Analysis

  • max time kernel
    69s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-07-2024 16:29

General

  • Target

    Nurik Nextgen.zip

  • Size

    18.3MB

  • MD5

    3fc9a11e02cb42d213d905f1d8ad6fa0

  • SHA1

    209513a3c96a5afa02987a792ba23d61bcffcb75

  • SHA256

    5080fde04d9c1a84629ef9115de89032f4648865a763b759e03140c82e55ef03

  • SHA512

    0de34b6a34f4aadcddbb0bd37e337e21f3e641a70396491d430879a3192459b754a1d403417e8c5477d613afe0073440fe961d3f00e109075620895407902d86

  • SSDEEP

    393216:VbXvrdREZMNsYJFJxcTT45MczYrjpJViNyBBJNPrNf4H75o:FBREZMhd0T4dYHNHBB3PtW7a

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"
    1⤵
      PID:4088
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2196
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2556
      • C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe
        "C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3232
            • C:\ProviderdriverIntocommon\blocksavesdll.exe
              "C:\ProviderdriverIntocommon\blocksavesdll.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1572
              • C:\ProviderdriverIntocommon\backgroundTaskHost.exe
                "C:\ProviderdriverIntocommon\backgroundTaskHost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1112
      • C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat
        "C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\DS8loQgAzvz4hzGOlT2oxco7LQ.vbe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\z4jwrAxpUhCGOKjWHl3LLujwq0.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\ProviderdriverIntocommon\blocksavesdll.exe
              "C:\ProviderdriverIntocommon\blocksavesdll.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nurik Nextgen\Read Me.txt
        1⤵
          PID:1788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:448
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4484
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3924

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\ProviderdriverIntocommon\88xPq.vbe

          Filesize

          208B

          MD5

          b564930885f2d5234f25eb8251f32a39

          SHA1

          dd29e4edd586ec9f224494a3acac72e463b03496

          SHA256

          fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c

          SHA512

          2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907

        • C:\ProviderdriverIntocommon\DS8loQgAzvz4hzGOlT2oxco7LQ.vbe

          Filesize

          228B

          MD5

          e7ffce41b3ee681c84684a0102afc208

          SHA1

          927758d2e6c11efc9591e454d2292bff168bc029

          SHA256

          e822fe09d88314279cfb16bd6fc3ab36d1d829dc8e9abdc35c6c0ee235fffea6

          SHA512

          15958b53273fdea2714a751dc429d463648038913fe49a9ab4c66c7de11e69b5140bc6bc77bd46f018b3881c12e32f2dba9e825f64337d86a1130894ea1392b9

        • C:\ProviderdriverIntocommon\agbLTe.bat

          Filesize

          47B

          MD5

          3a8731fb4a1c8ac840d9da87b0fabc01

          SHA1

          589cd7631e9487d7287028a9b5e3011ddeb93b02

          SHA256

          bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353

          SHA512

          2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb

        • C:\ProviderdriverIntocommon\blocksavesdll.exe

          Filesize

          1.3MB

          MD5

          8315d7b620a490b70605d3eb8ff5aacf

          SHA1

          1b3ffd2ad0d9ac4c544089389468b68893d5cb2b

          SHA256

          fd9756282d79eff3fab007965ef93412eb774c26ee51a944fae43c3d7e8466ee

          SHA512

          3d48e50a56222e1929b0dd7da754f854b8e95d756ef9ccdd13e71554d4fbf984816869d6cd3990b0a2be3946bea9665c162d9b95915a71da219c8cf3eca8c9f5

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blocksavesdll.exe.log

          Filesize

          1KB

          MD5

          7800fca2323a4130444c572374a030f4

          SHA1

          40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

          SHA256

          29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

          SHA512

          c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

        • C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe

          Filesize

          1.7MB

          MD5

          01e38e791b2dcba64ee53f97b6e4059c

          SHA1

          b732849edbab22895fbf0b4e6caba3f4d5006081

          SHA256

          b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158

          SHA512

          0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65

        • C:\Users\Admin\Desktop\Nurik Nextgen\Read Me.txt

          Filesize

          298B

          MD5

          c407fc8e8fa5835b0b37670a9c5f121f

          SHA1

          f85b910cb93eb9c8df19eafcfc953c8e6dcd51c5

          SHA256

          4c13d1b2a5986ddb0773ab95e91bd1ece263d838ffda35508940a7924ae8e331

          SHA512

          5a9a0a8dc3ec19ba53d5a6ed1f1fe41d06bfb29d2dfa3ca2311f223536dbb2250ed6277abbe0e0cefd6ac30a14633efc05d89fa7812c03dd6f872b194bce212c

        • C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat

          Filesize

          1.6MB

          MD5

          d66e9e4f15a2067b4b6c9c1ca79cdc57

          SHA1

          c8b3d637128e269624cc0f154dd4624ded00faa4

          SHA256

          4c63d03073231b403a1b76acfbecb3c291f381092b3f3054ccfa2d651b6ce5d2

          SHA512

          26aca6854e46cc8bc65b348654641191c61f920a02ded64f86f7433b5c277d9c00eecc1effd1dbb8dad978d970b53fcad1624f5e804bab1b5c3662160d6b97da

        • memory/1112-144-0x000000001E840000-0x000000001ED68000-memory.dmp

          Filesize

          5.2MB

        • memory/1112-143-0x000000001D190000-0x000000001D352000-memory.dmp

          Filesize

          1.8MB

        • memory/1572-101-0x0000000001730000-0x000000000173E000-memory.dmp

          Filesize

          56KB

        • memory/1572-104-0x000000001BAA0000-0x000000001BAB6000-memory.dmp

          Filesize

          88KB

        • memory/1572-105-0x0000000003090000-0x00000000030A0000-memory.dmp

          Filesize

          64KB

        • memory/1572-106-0x000000001BAC0000-0x000000001BACE000-memory.dmp

          Filesize

          56KB

        • memory/1572-103-0x000000001BAF0000-0x000000001BB40000-memory.dmp

          Filesize

          320KB

        • memory/1572-102-0x000000001BA80000-0x000000001BA9C000-memory.dmp

          Filesize

          112KB

        • memory/1572-100-0x0000000000D00000-0x0000000000E5C000-memory.dmp

          Filesize

          1.4MB