Overview

overview

10

Static

static

10

Nursultan.exe

windows7-x64

10

Nursultan.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-06-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan.exe

  • Size

    1.4MB

  • MD5

    1b6293c7f0dfed044b0eba8b98b0faff

  • SHA1

    e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a

  • SHA256

    fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8

  • SHA512

    694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5

  • SSDEEP

    24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9

Score
10/10
44caliberdcratinfostealerratstealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Hypercommon\ServercrtDll.exe
            "C:\Hypercommon\ServercrtDll.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xmbnVBQQ9f.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1992
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1040
                • C:\Program Files\Windows Journal\en-US\taskmgr.exe
                  "C:\Program Files\Windows Journal\en-US\taskmgr.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1536
      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2320
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Hypercommon\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Hypercommon\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Hypercommon\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskmgrt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\taskmgr.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskmgr" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\taskmgr.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskmgrt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\taskmgr.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1128
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Hypercommon\Udwe1ynNPaETo.bat
      Filesize

      33B

      MD5

      1af82b77403306ff43f68bf7a0786c52

      SHA1

      730a3bd4b524ffa024657c1fc27ffd82e25f3f81

      SHA256

      e358e4c2fc541cc4e5614b1af9360a85a32fc53babbc57ecf5858fe71d334f96

      SHA512

      0e33b779aceb2a42f5c42e07bcd3ac70a3dbb1fd2bbd4ae154979735f58eeaab5abea05cea682f4b73f6b54174ace8ac3046c6e9a84c4a729a6ed2bffa1a9ec1

      Download Submit

    • C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe
      Filesize

      201B

      MD5

      0f314eb5d52ce9cd85095eadff4f908c

      SHA1

      272d25d43f789dd5fad479ab31e96214f82302b3

      SHA256

      f17ea2d9d889ef2012cb57191ad3a1d2d3351df8539b4029d6f7080d66217e89

      SHA512

      471b72558c045bc4acd276087d82e564aa7685373dea3ac3e90390df0f7f42ea06ae0254d3a4a9dc57312c7b1485916f4d470bd353b4b8c0b35d705573105f09

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\explorer.exe
      Filesize

      303KB

      MD5

      7d9282b8529bbb4ac06a3994fbcd0622

      SHA1

      d38d467c5e533f3bc247b6ed245fb08412a479d7

      SHA256

      ca5820bbbcbefd08f5ec820b833b23f7f97556a247da39510a70cbe7b809e3a9

      SHA512

      aec2d63548176dc1a8ad3d2dfce0bc41973230c6898c55171dec7fc2919b84a8061d4308449c9551cc40ac7c08ad773fd6a7818bbd748ede9be64acc11dcfca5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xmbnVBQQ9f.bat
      Filesize

      215B

      MD5

      3fa9f00629160b65613b1cc045fb1163

      SHA1

      e4c504510c128eaf0156e21ee6f349e2f19c6d89

      SHA256

      641bd27e13e6cbcd85200d8681860db65beb9fa14a2ed3aff82921f5abd71606

      SHA512

      7e575530effcbed1bbb48ec8ba1b80913c91e9c8c67984877edba500b0c2828b4a72a2a4dac3da88035f976087f4a880d5065c8304ec19a0ff7cf915b790b7c7

      Download Submit

    • \Hypercommon\ServercrtDll.exe
      Filesize

      828KB

      MD5

      801d5740c780d09b1cc6d971ce8b280f

      SHA1

      c7188e6f5998405d9dcbe83ce5d29267861be07d

      SHA256

      b678bee38602b80df34f15e4555bb689e2eb6aef26f4c273d652c88f8825c33f

      SHA512

      3296e517a6e0d6d3feb1f9d1544664b87589130d8a28f205626b2182ecdf333ff404f311ce69730d509e3072432024d3ed16db7068d35925375d9ecc5fe82b49

      Download Submit

    • \Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      1.1MB

      MD5

      3ee661f4a9794c72a91fa1f783f54969

      SHA1

      35780f52351da65b60cc63b302018950cbfe849f

      SHA256

      ebcaf07121ce2483989e7a71d00b83c54b942f71e51271d5b28886ef03e45b51

      SHA512

      0b53edac853f257b3c40b8b8014f0b0d53f546410d352965eace8eb251b2d75aa02e171586750a70dd97a4bc103b4b7707e90d5bd7a47c786858514f83281bde

      Download Submit

    • memory/988-60-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/988-59-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1536-57-0x0000000001210000-0x00000000012E6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2164-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-1-0x0000000001050000-0x00000000011BC000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2320-22-0x0000000000AD0000-0x0000000000B22000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2396-31-0x0000000000D60000-0x0000000000E36000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2640-25-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2640-24-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2640-58-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download