Analysis Overview
SHA256
b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
Threat Level: Known bad
The file NEAS.d316c5acd7974aaa1cab464245b38ac0.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
UAC bypass
Dcrat family
DCRat payload
DCRat payload
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Creates scheduled task(s)
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-18 02:37
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-18 02:37
Reported
2023-11-18 02:40
Platform
win7-20231025-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\KBDMAC\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\l_intl\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\Groupinghc\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\73725a82-739a-11ee-b301-ca9cbbc363d2\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\KBDMAC\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\l_intl\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\Groupinghc\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\System32\l_intl\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\System32\Groupinghc\RCX81C0.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\System32\l_intl\RCX7F11.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\System32\Groupinghc\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\KBDMAC\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\KBDMAC\cc11b995f2a76da408ea6a601e682e64743153ad | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\l_intl\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\System32\Groupinghc\886983d96e3d3e31032c679b2d4ea91b6c05afef | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\System32\KBDMAC\RCX7CFE.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | C:\Windows\System32\l_intl\spoolsv.exe |
| PID 2172 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | C:\Windows\System32\l_intl\spoolsv.exe |
| PID 2172 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | C:\Windows\System32\l_intl\spoolsv.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\l_intl\spoolsv.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KBDMAC\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\l_intl\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\Groupinghc\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\l_intl\spoolsv.exe
"C:\Windows\System32\l_intl\spoolsv.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 92.63.192.30:80 | 92.63.192.30 | tcp |
| RU | 92.63.192.30:443 | tcp | |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| RU | 92.63.192.30:443 | tcp |
Files
memory/2172-0-0x0000000000DE0000-0x0000000000EAA000-memory.dmp
memory/2172-1-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
memory/2172-2-0x0000000000D20000-0x0000000000DA0000-memory.dmp
memory/2172-3-0x00000000001D0000-0x00000000001D8000-memory.dmp
memory/2172-4-0x00000000003D0000-0x00000000003D8000-memory.dmp
memory/2172-5-0x00000000003E0000-0x00000000003F0000-memory.dmp
memory/2172-6-0x00000000003F0000-0x00000000003F8000-memory.dmp
memory/2172-7-0x0000000000420000-0x000000000042C000-memory.dmp
memory/2172-8-0x0000000000440000-0x000000000044A000-memory.dmp
memory/2172-9-0x0000000000410000-0x000000000041A000-memory.dmp
memory/2172-10-0x0000000000430000-0x0000000000438000-memory.dmp
memory/2172-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2172-12-0x0000000000450000-0x0000000000458000-memory.dmp
memory/2172-13-0x0000000000470000-0x0000000000478000-memory.dmp
memory/2172-14-0x0000000000490000-0x0000000000498000-memory.dmp
memory/2172-16-0x00000000004C0000-0x00000000004C8000-memory.dmp
memory/2172-17-0x0000000000560000-0x0000000000568000-memory.dmp
memory/2172-15-0x00000000004B0000-0x00000000004B8000-memory.dmp
memory/2172-18-0x00000000004D0000-0x00000000004D8000-memory.dmp
memory/2172-19-0x0000000000480000-0x0000000000488000-memory.dmp
memory/2172-20-0x0000000000570000-0x0000000000578000-memory.dmp
memory/2172-21-0x0000000000DB0000-0x0000000000DBC000-memory.dmp
memory/2172-22-0x0000000002370000-0x0000000002378000-memory.dmp
memory/2172-23-0x0000000000D20000-0x0000000000DA0000-memory.dmp
memory/2172-32-0x0000000000D20000-0x0000000000DA0000-memory.dmp
memory/2172-36-0x0000000000D20000-0x0000000000DA0000-memory.dmp
C:\Windows\System32\KBDMAC\winlogon.exe
| MD5 | d316c5acd7974aaa1cab464245b38ac0 |
| SHA1 | 9c7636717bb1063e0801a769aeef01bf15af1bb4 |
| SHA256 | b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d |
| SHA512 | c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b |
memory/2172-49-0x0000000000D20000-0x0000000000DA0000-memory.dmp
