Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-bgyf5ahd8x
Target NEAS.01a66ce702b81396f987e22d5c5513a0.exe
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67

Threat Level: Known bad

The file NEAS.01a66ce702b81396f987e22d5c5513a0.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

UAC bypass

DCRat payload

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies system certificate store

Uses Task Scheduler COM API

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 01:07

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 01:07

Reported

2023-11-18 01:10

Platform

win7-20231020-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Documents and Settings\WmiPrvSE.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAS.01a66ce702b81396f987e22d5c5513a0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistUI5C30\\NEAS.01a66ce702b81396f987e22d5c5513a0.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msfeeds\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\odbccu32\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\pdh\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\PerfLogs\\Admin\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Documents and Settings\WmiPrvSE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\odbccu32\dwm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Windows\System32\odbccu32\dwm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\pdh\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Windows\System32\msfeeds\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\odbccu32\6cb0b6c459d5d3455a3da700e713f2e2529862ff C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Windows\System32\odbccu32\RCX97CE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Windows\System32\pdh\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\pdh\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\msfeeds\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\msfeeds\cc11b995f2a76da408ea6a601e682e64743153ad C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\560854153607923c4c5f107085a7db67be01f252 C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\886983d96e3d3e31032c679b2d4ea91b6c05afef C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\RCX9DF8.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\RCX9FFC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Boot\PCAT\el-GR\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Documents and Settings\WmiPrvSE.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Documents and Settings\WmiPrvSE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A
N/A N/A C:\Documents and Settings\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Token: SeDebugPrivilege N/A C:\Documents and Settings\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe
PID 1100 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe
PID 1100 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe
PID 1120 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Windows\System32\cmd.exe
PID 1120 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Windows\System32\cmd.exe
PID 1120 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe C:\Windows\System32\cmd.exe
PID 1136 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1136 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1136 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1136 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Documents and Settings\WmiPrvSE.exe
PID 1136 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Documents and Settings\WmiPrvSE.exe
PID 1136 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Documents and Settings\WmiPrvSE.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Documents and Settings\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\odbccu32\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\pdh\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.01a66ce702b81396f987e22d5c5513a0" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5C30\NEAS.01a66ce702b81396f987e22d5c5513a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\PerfLogs\Admin\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msfeeds\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BeXS80QdQo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Documents and Settings\WmiPrvSE.exe

"C:\Documents and Settings\WmiPrvSE.exe"

Network

Country Destination Domain Proto
RU 92.63.192.30:80 92.63.192.30 tcp
RU 92.63.192.30:443 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
RU 92.63.192.30:443 tcp

Files

memory/1100-0-0x0000000000160000-0x000000000022A000-memory.dmp

memory/1100-1-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

memory/1100-2-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-3-0x0000000000150000-0x0000000000158000-memory.dmp

memory/1100-4-0x0000000000230000-0x0000000000238000-memory.dmp

memory/1100-5-0x0000000000240000-0x0000000000250000-memory.dmp

memory/1100-6-0x0000000000250000-0x0000000000258000-memory.dmp

memory/1100-7-0x0000000000480000-0x000000000048C000-memory.dmp

memory/1100-8-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/1100-9-0x0000000000470000-0x000000000047A000-memory.dmp

memory/1100-10-0x0000000000490000-0x0000000000498000-memory.dmp

memory/1100-11-0x0000000000460000-0x0000000000468000-memory.dmp

memory/1100-12-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/1100-13-0x0000000000580000-0x0000000000588000-memory.dmp

memory/1100-14-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/1100-17-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/1100-16-0x0000000000730000-0x0000000000738000-memory.dmp

memory/1100-15-0x0000000000570000-0x0000000000578000-memory.dmp

memory/1100-18-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/1100-19-0x0000000002090000-0x0000000002098000-memory.dmp

memory/1100-20-0x00000000020A0000-0x00000000020A8000-memory.dmp

memory/1100-21-0x0000000002130000-0x000000000213C000-memory.dmp

memory/1100-22-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/1100-23-0x000000001AF70000-0x000000001AFF0000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe

MD5 01a66ce702b81396f987e22d5c5513a0
SHA1 007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512 a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16

memory/1100-34-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-35-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-36-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-37-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-38-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-39-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-40-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-44-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

memory/1100-45-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-52-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-53-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-68-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-69-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-83-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-84-0x000000001AF70000-0x000000001AFF0000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe

MD5 0cf392f9ea23f40771d947fb9110ef83
SHA1 ce31df425826ee48678c1f486b6fa0630777e6f6
SHA256 0e750fc57f7bf6e9beb28cda4cb0dc9061bcd0ee05fcc4bf5f3e27aaf88fa73f
SHA512 3caefa3730f4ad652c86ffb73609978d6d0f0174fd8b17beda045164438fd30ca2858147d3b54d7af330ffe937f5ee8e88b1bce6b8571c01ced1d2776aeee5c5

C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe

MD5 01a66ce702b81396f987e22d5c5513a0
SHA1 007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512 a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16

memory/1100-87-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/1100-89-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

memory/1120-88-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

memory/1120-90-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1120-91-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1120-106-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1120-110-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1120-115-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1120-120-0x000000001AF50000-0x000000001AFD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BeXS80QdQo.bat

MD5 51d9abcacda6f2a709ba74a80aefb282
SHA1 6c079cb3983192ab4d88457d641570e093ebd2d1
SHA256 6fbba04f76dbb9ea740c4a2968ffc71ff0f95f3073330310e7c02bb537eb9d75
SHA512 91ff77fbb97e98c33fcae72b7394a81916dc97cf8453b80b4195e2f5ad684f689b06dc576ae5620341aa585250ccac3b5d5c9a9e9e60bd33b045cd4e18c56a06

memory/1120-129-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

C:\Documents and Settings\WmiPrvSE.exe

MD5 01a66ce702b81396f987e22d5c5513a0
SHA1 007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512 a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16

C:\Users\WmiPrvSE.exe

MD5 01a66ce702b81396f987e22d5c5513a0
SHA1 007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512 a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16

memory/1260-132-0x000007FEF4B30000-0x000007FEF551C000-memory.dmp

memory/1260-133-0x0000000001170000-0x000000000123A000-memory.dmp

memory/1260-134-0x000000001AD20000-0x000000001ADA0000-memory.dmp

memory/1260-135-0x000000001AD20000-0x000000001ADA0000-memory.dmp

memory/1260-136-0x000000001AD20000-0x000000001ADA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDDD3.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarDE91.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c613fdfb9df8f3675b742ebd92f7d6de
SHA1 662a6d81346e9fc92cd5f63fd12b4c5b3fb5db19
SHA256 988687a708dce151029a14fafa1883848db53e2b57b87169cccba3a44d94507e
SHA512 e86a15799acead92c34adf374c6e4f5b0a415442a814c7d5cfb0de58e3af30aee866ebd0a041072f774c5bd527b8324dd49f701d970bfe001f87c22cdd0e4746

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 01:07

Reported

2023-11-18 01:10

Platform

win10v2004-20231023-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\PerfLogs\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\bootstat\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Google\\Chrome\\Application\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\moshostcore\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\System32\moshostcore\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Program Files\Google\Chrome\Application\38384e6a620884a6b69bcc56f80d556f9200171c C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bootstat\explorer.exe C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
File created C:\Windows\bootstat\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\PerfLogs\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bootstat\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 178.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 147.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

C:\Windows\System32\moshostcore\taskhostw.exe

MD5 01a66ce702b81396f987e22d5c5513a0
SHA1 007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256 b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512 a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16