Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 11:00

General

  • Target

    Nursultan.exe

  • Size

    1.5MB

  • MD5

    4fb7892e812484f7da78dc9841581b19

  • SHA1

    618393c55273aae8107c2019a8f9a7e1f762b2d9

  • SHA256

    b9de413f47d732c1c909de90d3fd40fe5a0be4ed33846a5092aab934a178363c

  • SHA512

    24e924c2830070f0dc741f8377ddabde61db2b2a97068de167500b38d8dc89f8294c580409336821aec501a35b33df8b8d833b7a4bbb0733a78f333ae5b25129

  • SSDEEP

    24576:U2G/nvxW3Ww0tzACdNBrIW7w/eF+IwBtuEW9qlhSxfUx80M:UbA30zACdh7O5uBp/

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\AgentInto\de7nhIoigo88.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\AgentInto\HyperFont.exe
          "C:\AgentInto\HyperFont.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Recovery\WindowsRE\RuntimeBroker.exe
            "C:\Recovery\WindowsRE\RuntimeBroker.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperFont" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperFontH" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\HyperFont.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AgentInto\AXiDB20occ0ykAARiRUeicjUvbx6Sa.vbe
    Filesize

    198B

    MD5

    c2d6f5a54c7b1605d2168d1255d89ecd

    SHA1

    9ed454cf86b2919128e7ccc9084dce6a24551eae

    SHA256

    7fbee344f89a7bd94c85dae8908c6212dbb2b350ad6f56a0d12cf9f45303e36e

    SHA512

    ac638f1df9331c8708520916de9cef0532d738581044b30b9ea72ddbc00761588bf0305cc9b4d3780b898c4b0fe2fcd1bfc3218ffa70e61f9bf1820188e0ea57

  • C:\AgentInto\HyperFont.exe
    Filesize

    1.2MB

    MD5

    eb36fbb98f05ea2b594e002f49b8702c

    SHA1

    cfd09274452920b85361fa276de34553c6a4dfab

    SHA256

    cb2087b3c0c6de757c51386f0f01981b9fbfd44a75eed49e72dd04dfd43cea95

    SHA512

    16daace64ba80df85c6d49a73846f9469710e5d679e6a210b6d37bf22482bcd202d7d6849defebdcda68ed7237f276ec9322722120a9b1339616ebdd3c495eb5

  • C:\AgentInto\de7nhIoigo88.bat
    Filesize

    28B

    MD5

    4ab8c6b09f62a31811cefe90f489a83d

    SHA1

    7e99ff735e4ad293d695834525596653416053b1

    SHA256

    8cac86f00805566cce8c036b8a4d17b1c288d812d815733e1d53dffefe1985eb

    SHA512

    f9778041bdf2411ae267c42912de33213544dfc7326085190896218da35880b267d87ccee7cfc456ecba613491bd56becf061497ee740f0ecf7e026a1196b3e9

  • memory/2592-40-0x000000001BF80000-0x000000001BF92000-memory.dmp
    Filesize

    72KB

  • memory/3836-13-0x0000000000320000-0x000000000045E000-memory.dmp
    Filesize

    1.2MB

  • memory/3836-12-0x00007FFC70853000-0x00007FFC70855000-memory.dmp
    Filesize

    8KB

  • memory/3836-14-0x0000000002790000-0x00000000027AC000-memory.dmp
    Filesize

    112KB

  • memory/3836-16-0x00000000027B0000-0x00000000027C6000-memory.dmp
    Filesize

    88KB

  • memory/3836-15-0x000000001B740000-0x000000001B790000-memory.dmp
    Filesize

    320KB

  • memory/3836-17-0x00000000027D0000-0x00000000027E2000-memory.dmp
    Filesize

    72KB

  • memory/3836-18-0x000000001BCC0000-0x000000001C1E8000-memory.dmp
    Filesize

    5.2MB