Analysis
-
max time kernel
98s -
max time network
99s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
19-01-2025 14:28
General
-
Target
NURSULTAN.exe
-
Size
2.1MB
-
MD5
fd2d8d7d53e2bdd90497bb9b83d7f909
-
SHA1
df1750dd2309196a3595f6bc6c99386e562276c0
-
SHA256
98585e8fc301ec5becd9b995466c38981ac37102f917d52fba059261c4ae1647
-
SHA512
fbe80cc5f0c3c6d914cc02c27c99f993719399da04302397c6254d623437a2580b82694a33c597d5a761f6d47996ed30bd468da44607e792e7542955b6378160
-
SSDEEP
49152:lmqBYFzxwN2mF2mDY+FYFO954TOAghwA3fwQmJnc2+WAIZs0:cG2zxQD1mwAW/PFmpchWFB
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"C:\Users\Admin\AppData\Local\Temp\NURSULTAN.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fYZNm3i7Xv.exe"C:\Users\Admin\AppData\Roaming\fYZNm3i7Xv.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe"C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0j0r2scp\0j0r2scp.cmdline"4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8731.tmp" "c:\Windows\System32\CSC4423BE21A09749CD8CCED3C76E3B03B.TMP"5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\SearchApp.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\fr-FR\csrss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OfficeClickToRun.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vvNz7vyJmQ.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe"C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 8322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4304 -ip 43041⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\fr-FR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\apppatch\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "YihSFVKFwnY" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "YihSFVKFwn" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "YihSFVKFwnY" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\YihSFVKFwn.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53472240ba9018b36cebbb3fa4d9ecde2
SHA1fa7d94af70df8bd1719c25cc1485c093354e3cb6
SHA2564ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449
SHA5124ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD590d696d6a8ab185c1546b111fa208281
SHA1b0ce1efde1dad3d65f7a78d1f6467d8a1090d659
SHA25678497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4
SHA5120a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba
-
Filesize
1KB
MD583d94e8aa23c7ad2db6f972739506306
SHA1bd6d73d0417971c0077f772352d2f538a6201024
SHA256dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881
SHA5124224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e
-
Filesize
488B
MD50dbcc7e7d5448f5b975f2ca75530461d
SHA1d8d216fac9922e829d996bd65eeb73ab05764d75
SHA256531cecd55b8571638cadd05fda7be3a9e51770d6b19e4ad781eb410a73b66352
SHA51241e5b085ed337af1f7c29610be0de621e9f161d406060cbfb5ec9c1fb7c017c1462e0550cfc4061a70d3ab01fa44899fb8c2ee885f9048f79a142672361ec50b
-
Filesize
1KB
MD537f8adc7efdd9be1cd016312f9ef787d
SHA1305e45bb55e48b5988103ec14cebdeff928e75ec
SHA256f6fabd71f4a8eed3945d8f5318efc4c51bdf630ba084510dcd51377ecd6af2c8
SHA5122c9d08f011e02401f3f119780b887da667d3c7ae6b4d32e912e060066faf272486c62145eefbdf5ffd8ad0e06181c46ebd59f77e637d3d965ecfa973ab8dbbb8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
221B
MD5526fcddc5bf35263b3c4981e3946b94e
SHA1c763991cd055ef324dd51e27be3e01cc849e17dd
SHA2563c226ad28bcf4be56f4bc03e702ffc8c52897ed187a0e0be118013052012ca5b
SHA51286e78ef9cbc90e7e998de80b43fd70af147982bb9573db2c564cce0d3f94b17a5d95c9c055b1148cc018884e055e126f44c5c043ac953830834cc334d7932a0e
-
Filesize
1.8MB
MD5c3a59b9df64f75bb34d4a18a59f1a9d1
SHA193066e297fe1be0c228e40078443670d655b743d
SHA256a4e26cfb8ec5fd1e36f33d02f196f711bcedb06baa02b6b50e1c588845d948dc
SHA512d39fb4e7202c9e31abc1f4802f9b29a0db4d53d636bae7f5051ff64d082ed668a7f45cf8d22728cc8ed7dc785efb603e89b5cecb24fa92c7ac5d395282f6d307
-
Filesize
18KB
MD5f3edff85de5fd002692d54a04bcb1c09
SHA14c844c5b0ee7cb230c9c28290d079143e00cb216
SHA256caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131
SHA512531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d
-
Filesize
371B
MD555ec8b132a35f6d6c4b6c8a1ae78167e
SHA14b44e9a29bb262c6db8a4c7f200d5c3cd5840aa6
SHA256dda9627d7b82e68da9da3219a7f7d0e6d0017243027942c8155a8cfd6691c80e
SHA512a1adce4b8cb9e83c5fed22d48d9cb0e58796864fa0c61dbf7aafb9002e2825d75dd61f4e3204836526df2d1346e6ee8a5f4cb632221a3e16d5149445940f97a2
-
Filesize
235B
MD5d35521e0821cb2abc9db335db88a3851
SHA15c8987b7529f9ef8ab024ffb7705412a7ed6afe9
SHA256ebb6967d5497d594a334b4aaac1f08f453c5c6e55ce19352531e5890700d35f6
SHA5122dc89892d24b779317c2fdda3c6287c9c879aa1748084b099ee6cf4d3fbeaad33384b20362ac96d95963b43e82d5cccb31acad86f13aea51c1739a96975380a4
-
Filesize
1KB
MD574ea237d4e807ef6a4ba567337ffe990
SHA13ae88dc47b87b88069e5049e48afc5fd1c513571
SHA2568dd81ac7dd07f708babaa8cddb161387c1aed69fe4ffd7775a5f5344ec623edf
SHA512d79333f2199b189e1c26cf090262b2e87d7154e07bad8621962279c58f31056c2a984574ce817d7aa9275af7cb5c3cc9d74cccf9afca77a370194e87e643cbdf
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
5.6MB
-
Filesize
2.1MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.9MB