Overview

overview

10

Static

static

10

Nursultan-...ha.exe

windows10-2004-x64

10

Nursultan-...ha.exe

windows10-ltsc 2021-x64

10

Nursultan-...ha.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1080s
  • max time network
    1150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-12-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan-Alpha-main/NursultanAlpha.exe

  • Size

    1.1MB

  • MD5

    04d47663369ae93c8a2325d1fdafd7da

  • SHA1

    d47262b1d1f8d938e44e98d96fbba35233166b53

  • SHA256

    11b323227ec42ebc937299ac946582c13253b8a707c371adeadd225ec14f2eee

  • SHA512

    78896538afd82ef2fe524502456510b3fc5dd0819bee92aaf0d002231b8bd11beee59f3a78d1bbbf2a33e6ab613f1b431cbf26fe8733b6ac70b69b2a47e92e1f

  • SSDEEP

    24576:S2G/nvxW3Wu0Toe7NtsNN4rnw4P1DtV5ffUAU0X:SbA3G8ehWGH5T

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan-Alpha-main\NursultanAlpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan-Alpha-main\NursultanAlpha.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeReviewintoCommon\q48d35.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgeReviewintoCommon\KPrICBKXTXtcR2zQA74oF3h.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\bridgeReviewintoCommon\ServerperfDhcp.exe
          "C:\bridgeReviewintoCommon\ServerperfDhcp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3828
          • C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
            "C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1116
  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3828
  • C:\Recovery\WindowsRE\sihost.exe
    C:\Recovery\WindowsRE\sihost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4688
  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:884
  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
    Filesize

    1KB

    MD5

    b4e91d2e5f40d5e2586a86cf3bb4df24

    SHA1

    31920b3a41aa4400d4a0230a7622848789b38672

    SHA256

    5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

    SHA512

    968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

    Download Submit

  • C:\bridgeReviewintoCommon\KPrICBKXTXtcR2zQA74oF3h.bat
    Filesize

    46B

    MD5

    e41e1eaeb38aaaf5f6faf47d84758997

    SHA1

    36a485ab4eed2b99b85975909b5a3e050c3e6477

    SHA256

    29cb59c43d4a211ecba7d832c97c54a8c546bcc55d7df79ba1a4b6f227ecb404

    SHA512

    9218604ee28e76dc8528d4e1e70382bafbc028c97e39e95428ad62a92481e8ed46358630b535183fd35db7e91be8224ae78bfdb7de1ba862b4d523b2acad3c37

    Download Submit

  • C:\bridgeReviewintoCommon\ServerperfDhcp.exe
    Filesize

    826KB

    MD5

    e2431fe3e9df46296c5172812bf43714

    SHA1

    d10efe8c25dc94b8f03deb224a321b93b30d0689

    SHA256

    c98b9c9410ff7194e6c06f5c697dbf2ce1a7dfddb022c44cf549ca348155bc58

    SHA512

    73e0786d5eb595c413155b00806d972d01a626e6a95958f270e5d4ffba5cbf73f6b7370a9af30f0bbaad974ce00dc2722634978e30593e6b71e5ebda983f612d

    Download Submit

  • C:\bridgeReviewintoCommon\q48d35.vbe
    Filesize

    223B

    MD5

    5adff5d24c943847d902dd7d8f4c8a76

    SHA1

    4f18d31eb01bcbf1b1d48580ce544a2f85073f69

    SHA256

    590143e99e94677b9194f9c4ac1e9a820de37b1a9d4ba9689c0cddb315877808

    SHA512

    908484d614e89b1c3df9c2dd1847f42da64cb4a8cf6e47535325591f7d9bb414c7caf7d93e88d49d048c34b506f5f8f8c3ddaeab38a8a689880baa0b7389bde2

    Download Submit

  • memory/3828-12-0x00007FFEE8773000-0x00007FFEE8775000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3828-13-0x0000000000DA0000-0x0000000000E76000-memory.dmp

    Filesize

    856KB

    Download