Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 18-07-2024 09:00
Behavioral task
behavioral1
Sample
nursultan alpha.exe
Resource
win10-20240404-en
General
Target: nursultan alpha.exe
Size: 2.1MB
MD5: 5a7e4da699bce68005b413cdd318e9de
SHA1: cee6614980f50810d19c3c18d242d97400078a75
SHA256: b27372b955d8e6cf46a3d36826511468504f8d58b5f24720351bf85f123cfea5
SHA512: 7dafdd1ba9941b2f332f596ceefb6e9e07768f63586a4a21b4a31bbe66b890e62935a38e82a7665b1154c66fe015b4ff68144885389fdc4318670f8c878cad3c
SSDEEP: 49152:UbA30/p0cfOZx9yRLMjyDYfG0TssZGe4lbY:UbTbfO40r3TssTgY
Malware Config
Signatures
-
DcRat 14 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
Processes:
pid process
4876 schtasks.exe
4572 schtasks.exe
5100 schtasks.exe
2772 schtasks.exe
3316 schtasks.exe
4084 schtasks.exe
800 schtasks.exe
3164 schtasks.exe
444 schtasks.exe
4480 schtasks.exe
760 schtasks.exe
1536 schtasks.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings nursultan alpha.exe
File created C:\Windows\PLA\ebf1f9fa8afd6d browserFontdll.exe
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host; a process created through WMI (for example Win32_Process.Create) gets wmiprvse.exe as its parent, so the more likely reading is that the RAT registered its scheduled tasks through WMI rather than that wmiprvse.exe itself was exploited. The practical effect is the same either way: the twelve schtasks.exe instances are detached from the dropper's process tree.
Processes:
description pid pid_target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 760 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 444 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4084 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 800 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4572 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5100 3852 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 3852 schtasks.exe
Processes:
resource yara_rule
C:\AgentDriversavesrefmonitor\browserFontdll.exe dcrat
behavioral1/memory/2572-19-0x00000000007A0000-0x0000000000978000-memory.dmp dcrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes:
pid process
2572 browserFontdll.exe
1720 unsecapp.exe
Drops file in Program Files directory 4 IoCs
Processes:
description ioc process
File created C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe browserFontdll.exe
File created C:\Program Files\Microsoft Office\root\rsod\f3b6ecef712a24 browserFontdll.exe
File created C:\Program Files\Windows Defender\Offline\sihost.exe browserFontdll.exe
File created C:\Program Files\Windows Defender\Offline\66fc9ff0ee96c2 browserFontdll.exe
Drops file in Windows directory 5 IoCs
Processes:
description ioc process
File created C:\Windows\PLA\cmd.exe browserFontdll.exe
File opened for modification C:\Windows\PLA\cmd.exe browserFontdll.exe
File created C:\Windows\PLA\ebf1f9fa8afd6d browserFontdll.exe
File created C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe browserFontdll.exe
File created C:\Windows\PolicyDefinitions\es-ES\29c1c3cc0f7685 browserFontdll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings nursultan alpha.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings browserFontdll.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
3164 schtasks.exe
444 schtasks.exe
4572 schtasks.exe
4480 schtasks.exe
4876 schtasks.exe
4084 schtasks.exe
800 schtasks.exe
1536 schtasks.exe
5100 schtasks.exe
2772 schtasks.exe
760 schtasks.exe
3316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid process
2572 browserFontdll.exe (listed 7 times)
1720 unsecapp.exe (listed 9 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
1720 unsecapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2572 browserFontdll.exe
Token: SeDebugPrivilege 1720 unsecapp.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description pid process target process
PID 168 wrote to memory of 2108 168 nursultan alpha.exe WScript.exe (3 entries)
PID 168 wrote to memory of 4984 168 nursultan alpha.exe WScript.exe (3 entries)
PID 2108 wrote to memory of 1932 2108 WScript.exe cmd.exe (3 entries)
PID 1932 wrote to memory of 2572 1932 cmd.exe browserFontdll.exe (2 entries)
PID 2572 wrote to memory of 4108 2572 browserFontdll.exe cmd.exe (2 entries)
PID 4108 wrote to memory of 5060 4108 cmd.exe w32tm.exe (2 entries)
PID 4108 wrote to memory of 1720 4108 cmd.exe unsecapp.exe (2 entries)
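In this report every WriteProcessMemory row is a parent writing into a child it has just created: the parent/child PIDs and image names line up exactly with the chain shown under Processes, and a pair that repeats is several writes into the same child, not several children. The Python below is an added example, not part of the sandbox report or its tooling. It takes the seventeen rows (copied from the table as a constructed input), collapses the repeats, and rebuilds the tree, so the same logic can be pointed at another report's table. What the result does not contain is as telling as what it does: the twelve schtasks.exe processes never appear, because their parent is wmiprvse.exe, which is not in this chain.

```python
"""Rebuild the process tree of this report from its WriteProcessMemory IoC rows."""
import re
from collections import defaultdict

# Constructed input: the 17 rows of the "Suspicious use of WriteProcessMemory" table,
# one per line, in the order the report lists them (repeats included).
WPM_ROWS = """\
PID 168 wrote to memory of 2108 168 nursultan alpha.exe WScript.exe
PID 168 wrote to memory of 2108 168 nursultan alpha.exe WScript.exe
PID 168 wrote to memory of 2108 168 nursultan alpha.exe WScript.exe
PID 168 wrote to memory of 4984 168 nursultan alpha.exe WScript.exe
PID 168 wrote to memory of 4984 168 nursultan alpha.exe WScript.exe
PID 168 wrote to memory of 4984 168 nursultan alpha.exe WScript.exe
PID 2108 wrote to memory of 1932 2108 WScript.exe cmd.exe
PID 2108 wrote to memory of 1932 2108 WScript.exe cmd.exe
PID 2108 wrote to memory of 1932 2108 WScript.exe cmd.exe
PID 1932 wrote to memory of 2572 1932 cmd.exe browserFontdll.exe
PID 1932 wrote to memory of 2572 1932 cmd.exe browserFontdll.exe
PID 2572 wrote to memory of 4108 2572 browserFontdll.exe cmd.exe
PID 2572 wrote to memory of 4108 2572 browserFontdll.exe cmd.exe
PID 4108 wrote to memory of 5060 4108 cmd.exe w32tm.exe
PID 4108 wrote to memory of 5060 4108 cmd.exe w32tm.exe
PID 4108 wrote to memory of 1720 4108 cmd.exe unsecapp.exe
PID 4108 wrote to memory of 1720 4108 cmd.exe unsecapp.exe
"""

# Row layout: "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>".
# The parent image may contain spaces ("nursultan alpha.exe"); the child image here never does,
# so a greedy group followed by a non-space group splits the two names correctly.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+) (\S+)$")


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) for every well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


class ProcessTree:
    def __init__(self, text):
        self.image = {}                     # pid -> image name
        self.parent = {}                    # child pid -> parent pid
        self.children = defaultdict(list)   # parent pid -> child pids, first-seen order
        self.writes = defaultdict(int)      # (parent, child) -> number of write rows
        for ppid, cpid, pimg, cimg in parse_rows(text):
            self.image.setdefault(ppid, pimg)
            self.image.setdefault(cpid, cimg)
            self.writes[(ppid, cpid)] += 1
            if cpid not in self.parent:     # a repeated row is the same creation, not a new child
                self.parent[cpid] = ppid
                self.children[ppid].append(cpid)

    def roots(self):
        """Processes that are never written to by another: the submitted sample, here."""
        return [pid for pid in self.image if pid not in self.parent]

    def ancestry(self, pid):
        """Return pids from the root down to pid, e.g. [168, 2108, 1932, 2572, 4108, 1720]."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]

    def render(self, pid=None, depth=0):
        """Indented text tree; depth 0 is the submitted sample."""
        if pid is None:
            return "\n".join(self.render(r) for r in self.roots())
        lines = [f"{'  ' * depth}{self.image[pid]} (PID {pid})"]
        for c in self.children.get(pid, []):
            lines.append(self.render(c, depth + 1))
        return "\n".join(lines)


if __name__ == "__main__":
    tree = ProcessTree(WPM_ROWS)
    print(tree.render())
    print("\nchain to unsecapp.exe:", " -> ".join(tree.image[p] for p in tree.ancestry(1720)))
```

The rendered tree has eight processes, which is exactly the non-schtasks part of the Processes list below; the write count per pair (three into each WScript.exe child, two into the others) is kept in case the same table is later used to distinguish plain creation from injection, where the counts and target addresses would differ.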
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe"
  - DcRat
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 168
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2108
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1932
      [depth 4] C:\AgentDriversavesrefmonitor\browserFontdll.exe
        cmdline: "C:\AgentDriversavesrefmonitor\browserFontdll.exe"
        - DcRat
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2572
        [depth 5] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat"
          - Suspicious use of WriteProcessMemory
          PID: 4108
          [depth 6] C:\Windows\system32\w32tm.exe
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 5060
          [depth 6] C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe
            cmdline: "C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 1720
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\file.vbs"
    PID: 4984
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\cmd.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4480
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4876
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3164
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 760
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 444
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3316
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4084
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 800
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4572
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1536
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5100
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2772
[depth 1] C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4048
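The twelve schtasks.exe registrations above follow one pattern per dropped binary: an ONLOGON task with /rl HIGHEST plus two MINUTE-interval tasks, the second of which reuses the first's name and, because every command carries /f, silently replaces it (so "cmdc" ends up at /mo 11 with HIGHEST, and all eight surviving tasks run at the highest available privilege). Each /tr target borrows the name of a Windows binary (cmd.exe, spoolsv.exe, sihost.exe, unsecapp.exe) but lives outside that binary's real directory, and every registration has wmiprvse.exe as its parent, which is what a process started through WMI looks like. The Python below is an added example, not the sandbox's code: it parses these command lines (copied from the process list as a constructed input), replays them to get the final task set, and raises the checks a hunter would want. The EXPECTED_DIR table is an assumption about a default Windows install.

```python
"""Triage the schtasks.exe /create command lines from this report for persistence IoCs."""
import re
from collections import Counter

# Constructed input: "parent image|command line" for the twelve schtasks.exe processes in the
# report's process list. Every one of them was spawned by wmiprvse.exe (PID 3852).
SCHTASKS_EVENTS = r"""
wmiprvse.exe|schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\cmd.exe'" /f
wmiprvse.exe|schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /f
wmiprvse.exe|schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /f
wmiprvse.exe|schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /f
wmiprvse.exe|schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f
wmiprvse.exe|schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f
""".strip().splitlines()

# Assumption: where the genuine binaries of these names live on a default install. Extend with
# the SysWOW64 copies (where they exist) before running this against a live 64-bit host.
EXPECTED_DIR = {
    "cmd.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "sihost.exe": r"C:\Windows\System32",
    "unsecapp.exe": r"C:\Windows\System32\wbem",
}

OPTION_RE = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    # /tr is double-quoted and, as this sample writes it, wrapped in a second pair of single quotes
    "tr": re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_create(cmdline):
    """Return the options of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r"\bschtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None,
            "rl": "LIMITED",                       # schtasks' default run level
            "force": re.search(r"\s/f(\s|$)", cmdline, re.I) is not None}
    for key, rx in OPTION_RE.items():
        m = rx.search(cmdline)
        if m:
            task[key] = int(m.group(1)) if key == "mo" else m.group(1)
    return task


def assess(parent_image, task):
    """Findings a hunter would raise for one task registration."""
    findings = []
    directory, _, binary = task["tr"].rpartition("\\")
    expected = EXPECTED_DIR.get(binary.lower())
    if expected and directory.lower() != expected.lower():
        findings.append(f"masquerade: {binary} expected under {expected}, task runs {task['tr']}")
    if parent_image.lower() == "wmiprvse.exe":
        findings.append("registered via WMI: parent is wmiprvse.exe, creator hidden from process tree")
    if task["rl"].upper() == "HIGHEST":
        findings.append("runs at highest available privilege (/rl HIGHEST)")
    if (task["sc"] or "").upper() == "MINUTE" and task["mo"] is not None and task["mo"] <= 15:
        findings.append(f"re-launched every {task['mo']} min (watchdog pattern)")
    return findings


def final_tasks(events):
    """Replay the registrations in order. With /f, schtasks replaces an existing task of the
    same name, so the last registration wins; without /f the duplicate would be refused."""
    state = {}
    for line in events:
        parent_image, cmdline = line.split("|", 1)
        task = parse_create(cmdline)
        if task is None or (task["tn"] in state and not task["force"]):
            continue
        state[task["tn"]] = {**task, "parent": parent_image, "findings": assess(parent_image, task)}
    return state


def targets_by_binary(events):
    """Registrations per /tr target; this sample registers three tasks for each dropped binary."""
    return Counter(parse_create(line.split("|", 1)[1])["tr"] for line in events)


if __name__ == "__main__":
    for name, t in final_tasks(SCHTASKS_EVENTS).items():
        print(f"{name}: {t['sc']} {t['mo'] or ''} -> {t['tr']}")
        for finding in t["findings"]:
            print("   !", finding)
```

On a live host the same parser can be run over the command lines in Sysmon event ID 1 or over the actions listed by `schtasks /query /xml`; the masquerade check is the cheapest high-signal one, since a genuine cmd.exe is never under C:\Windows\PLA and a genuine unsecapp.exe is never under C:\Windows\PolicyDefinitions.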
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 50B
MD5: fdee2979f8de0e9a4a11bfecb268b97a
SHA1: 2cdf74132e975745894a81db47814ff38e43a71c
SHA256: 9bf130c323cb7fee0ab32dfdd9e4065ede767babd5f763e96ebbe5f09f577028
SHA512: 281be0377447c63debf6d35b52a21c9b193ada7b9c153685cf99963d31dcff89070f167477be99f5fd959be1894bd59725023c1b1c1f5078fadecade14ca7557

Filesize: 1.8MB
MD5: 692f6967406106fc784223f04ec69b8c
SHA1: e6e174a86f9df6041a00d38f2b39506456f60602
SHA256: 424468b014466c994112ec496e18fd5d7a693b28b411c0ca52229704cd2ef574
SHA512: 14f14d50e76c2c179cb3c2b1ea1861fe0776b8eb7cb5798b277a1bf7fca2cd11e79a3355d28c36130deb4a916e462e314b38b346f7069ca86d765826ff14408f

Filesize: 215B
MD5: a732935b7511a789de0a7fe84b991d42
SHA1: b99ae053d5df9684f12da7ad90e6e8a56c9d0b4e
SHA256: b686a1c9ece16e8bf2e95a769128b30c047f14413dadddfc422f288dd6e8aa99
SHA512: e9b249a2419e5dbdd0e9cfd238f1f6e1559bdd1efc0264d52b4f4bb5fa10b128138a54d2060cecab4f62f815fafc952329a1e8377b756fd8178e4f41d87273d1

Filesize: 34B
MD5: 677cc4360477c72cb0ce00406a949c61
SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Filesize: 212B
MD5: 0f53b12e0a9936a2eae81863bcde8994
SHA1: 0e28cff0e08af514fd688cf33cadd0d3b73361e2
SHA256: 3616d7adfca2257eb39d813b298a365414423241a4374809c77bfe64a66584b8
SHA512: 14ac6d017f6bc061c2ad8839dfe3e93816829305fed7886e930c2b6626aa57d94b642e82a509bce8b701f070e01637a6fb4ac49b2dab3c19e5dec2e2eba4b0ee