C:\Windows\System32\l_intl\spoolsv.exe
| MD5 | fcbdf31839b54fa1f1d745db24c485ab |
| SHA1 | 22bed2c4fee7ad87303f79741a15a8b3b4c98388 |
| SHA256 | 3f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112 |
| SHA512 | 5c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2 |
memory/2172-63-0x0000000000D20000-0x0000000000DA0000-memory.dmp
C:\Windows\System32\l_intl\spoolsv.exe
| MD5 | fcbdf31839b54fa1f1d745db24c485ab |
| SHA1 | 22bed2c4fee7ad87303f79741a15a8b3b4c98388 |
| SHA256 | 3f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112 |
| SHA512 | 5c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2 |
C:\Windows\System32\l_intl\spoolsv.exe
| MD5 | fcbdf31839b54fa1f1d745db24c485ab |
| SHA1 | 22bed2c4fee7ad87303f79741a15a8b3b4c98388 |
| SHA256 | 3f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112 |
| SHA512 | 5c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2 |
memory/2140-71-0x0000000000960000-0x0000000000A2A000-memory.dmp
memory/2140-72-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
memory/2140-73-0x000000001B130000-0x000000001B1B0000-memory.dmp
memory/2172-74-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
memory/2140-75-0x000000001B130000-0x000000001B1B0000-memory.dmp
memory/2140-76-0x000000001B130000-0x000000001B1B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar92D2.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2140-104-0x000000001B130000-0x000000001B1B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f01e350e566149df05621aa227fb2f52 |
| SHA1 | 32f5b2eda5c27cf2291b548d40534b91cb8a908d |
| SHA256 | d167d8873aa83d7a67493803a08cde3d7e4cc8f573f1bb883323f34233c59bb0 |
| SHA512 | 43a58a68c97e10733f734f7c2177795f0730598a86bbb32510410612cfae4a320cb00f55a3ec7a093a268874874e046f65471e8eb688cc05703576930a77b061 |
memory/2140-167-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-18 02:37
Reported
2023-11-18 02:40
Platform
win10v2004-20231025-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RINTL.et-ee\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\e6c9b481da804f07baff8eff543b0a1441069b5d | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCXAE61.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File opened for modification | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\121e5b5079f7c0e46d90f99b3864022518bbbda9 | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee\OfficeClickToRun.exe'" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/2712-0-0x0000000000470000-0x000000000053A000-memory.dmp
memory/2712-1-0x00007FFDE3560000-0x00007FFDE4021000-memory.dmp
memory/2712-2-0x000000001B070000-0x000000001B080000-memory.dmp
memory/2712-3-0x0000000000DE0000-0x0000000000DE8000-memory.dmp
memory/2712-4-0x00000000026A0000-0x00000000026A8000-memory.dmp
memory/2712-5-0x00000000026B0000-0x00000000026C0000-memory.dmp
memory/2712-6-0x00000000026C0000-0x00000000026C8000-memory.dmp
memory/2712-7-0x00000000026E0000-0x00000000026EC000-memory.dmp
memory/2712-8-0x000000001AFE0000-0x000000001AFEA000-memory.dmp
memory/2712-9-0x000000001AFF0000-0x000000001AFFA000-memory.dmp
memory/2712-10-0x000000001B4A0000-0x000000001B4A8000-memory.dmp
memory/2712-11-0x000000001AFD0000-0x000000001AFD8000-memory.dmp
memory/2712-12-0x000000001B000000-0x000000001B008000-memory.dmp
memory/2712-13-0x000000001B010000-0x000000001B018000-memory.dmp
memory/2712-14-0x000000001B020000-0x000000001B028000-memory.dmp
memory/2712-15-0x000000001B030000-0x000000001B038000-memory.dmp
memory/2712-17-0x000000001B050000-0x000000001B058000-memory.dmp
memory/2712-16-0x000000001B040000-0x000000001B048000-memory.dmp
memory/2712-18-0x000000001B060000-0x000000001B068000-memory.dmp
memory/2712-20-0x000000001B070000-0x000000001B080000-memory.dmp
memory/2712-23-0x000000001B2B0000-0x000000001B2BC000-memory.dmp
memory/2712-22-0x000000001B070000-0x000000001B080000-memory.dmp
memory/2712-21-0x000000001B2A0000-0x000000001B2A8000-memory.dmp
memory/2712-19-0x000000001B180000-0x000000001B188000-memory.dmp
memory/2712-24-0x000000001B2C0000-0x000000001B2C8000-memory.dmp
memory/2712-27-0x000000001B070000-0x000000001B080000-memory.dmp
memory/2712-35-0x000000001B070000-0x000000001B080000-memory.dmp
C:\Windows\Speech_OneCore\Engines\SR\en-US-N\sysmon.exe
| MD5 | d316c5acd7974aaa1cab464245b38ac0 |
| SHA1 | 9c7636717bb1063e0801a769aeef01bf15af1bb4 |
| SHA256 | b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d |
| SHA512 | c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b |
memory/2712-42-0x00007FFDE3560000-0x00007FFDE4021000-memory.dmp