Analysis Overview
SHA256
d7481cac8734f08d95bacc6aba8c846bc29edb591be84d85d2440a0f45dbba74
Threat Level: Known bad
The file NursultanClient.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 08:54
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 08:54
Reported
2024-05-31 08:57
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
| N/A | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\upfc.exe | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\upfc.exe | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115 | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comcontainerWebmonitorsvc\QCOFmH7q.bat" "
C:\comcontainerWebmonitorsvc\msComref.exe
"C:\comcontainerWebmonitorsvc\msComref.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComref" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\comcontainerWebmonitorsvc\smss.exe
"C:\comcontainerWebmonitorsvc\smss.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x494
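Added example (not part of the sandbox report or of the sample): a Python triage helper that parses the nine schtasks.exe /create command lines listed above and flags what they have in common: actions dropped outside the usual program directories, real Windows binary names (smss.exe, upfc.exe) planted outside System32, /rl HIGHEST, and minute-interval re-launch tasks alongside the ONLOGON ones. TRUSTED_ROOTS, SYSTEM_BINARY_NAMES and the 15-minute WATCHDOG_MINUTES threshold are assumptions, not data from the report.

```python
"""Triage the scheduled-task persistence recorded in the Processes section.

Added example, not part of the sandbox report or the sample. It parses the
nine ``schtasks.exe /create`` command lines (copied from the report) and
flags the traits that make them worth an investigation. TRUSTED_ROOTS,
SYSTEM_BINARY_NAMES and WATCHDOG_MINUTES are assumptions, not report data.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# The nine schtasks command lines from the Processes section, verbatim.
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f''',
    r'''schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /f''',
    r'''schtasks.exe /create /tn "msComref" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f''',
]

TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC_RE = re.compile(r"/sc\s+(\S+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
TR_RE = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # /tr "'path'" as in the report, or /tr "path"
RL_RE = re.compile(r"/rl\s+HIGHEST", re.I)
F_RE = re.compile(r"(^|\s)/f(\s|$)", re.I)


@dataclass
class ScheduledTask:
    name: str                 # /tn
    schedule: str             # /sc: MINUTE, ONLOGON, ...
    interval: Optional[int]   # /mo, only meaningful for MINUTE schedules
    action: str               # /tr: the path the task runs
    highest: bool             # /rl HIGHEST
    force: bool               # /f silently overwrites a task of the same name


def parse_schtasks_create(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task a ``schtasks /create`` line registers, or None for other lines."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr = TN_RE.search(cmdline), SC_RE.search(cmdline), TR_RE.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo = MO_RE.search(cmdline)
    return ScheduledTask(
        name=tn.group(1),
        schedule=sc.group(1).upper(),
        interval=int(mo.group(1)) if mo else None,
        action=tr.group(1).strip(),
        highest=bool(RL_RE.search(cmdline)),
        force=bool(F_RE.search(cmdline)),
    )


# Assumption: where a task action is expected to live on this estate.
TRUSTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64",
    r"C:\Program Files", r"C:\Program Files (x86)")]
SYSTEM_DIRS = TRUSTED_ROOTS[:2]
# Assumption: a short list of genuine Windows binary names that droppers borrow;
# a real deployment would compare against the full System32 inventory.
SYSTEM_BINARY_NAMES = {"smss.exe", "upfc.exe", "csrss.exe", "winlogon.exe", "svchost.exe"}
WATCHDOG_MINUTES = 15   # assumed threshold for "re-launched suspiciously often"


def assess(task: ScheduledTask) -> list:
    """Return the reasons this task deserves attention (empty list if none)."""
    reasons = []
    p = PureWindowsPath(task.action)   # PureWindowsPath compares case-insensitively
    if not any(root in p.parents for root in TRUSTED_ROOTS):
        reasons.append(f"action outside trusted roots: {task.action}")
    if p.name.lower() in SYSTEM_BINARY_NAMES and p.parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{p.name}' outside System32")
    if task.highest:
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if task.schedule == "MINUTE" and task.interval is not None and task.interval < WATCHDOG_MINUTES:
        reasons.append(f"re-launched every {task.interval} minutes")
    if task.schedule == "ONLOGON":
        reasons.append("logon-triggered")
    return reasons


def triage(cmdlines) -> dict:
    """Map each task name to its action and the merged findings of every /create call for it."""
    findings = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        entry = findings.setdefault(task.name, {"action": task.action, "reasons": set()})
        entry["reasons"].update(assess(task))
    return findings


def persistence_paths(cmdlines) -> list:
    """Distinct binaries the tasks keep alive: the files to collect from an infected host."""
    return sorted({t.action for t in map(parse_schtasks_create, cmdlines) if t})


if __name__ == "__main__":
    for name, entry in triage(SCHTASKS_CMDLINES).items():
        print(f"{name:10} -> {entry['action']}")
        for reason in sorted(entry["reasons"]):
            print(f"             - {reason}")
```

The same name is registered twice for each binary (for example "upfcu" with /mo 14, then again with /rl HIGHEST), which is why the findings are merged per task name rather than per command line; on a live host the equivalent check is to read each task's action from the Task Scheduler and apply assess() to it.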
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0989922.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 149.194.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
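Added example (not part of the sandbox report): a Python helper that reads the Network rows above and separates the resolver chatter (reverse lookups of every peer, forward lookups of a few names) and the Microsoft background connections from the one destination the sample contacted repeatedly over plaintext HTTP, 141.8.194.149:80 (a0989922.xsph.ru). The rows are copied from the table; RESOLVERS and BENIGN_SUFFIXES are assumptions about what counts as operating-system or sandbox noise, so the result is a candidate list for an analyst, not a verdict.

```python
"""Separate the repeated external contact in the Network table from sandbox noise.

Added example, not part of the sandbox report. The rows below are copied from
the Network section; RESOLVERS and BENIGN_SUFFIXES are assumptions about what
counts as operating-system or sandbox background traffic, so the output is a
candidate list for an analyst, not a verdict on any host.
"""
import re
from collections import Counter
from typing import Optional

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0989922.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 149.194.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0989922.xsph.ru | tcp |
"""

RESOLVERS = {"8.8.8.8"}   # assumption: the sandbox forwards DNS to this resolver
# assumption: domains whose traffic is Windows/sandbox background, not the sample's
BENIGN_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windows.com")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_rows(table: str) -> list:
    """Turn the pipe-delimited rows into dicts; header and malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'149.194.8.141.in-addr.arpa' -> '141.8.194.149'; None for any other name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_background(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_network(rows) -> dict:
    """Split rows into DNS lookups, background traffic and candidate C2 endpoints."""
    forward, reverse, hits = Counter(), [], Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["ip"] in RESOLVERS:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.append(ip)          # reverse lookup of a peer: resolver noise
            else:
                forward[r["domain"]] += 1   # a name something on the box resolved
            continue
        hits[(f"{r['ip']}:{r['port']}", r["domain"], r["proto"])] += 1
    candidates, background = [], []
    for (dest, domain, proto), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        entry = {"dest": dest, "domain": domain, "proto": proto, "hits": n,
                 "plaintext": dest.endswith(":80")}
        (background if is_background(domain) else candidates).append(entry)
    return {"forward_lookups": dict(forward), "reverse_lookups": reverse,
            "candidates": candidates, "background": background}


if __name__ == "__main__":
    result = triage_network(parse_rows(NETWORK_ROWS))
    for c in result["candidates"]:
        print(f"candidate: {c['domain']} {c['dest']} {c['proto']} x{c['hits']} plaintext={c['plaintext']}")
    print("background:", [(b["domain"], b["hits"]) for b in result["background"]])
    print("names resolved:", sorted(result["forward_lookups"]))
```

The reverse lookups are worth decoding rather than discarding: 149.194.8.141.in-addr.arpa is the PTR query for 141.8.194.149 itself, so the same endpoint shows up in both the DNS and the TCP rows, and the decoded list is a cheap cross-check that no other external peer was contacted without a matching forward lookup.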
Files
C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe
| MD5 | 5bd22e3a313a58c06fb058125c190ff1 |
| SHA1 | b78f042be1130c3e7e53b1a6b307d81b04db7d1a |
| SHA256 | 678960f5a802c56907c17696dcf24032de0af466fc51c52acfc073acafdbf796 |
| SHA512 | 9763aa6e18836687a35d864b11d5b393e5a894b9b2b2b0f807a2be09a3293629682b9a1203e9dc923f08cdbdb8d6b48f09eb1ea66fbe2b656b5debfa721727e8 |
memory/2680-8-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-9-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-10-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-20-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-19-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-18-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-17-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-16-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-15-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
memory/2680-14-0x000001EC135A0000-0x000001EC135A1000-memory.dmp
C:\comcontainerWebmonitorsvc\QCOFmH7q.bat
| MD5 | 1f04f28016b88fe0c71d5d7be904d0ce |
| SHA1 | f22967304324283edd54468044e9b90617bcf3a0 |
| SHA256 | 194e7d5c20652a0a19a2c47f8018750b1f01484902253b80199c8fef8464d2c6 |
| SHA512 | c799facb2e2c3cbdd63a6d5208656895ee758681c99fda5bc11eaaddef0444a5c66b2129b99f4220520948735239d98a90bb74cd12ca2db7b266249b9e95f0bf |
C:\comcontainerWebmonitorsvc\msComref.exe
| MD5 | 7c8a8de9865281c8407416e925b3f891 |
| SHA1 | 694341cbce25fca3ae33579ca5a9afbd7c255b3e |
| SHA256 | dcf3590f05eb0b79fda8788f177a40432efee3c860a793ebaf84f47b40eb98a6 |
| SHA512 | 46310a4675974226fbb4bb7ce522888aa58bed2147b658a8321fafbddc21f971c82c968d1de01334913c05c0d38ba62b6fb28ac5bd3d0a9fb588bc02c3f12aba |
memory/2632-25-0x0000000000460000-0x0000000000536000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat
| MD5 | 4cfb60f96ca7582df30ff07b83ee88d9 |
| SHA1 | 42b20cdc612153b2486fc5fc5843260e62554db2 |
| SHA256 | 93392efb627c655a6e671097972d2f4e61c97d00e8e83e6892414004b6f1cb08 |
| SHA512 | fa01de79ab5ad3c3205621755862b48751a63af6fd3b72cef193859d50e7f12f65c97ab859ddb592541620e0d1c67b1aeaa31c345b2d77ff51fdda2bba29fea4 |
memory/2532-41-0x000000001C570000-0x000000001C594000-memory.dmp
memory/2532-42-0x000000001C6E0000-0x000000001C78A000-memory.dmp