General

  • Target: nurpukan.exe
  • Size: 3.6MB
  • Sample: 240622-zh79qatcqa
  • MD5: 2e63d31a224b50b20cc132d3328b72c4
  • SHA1: fa6ee7388b562e31e61e95083efa336352400301
  • SHA256: 40e30696d6ad195bd0b098a4fca8ef28b8853a5dee92a38d65dc39d90e940aeb
  • SHA512: e2b7b43d61fe831af7994827a1374d29f71cc2aa505978448b074755b8252339ce38c4908de6727be6e40accca00b87c182fdeb9fea5733c839c2041b1a5ebf4
  • SSDEEP: 98304:Ub/suheUpJ461ABv8OqVGHnodeXuP+Nn5kefW7nLu:UDXZpDo0OqeodeXy+Nn2QWe

Malware Config

Targets

    • DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
    • Modifies WinLogon for persistence
    • Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
    • UAC bypass
    • DCRat payload: detects the payload of DCRat, commonly dropped by NSIS installers.
    • Disables Task Manager via registry modification
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials, etc.
    • Adds Run key to start application
    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15