Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-c4at1saf3y
Target NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
SHA256 b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
Tags rat dcrat evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d

Threat Level: Known bad

The file NEAS.d316c5acd7974aaa1cab464245b38ac0.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

DcRat

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 02:37

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 02:37

Reported

2023-11-18 02:40

Platform

win7-20231025-en

Max time kernel

118s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\l_intl\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\KBDMAC\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\l_intl\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\Groupinghc\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\73725a82-739a-11ee-b301-ca9cbbc363d2\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\KBDMAC\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\l_intl\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\Groupinghc\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\System32\l_intl\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\System32\Groupinghc\RCX81C0.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\System32\l_intl\RCX7F11.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\System32\Groupinghc\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\KBDMAC\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\KBDMAC\cc11b995f2a76da408ea6a601e682e64743153ad C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\l_intl\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\System32\Groupinghc\886983d96e3d3e31032c679b2d4ea91b6c05afef C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\System32\KBDMAC\RCX7CFE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] C:\Windows\System32\l_intl\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob omitted] C:\Windows\System32\l_intl\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\l_intl\spoolsv.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\l_intl\spoolsv.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KBDMAC\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\l_intl\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\Groupinghc\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\l_intl\spoolsv.exe

"C:\Windows\System32\l_intl\spoolsv.exe"

Network

Country Destination Domain Proto
RU 92.63.192.30:80 92.63.192.30 tcp
RU 92.63.192.30:443 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
RU 92.63.192.30:443 tcp

Files

C:\Windows\System32\KBDMAC\winlogon.exe

MD5 d316c5acd7974aaa1cab464245b38ac0
SHA1 9c7636717bb1063e0801a769aeef01bf15af1bb4
SHA256 b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
SHA512 c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b

C:\Windows\System32\l_intl\spoolsv.exe

MD5 fcbdf31839b54fa1f1d745db24c485ab
SHA1 22bed2c4fee7ad87303f79741a15a8b3b4c98388
SHA256 3f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112
SHA512 5c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2

C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar92D2.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f01e350e566149df05621aa227fb2f52
SHA1 32f5b2eda5c27cf2291b548d40534b91cb8a908d
SHA256 d167d8873aa83d7a67493803a08cde3d7e4cc8f573f1bb883323f34233c59bb0
SHA512 43a58a68c97e10733f734f7c2177795f0730598a86bbb32510410612cfae4a320cb00f55a3ec7a093a268874874e046f65471e8eb688cc05703576930a77b061

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 02:37

Reported

2023-11-18 02:40

Platform

win10v2004-20231025-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RINTL.et-ee\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\e6c9b481da804f07baff8eff543b0a1441069b5d C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCXAE61.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File opened for modification C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\en-US-N\121e5b5079f7c0e46d90f99b3864022518bbbda9 C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16 C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\OfficeClickToRun.exe'" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe

MD5 d316c5acd7974aaa1cab464245b38ac0
SHA1 9c7636717bb1063e0801a769aeef01bf15af1bb4
SHA256 b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
SHA512 c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b