Analysis
-
max time kernel
61s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 04:35
General
-
Target
Nursultan Alpha.exe
-
Size
3.8MB
-
MD5
eb9f6fb7804c8c8dbd3ebb1d355fa173
-
SHA1
1a37eaa4e337486684f104578fd6bda83bbecd90
-
SHA256
8a67da8e48b02c1e2b697629fe80e2de89a8eabee46778b3d1c461a14848142d
-
SHA512
e94a0664474caa4b9a964b6cb83b9623ae2fe628b61ead3c90364e4168969884da4dd93340c96b48e49237a5b3748d4c881bcce7e299367e6a8f66408c8dded4
-
SSDEEP
98304:yX1GibnDr0kTmDBN68MiXWF21fGotJfqf+5Ybux:y1GibnkkTW68MATfGVf+5o4
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\c\j0rb9X1I2m1oleoOgwnJO7znjk9sCQMFXvhfZcscNZxn61N13golWBWN.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\c\RWyyAE.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\c\shvhost.exe"C:\/c/shvhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MrfUPDYpIx.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\c\shvhost.exe"C:\c\shvhost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD589cb79e1d42f837d7920fbf17b8403e0
SHA1ae1ef657b25a868f74bf150900af98baeb25ed4c
SHA2566a62db318eea0009f0b53380a597ddffdb8203f242515b7b44900d19a8ca9c1f
SHA51291fd649034b5a2c678eb412f1a7a2a88f9e065e8f6d3451376f986bc5d6aa96190fd5b94c968fcd1ddd975f289fc692423aa02a0b14cb53ecbb73b8923bb9502
-
Filesize
192B
MD50233ec8f3300bbc9d08ec59b1077ae4c
SHA1630ae8854f908b456da460193675175a2992b1b1
SHA25616cda85dc09af9ecb8710f227e8f7b3abc312ab9ad7512a5c7140be21f4a88b8
SHA512ea7591b3c55395ae51c339b8a4e55af578b1c49a0a7d2efc9a360c1f609f69e66a097f5b1a872a4dc170c1c1f84f309d58ffc733c0187f31a64e4b9085638457
-
Filesize
80B
MD5eb42e2ec27edbdf9cce20783e0c2f979
SHA1a36d55a0a0920852f7f583172a2dc16e3efbf1ff
SHA2568e77d1eba5650474ed6c0b5aa86baaeac4b1adca852dc89db67f36886b108108
SHA51273e61da6a2090b9100a5f335d76308e33844c28ce930d538c01692022666edbfa0538e715e3ff6644e35ec7f45d35fe957653c7e828d50c9ef1ff390ee3b4cf7
-
Filesize
198B
MD5b3d9fbae9b41bbf170e950d813bb8db1
SHA1534551e402cdd865417c42ab591d1806aec9e73f
SHA256c3c2429bd95c15775a3a3d611a5e9eb9276d6223395fbefe47978d4250afa019
SHA512169fec8b816e8a01ce09eeb7939631d88ab4e7953f2beb06087c9bcc157984f4fd20b0de3702054fb832fd1d4dfe82b7fee112da1b94247c1cddbeb73a97f43f
-
Filesize
3.5MB
MD531e600a210957ad4eb0937897528c65c
SHA115a576fe4341a9dabedae06e6677cc3006eec306
SHA256b19bf50129f50187e68591c6623aaaeef088fbda19d5e684b867e68e7bf5dfc3
SHA512682f9797a6aecb1171d10dc02f87f6d300c2948d6a519dbcc9f262ec1fef91d8ae2175cb108a871cf59edb34abe403f75600405332a4b47bc18c266c1ac3abf7
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
3.5MB
-
Filesize
8KB