Analysis Overview
SHA256
85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056
Threat Level: Known bad
The file NursultanLoader.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
DCRat payload
Downloads MZ/PE file
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 04:02
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 04:02
Reported
2024-05-31 04:05
Platform
win11-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delete System32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\ebf1f9fa8afd6d | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\SavesDllcommon\fontsaves.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SavesDllcommon\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\conhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delete System32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delete System32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delete System32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delete System32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "
C:\SavesDllcommon\fontsaves.exe
"C:\SavesDllcommon\fontsaves.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\SavesDllcommon\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\SavesDllcommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0s5aAbSAde.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\SavesDllcommon\conhost.exe
"C:\SavesDllcommon\conhost.exe"
C:\Users\Admin\AppData\Local\Temp\Delete System32.exe
"C:\Users\Admin\AppData\Local\Temp\Delete System32.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E4
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
"C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"
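The nine schtasks.exe lines above are the sample's persistence: each dropped payload is registered three times, under a task name that copies a Windows binary (cmd, services, conhost) plus a variant with one extra character, mixing a MINUTE trigger, an ONLOGON trigger and /rl HIGHEST, and pointing at an executable under C:\SavesDllcommon or C:\Program Files\VideoLAN\VLC\skins\fonts rather than System32. The following Python is an added example, not part of the sandbox report and not any vendor's detection logic: it parses those command lines (copied from the process list above as constructed input) and flags them. The heuristics, the list of system binary names, and the name / name-plus-one-character pairing rule are this example's own assumptions.

```python
"""Flag scheduled-task persistence from schtasks.exe /create command lines.

Added example, not part of the sandbox report. SAMPLE_CMDLINES is constructed
from the report's process list; SYSTEM_BINARY_NAMES and the heuristics below
are assumptions made for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /f
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\SavesDllcommon\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\SavesDllcommon\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\SavesDllcommon\conhost.exe'" /f
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\conhost.exe'" /rl HIGHEST /f
""".strip().splitlines()

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names a dropped binary is likely to borrow (assumption for this example).
SYSTEM_BINARY_NAMES = {"cmd.exe", "conhost.exe", "services.exe", "svchost.exe",
                       "lsass.exe", "csrss.exe", "explorer.exe", "dllhost.exe"}


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    modifier: str | None
    target: str
    run_level: str | None
    findings: list[str] = field(default_factory=list)


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted spans as one token (quotes removed)."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> ScheduledTask | None:
    """Return the task a 'schtasks /create' line registers, or None for any other line."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    args: dict[str, str | bool] = {}
    i = 1
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            args[key] = toks[i + 1]
            i += 2
        else:
            args[key] = True  # bare switches such as /create and /f
            i += 1
    if "/create" not in args or "/tr" not in args:
        return None
    # The report's lines wrap the target path in single quotes inside the double quotes.
    target = str(args["/tr"]).strip().strip("'")
    return ScheduledTask(
        name=str(args.get("/tn", "")),
        schedule=str(args.get("/sc", "")).upper(),
        modifier=str(args["/mo"]) if "/mo" in args else None,
        target=target,
        run_level=str(args["/rl"]).upper() if "/rl" in args else None,
    )


def assess(task: ScheduledTask) -> ScheduledTask:
    """Attach findings: masqueraded system binary, elevated run level, tight re-execution."""
    low = task.target.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS):
        task.findings.append(f"{base} outside a system directory")
    if task.run_level == "HIGHEST":
        task.findings.append("runs with highest privileges")
    if task.schedule == "MINUTE" and task.modifier and task.modifier.isdigit() \
            and int(task.modifier) <= 15:
        task.findings.append(f"re-executes every {task.modifier} min")
    return task


def analyze(cmdlines: list[str]) -> list[ScheduledTask]:
    """Parse and assess every schtasks /create line; other lines are ignored."""
    tasks = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is not None:
            tasks.append(assess(task))
    return tasks


def paired_targets(tasks: list[ScheduledTask]) -> dict[str, list[str]]:
    """Targets registered under both <name> and <name>+one character with a mix of
    MINUTE and ONLOGON triggers, the pattern every payload in this report follows."""
    by_target: dict[str, list[ScheduledTask]] = defaultdict(list)
    for t in tasks:
        by_target[t.target.lower()].append(t)
    hits: dict[str, list[str]] = {}
    for target, group in by_target.items():
        names = {t.name for t in group}
        paired = any(m != n and m.startswith(n) and len(m) == len(n) + 1
                     for n in names for m in names)
        if paired and {"MINUTE", "ONLOGON"} <= {t.schedule for t in group}:
            hits[target] = sorted(names)
    return hits


if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for t in found:
        print(f"{t.name:10} {t.schedule:8} {t.target}  -> {'; '.join(t.findings) or 'no findings'}")
    for target, names in paired_targets(found).items():
        print(f"paired registration for {target}: {names}")
```

Run over the report's lines every task is flagged at least once, and paired_targets returns the three payload paths. The same parser can be pointed at Sysmon event 1 or Security 4688 command lines; the w32tm /stripchart call in the process list is a common batch-file substitute for sleep and is worth treating as a timing marker rather than noise when it sits between a dropper and a scheduled-task burst.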
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0987391.xsph.ru | udp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| IE | 52.111.236.22:443 | | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
Files
C:\SavesDllcommon\gdNhr8l.vbe
| MD5 | 67750c3e2cc7970484d8e1f3e95c4454 |
| SHA1 | b4a6e933dfda3db9a2663798f421a2b06a0c5b35 |
| SHA256 | a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655 |
| SHA512 | d794c9fdc99334fe3627d03e63e41d67a6f47e5b1601eb3c4c9cd037dd6b74c238e3bd8510c7755fd4e6f366b140bf9b82d6fbe734237ee8d44de51a193c1fa9 |
C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat
| MD5 | 0a9ef172b5e9daeb9c3366842676eac9 |
| SHA1 | 18ce47e6f7a7dc2a4c0882a7fa1e69bc91f22cd2 |
| SHA256 | 4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6 |
| SHA512 | dc1985d420f4d7058529acd1afce2bd9e047f95074a3f12ca0923903bb3dab615fb938464d6a75adfd4a890aa3eeda9797c13bfb867bb02e02945af3c108d563 |
C:\SavesDllcommon\fontsaves.exe
| MD5 | 73ace1b8b0f1b1c088f11ee29b13ae6b |
| SHA1 | 4b7fa04aacb5a23ab37b9caaee8f852a1bd33bbc |
| SHA256 | 8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614 |
| SHA512 | 1e13cc8ac20c9e10cd13f78cb54e75b23ad255d1601d45ee78770f3cb74fe5e9bb3e84d8ca8f7c44659365da45a79b72be85d6433a8bbbac79b925839cc7e4d1 |
memory/4464-12-0x00007FFDEFC33000-0x00007FFDEFC35000-memory.dmp
memory/4464-13-0x0000000000EA0000-0x0000000000FD2000-memory.dmp
memory/4464-14-0x000000001BD60000-0x000000001BD7C000-memory.dmp
memory/4464-15-0x000000001BDD0000-0x000000001BE20000-memory.dmp
memory/4464-17-0x000000001BC40000-0x000000001BC4C000-memory.dmp
memory/4464-16-0x000000001BD80000-0x000000001BD96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0s5aAbSAde.bat
| MD5 | b3033fea848da45648728ca002c3589c |
| SHA1 | dc32ffa87b9600a386fd8df265458b7bc94090f7 |
| SHA256 | 1dce24f4212eea77aec6fcea662f27bb6a36b4f57dd4de6723ba32652a1b7f84 |
| SHA512 | 010588168c9ac2988388bc28ba7da91015291ce6bb1d83b3b925f682b7966fc93eb7d2da7dcb39652ca2c19023cf5ab47856d0917950caeac403e3bc9be76676 |
memory/3224-35-0x000000001B990000-0x000000001B99D000-memory.dmp
memory/3224-33-0x000000001C350000-0x000000001C396000-memory.dmp
memory/3224-34-0x000000001B450000-0x000000001B459000-memory.dmp
memory/3224-37-0x000000001B9A0000-0x000000001B9AB000-memory.dmp
memory/3224-36-0x000000001C3A0000-0x000000001C3BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Delete System32.exe
| MD5 | 07a9f858f9867f52163d7cec3bd899e3 |
| SHA1 | d7feae9f88b807606b747a27ac95ede57b2615f5 |
| SHA256 | 0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca |
| SHA512 | e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30 |
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
| MD5 | 137c1b0243beb35b6a0b6dbe632dc341 |
| SHA1 | b710da533d9a33f4d7fc78d317bbcee8dc95826d |
| SHA256 | 86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab |
| SHA512 | 49ee75b71223ed47ae81a089247ff3002d50f70ede8e57af42f73745bbf7cb8ee7c71c1ab5da9d967fbe0b2f9de5dad70f4a7f4cfe44ba104d5a60be53eccabf |
memory/2624-103-0x00000109253A0000-0x0000010925764000-memory.dmp
memory/2624-113-0x000001093FE00000-0x000001093FE0B000-memory.dmp
memory/2624-112-0x000001093FDE0000-0x000001093FDFE000-memory.dmp
memory/2624-111-0x000001093FCC0000-0x000001093FCCD000-memory.dmp
memory/2624-110-0x000001093FC90000-0x000001093FC99000-memory.dmp
memory/2624-109-0x00000109406F0000-0x0000010940736000-memory.dmp