3fd40fe5a0be4ed33846a5092aab934a178363c
- SHA512: 24e924c2830070f0dc741f8377ddabde61db2b2a97068de167500b38d8dc89f8294c580409336821aec501a35b33df8b8d833b7a4bbb0733a78f333ae5b25129
- SSDEEP: 24576:U2G/nvxW3Ww0tzACdNBrIW7w/eF+IwBtuEW9qlhSxfUx80M:UbA30zACdh7O5uBp/
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (15 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1332 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3556 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3660 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1304 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3236 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1412 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1216 | 2192 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 2192 | schtasks.exe
Processes:
resource | yara_rule
C:\AgentInto\HyperFont.exe | dcrat
behavioral2/memory/3836-13-0x0000000000320000-0x000000000045E000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Nursultan.exe, WScript.exe, HyperFont.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | Nursultan.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | HyperFont.exe
Executes dropped EXE (2 IoCs)
Processes: HyperFont.exe, RuntimeBroker.exe
pid | process
3836 | HyperFont.exe
2592 | RuntimeBroker.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
28 | ipinfo.io
29 | ipinfo.io
Drops file in Program Files directory (4 IoCs)
Processes: HyperFont.exe
description | ioc | process
File created | C:\Program Files\Windows Mail\ea1d8f6d871115 | HyperFont.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe | HyperFont.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\b92a2747531d0b | HyperFont.exe
File created | C:\Program Files\Windows Mail\upfc.exe | HyperFont.exe
Drops file in Windows directory (2 IoCs)
Processes: HyperFont.exe
description | ioc | process
File created | C:\Windows\Provisioning\Autopilot\csrss.exe | HyperFont.exe
File created | C:\Windows\Provisioning\Autopilot\886983d96e3d3e | HyperFont.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Processes: Nursultan.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | Nursultan.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (15 instances)
pid | process
3556 | schtasks.exe
3660 | schtasks.exe
1304 | schtasks.exe
1560 | schtasks.exe
1412 | schtasks.exe
2696 | schtasks.exe
2260 | schtasks.exe
1216 | schtasks.exe
1756 | schtasks.exe
1240 | schtasks.exe
1332 | schtasks.exe
3236 | schtasks.exe
2944 | schtasks.exe
2732 | schtasks.exe
4424 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (49 IoCs)
Processes: HyperFont.exe, RuntimeBroker.exe
pid | process | occurrences
3836 | HyperFont.exe | 13
2592 | RuntimeBroker.exe | 36
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RuntimeBroker.exe
pid | process
2592 | RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: HyperFont.exe, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 3836 | HyperFont.exe
Token: SeDebugPrivilege | 2592 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: Nursultan.exe, WScript.exe, cmd.exe, HyperFont.exe
description | pid | process | target process
PID 220 wrote to memory of 2512 | 220 | Nursultan.exe | WScript.exe
PID 220 wrote to memory of 2512 | 220 | Nursultan.exe | WScript.exe
PID 220 wrote to memory of 2512 | 220 | Nursultan.exe | WScript.exe
PID 2512 wrote to memory of 1808 | 2512 | WScript.exe | cmd.exe
PID 2512 wrote to memory of 1808 | 2512 | WScript.exe | cmd.exe
PID 2512 wrote to memory of 1808 | 2512 | WScript.exe | cmd.exe
PID 1808 wrote to memory of 3836 | 1808 | cmd.exe | HyperFont.exe
PID 1808 wrote to memory of 3836 | 1808 | cmd.exe | HyperFont.exe
PID 3836 wrote to memory of 2592 | 3836 | HyperFont.exe | RuntimeBroker.exe
PID 3836 wrote to memory of 2592 | 3836 | HyperFont.exe | RuntimeBroker.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  PID: 220
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe"
    PID: 2512
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\AgentInto\de7nhIoigo88.bat" "
      PID: 1808
      - Suspicious use of WriteProcessMemory
      - C:\AgentInto\HyperFont.exe
        Command line: "C:\AgentInto\HyperFont.exe"
        PID: 3836
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Recovery\WindowsRE\RuntimeBroker.exe
          Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
          PID: 2592
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  PID: 2696
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 1240
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 1332
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  PID: 2260
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 3556
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 2732
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /f
  PID: 3660
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
  PID: 4424
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
  PID: 1304
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /f
  PID: 3236
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /rl HIGHEST /f
  PID: 1560
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /rl HIGHEST /f
  PID: 1412
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /f
  PID: 2944
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
  PID: 1216
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
  PID: 1756
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe
  Filesize: 198B
  MD5: c2d6f5a54c7b1605d2168d1255d89ecd
  SHA1: 9ed454cf86b2919128e7ccc9084dce6a24551eae
  SHA256: 7fbee344f89a7bd94c85dae8908c6212dbb2b350ad6f56a0d12cf9f45303e36e
  SHA512: ac638f1df9331c8708520916de9cef0532d738581044b30b9ea72ddbc00761588bf0305cc9b4d3780b898c4b0fe2fcd1bfc3218ffa70e61f9bf1820188e0ea57
- C:\AgentInto\HyperFont.exe
  Filesize: 1.2MB
  MD5: eb36fbb98f05ea2b594e002f49b8702c
  SHA1: cfd09274452920b85361fa276de34553c6a4dfab
  SHA256: cb2087b3c0c6de757c51386f0f01981b9fbfd44a75eed49e72dd04dfd43cea95
  SHA512: 16daace64ba80df85c6d49a73846f9469710e5d679e6a210b6d37bf22482bcd202d7d6849defebdcda68ed7237f276ec9322722120a9b1339616ebdd3c495eb5
- C:\AgentInto\de7nhIoigo88.bat
  Filesize: 28B
  MD5: 4ab8c6b09f62a31811cefe90f489a83d
  SHA1: 7e99ff735e4ad293d695834525596653416053b1
  SHA256: 8cac86f00805566cce8c036b8a4d17b1c288d812d815733e1d53dffefe1985eb
  SHA512: f9778041bdf2411ae267c42912de33213544dfc7326085190896218da35880b267d87ccee7cfc456ecba613491bd56becf061497ee740f0ecf7e026a1196b3e9
- memory/2592-40-0x000000001BF80000-0x000000001BF92000-memory.dmp
  Filesize: 72KB
- memory/3836-13-0x0000000000320000-0x000000000045E000-memory.dmp
  Filesize: 1.2MB
- memory/3836-12-0x00007FFC70853000-0x00007FFC70855000-memory.dmp
  Filesize: 8KB
- memory/3836-14-0x0000000002790000-0x00000000027AC000-memory.dmp
  Filesize: 112KB
- memory/3836-16-0x00000000027B0000-0x00000000027C6000-memory.dmp
  Filesize: 88KB
- memory/3836-15-0x000000001B740000-0x000000001B790000-memory.dmp
  Filesize: 320KB
- memory/3836-17-0x00000000027D0000-0x00000000027E2000-memory.dmp
  Filesize: 72KB
- memory/3836-18-0x000000001BCC0000-0x000000001C1E8000-memory.dmp
  Filesize: 5.2MB