Overview

overview

10

Static

static

1

NURSULTAN.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NURSULTAN.exe

  • Size

    2.1MB

  • Sample

    250119-rrwchs1may

  • MD5

    fd2d8d7d53e2bdd90497bb9b83d7f909

  • SHA1

    df1750dd2309196a3595f6bc6c99386e562276c0

  • SHA256

    98585e8fc301ec5becd9b995466c38981ac37102f917d52fba059261c4ae1647

  • SHA512

    fbe80cc5f0c3c6d914cc02c27c99f993719399da04302397c6254d623437a2580b82694a33c597d5a761f6d47996ed30bd468da44607e792e7542955b6378160

  • SSDEEP

    49152:lmqBYFzxwN2mF2mDY+FYFO954TOAghwA3fwQmJnc2+WAIZs0:cG2zxQD1mwAW/PFmpchWFB

Score
10/10
dcratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Targets

    • Target

      NURSULTAN.exe

    • Size

      2.1MB

    • MD5

      fd2d8d7d53e2bdd90497bb9b83d7f909

    • SHA1

      df1750dd2309196a3595f6bc6c99386e562276c0

    • SHA256

      98585e8fc301ec5becd9b995466c38981ac37102f917d52fba059261c4ae1647

    • SHA512

      fbe80cc5f0c3c6d914cc02c27c99f993719399da04302397c6254d623437a2580b82694a33c597d5a761f6d47996ed30bd468da44607e792e7542955b6378160

    • SSDEEP

      49152:lmqBYFzxwN2mF2mDY+FYFO954TOAghwA3fwQmJnc2+WAIZs0:cG2zxQD1mwAW/PFmpchWFB

    Score
    10/10
    dcratdiscoveryexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks