Malware Analysis Report

2024-10-10 12:59

Sample ID 240603-ebfkxaab3y
Target Nursultan.exe
SHA256 cf1f6eb66912ff5ad30f8940accdb1df9bb2f8f8cdf3f8d45a4febd48c5641b9
Tags
rat dcrat infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf1f6eb66912ff5ad30f8940accdb1df9bb2f8f8cdf3f8d45a4febd48c5641b9

Threat Level: Known bad

The file Nursultan.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:45

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:45

Reported

2024-06-03 03:48

Platform

win7-20240221-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Google\\CrashReports\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Google\\CrashReports\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\dwm.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\6cb0b6c459d5d3 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\ProviderInto\blocksurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\ProviderInto\blocksurrogate.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate data not reproduced in the report) C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProviderInto\blocksurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe
PID 2248 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe
PID 2248 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe
PID 2248 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe
PID 2708 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe
PID 2708 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe
PID 2708 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe
PID 2736 wrote to memory of 1508 N/A C:\ProviderInto\blocksurrogate.exe C:\Windows\System32\cmd.exe
PID 2736 wrote to memory of 1508 N/A C:\ProviderInto\blocksurrogate.exe C:\Windows\System32\cmd.exe
PID 2736 wrote to memory of 1508 N/A C:\ProviderInto\blocksurrogate.exe C:\Windows\System32\cmd.exe
PID 1508 wrote to memory of 1124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 1124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 1124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe
PID 1508 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe
PID 1508 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe
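The rows above record the process chain the sandbox saw, but only as a flat list of parent/child writes. The block below is an added example and not part of the sandbox output: it rebuilds the lineage Nursultan.exe -> WScript.exe -> cmd.exe -> blocksurrogate.exe -> cmd.exe -> {w32tm.exe, dwm.exe} from those rows (copied verbatim, one per unique pair), then applies two checks a triage analyst would want. First, which executables a script host (WScript or cmd) ultimately launched from outside C:\Windows or Program Files. Second, whether a given parent is on an allowlist for schtasks.exe, since the "Process spawned unexpected child process" section attributes every schtasks launch to wmiprvse.exe. The trusted-directory list and the parent allowlist are assumptions of the example, not something the report states.

```python
"""Rebuild the process lineage from the sandbox 'wrote to memory of' rows
and flag what the script hosts in that chain ended up launching.

Added example, not part of the sandbox report. The rows are copied from the
behavioral1 table above (one per unique parent/child pair); the trusted
directories and the expected-parent policy are assumptions of this example.
"""
import re

WPM_ROWS = [
    r"PID 2248 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2916 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2708 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe",
    r"PID 2736 wrote to memory of 1508 N/A C:\ProviderInto\blocksurrogate.exe C:\Windows\System32\cmd.exe",
    r"PID 1508 wrote to memory of 1124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 1508 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe",
]

# Image paths in these rows contain no spaces, so a whitespace split is safe;
# rows with spaces in paths would need the report's tabular form instead.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Parents that normally launch schtasks.exe on a workstation (assumed policy);
# the report attributes the schtasks launches to wmiprvse.exe, which is not one.
EXPECTED_PARENTS = {"schtasks.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "pwsh.exe", "svchost.exe"}}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Map child PID -> (parent PID, parent image, child image); duplicate rows collapse."""
    tree = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparseable row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        tree[int(cpid)] = (int(ppid), pimg, cimg)
    return tree


def lineage(tree, pid):
    """Image paths from the root ancestor down to pid; [] if pid never appears as a child."""
    if pid not in tree:
        return []
    chain, root = [], None
    while pid in tree:
        pid, root, image = tree[pid]   # walk up: pid becomes the parent PID
        chain.append(image)
    chain.append(root)                 # the top-most parent has no row of its own
    return chain[::-1]


def suspicious_descendants(chain):
    """Executables started (directly or transitively) by a script host from outside trusted dirs."""
    hits, under_host = [], False
    for image in chain:
        if basename(image) in SCRIPT_HOSTS:
            under_host = True
        elif under_host and not image.lower().startswith(TRUSTED_DIRS):
            hits.append(image)
    return hits


def unexpected_parent(parent_image: str, child_image: str) -> bool:
    """True when the child has an allowlist of parents and this parent is not on it."""
    child = basename(child_image)
    return child in EXPECTED_PARENTS and basename(parent_image) not in EXPECTED_PARENTS[child]


if __name__ == "__main__":
    tree = parse_rows(WPM_ROWS)
    for pid in (1124, 2480):          # the two leaves of the chain
        chain = lineage(tree, pid)
        print(" -> ".join(basename(p) for p in chain))
        for hit in suspicious_descendants(chain):
            print("   launched under a script host from an untrusted path:", hit)
    print("wmiprvse.exe -> schtasks.exe unexpected:",
          unexpected_parent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe"))
```

A trusted-directory rule on its own would pass C:\Program Files (x86)\Windows Portable Devices\dwm.exe, so in practice it is paired with a check on the file name (a dwm.exe anywhere but System32 is a masquerade). The w32tm /stripchart call at PID 1124, two samples five seconds apart against localhost, is a timing delay in the .bat before the relaunch of dwm.exe, not a time-sync action.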

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProviderInto\bg4vLJUaDkf5tC.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProviderInto\NmoUHUSCIv.bat" "

C:\ProviderInto\blocksurrogate.exe

"C:\ProviderInto\blocksurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe

"C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\dwm.exe"
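The scheduled tasks, the Winlogon Shell value and the Run keys above are variations on one trick: a copy of the payload named after a system binary (dwm.exe, wininit.exe) is placed in a directory where that binary never lives, then re-launched every few minutes and at logon with /rl HIGHEST. The following block is an added example, not part of the sandbox report. It parses schtasks /create command lines (three copied from the process list above), checks the target path against a table of where each impersonated binary legitimately resides, flags minute-granularity relaunch tasks and elevated run levels, and extracts every Winlogon Shell entry beyond explorer.exe. The directory table and the 15-minute threshold are the example's own assumptions.

```python
"""Triage the persistence artifacts above: scheduled-task command lines,
the Winlogon Shell value and Run-key data.

Added example, not sandbox output. The masquerade table and the
RELAUNCH_MINUTES threshold are assumptions of this example.
"""
import csv
import re

# Sample inputs copied from the behavioral1 process list and registry rows.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wininit.exe'" /f''',
]
WINLOGON_SHELL = r'explorer.exe, "C:\Program Files (x86)\Windows Portable Devices\dwm.exe", "C:\Program Files (x86)\Google\CrashReports\dwm.exe"'

# Binaries this sample impersonates and the only directory each one legitimately
# lives in on a 64-bit Windows install (assumed policy; extend for your estate).
LEGIT_DIR = {
    "dwm.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "taskhostw.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
RELAUNCH_MINUTES = 15  # a task that re-runs this often is a watchdog, not a job

_FIELD = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r'/sc\s+(\w+)', re.I),
    "modifier": re.compile(r'/mo\s+(\d+)', re.I),
    "action": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),   # schtasks wraps the path in "'...'"
    "runlevel": re.compile(r'/rl\s+(\w+)', re.I),
}


def is_masquerading(path: str) -> bool:
    """True when the file name is a known system binary but the directory is not its home."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    return name in LEGIT_DIR and directory != LEGIT_DIR[name]


def parse_schtasks(cmdline: str):
    """Fields of a 'schtasks /create' command line as a dict, or None for other verbs."""
    if "/create" not in cmdline.lower():
        return None
    task = {}
    for key, rx in _FIELD.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    task["modifier"] = int(task["modifier"]) if task["modifier"] else None
    task["force"] = bool(re.search(r"\s/f\b", cmdline, re.I))
    return task


def task_findings(task: dict) -> list:
    """Reasons a parsed task deserves attention, in a fixed order."""
    findings = []
    if task["action"] and is_masquerading(task["action"]):
        findings.append("masquerading binary")
    if (task["schedule"] or "").upper() == "MINUTE" and task["modifier"] and task["modifier"] <= RELAUNCH_MINUTES:
        findings.append("high-frequency relaunch")
    if (task["runlevel"] or "").upper() == "HIGHEST":
        findings.append("runs elevated")
    return findings


def winlogon_shell_extras(value: str) -> list:
    """Entries in the Winlogon Shell value beyond explorer.exe; each starts at every logon."""
    fields = next(csv.reader([value], skipinitialspace=True))   # csv handles the quoted paths
    return [f.strip() for f in fields if f.strip().lower() != "explorer.exe"]


def triage(schtasks_lines, shell_value):
    report = {"tasks": [], "shell_extras": winlogon_shell_extras(shell_value)}
    for line in schtasks_lines:
        task = parse_schtasks(line)
        if task:
            report["tasks"].append((task["name"], task["action"], task_findings(task)))
    return report


if __name__ == "__main__":
    result = triage(SCHTASKS_LINES, WINLOGON_SHELL)
    for name, action, flags in result["tasks"]:
        print(f"{name:<10} {action}  ->  {', '.join(flags) or 'nothing unusual'}")
    for extra in result["shell_extras"]:
        print("Winlogon Shell extra:", extra)
```

The same is_masquerading check applies to the Run-key data above (the surrounding quotes are stripped by the function) and to the behavioral2 paths C:\Windows\INF\smss.exe and C:\ProviderInto\taskhostw.exe. The certificate-store entry is deliberately not covered: the report does not reproduce the Blob, and a single root keyed by thumbprint appearing during the first HTTPS request (here to ipinfo.io) on a fresh image is worth checking against the Microsoft root update list before treating it as attacker-installed.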

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0990228.xsph.ru udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp

Files

C:\ProviderInto\bg4vLJUaDkf5tC.vbe

MD5 7f1bd72e83931ae16e0939d3dbc24d5b
SHA1 8e4ebd32d84a2e9e415c86b82332cf467e8ff1ab
SHA256 3478b04d7b9a3accf9d74e14f39493a5802938dbc774b2946a4c810ad3ee94af
SHA512 d22cad0ce50bfd7fd81c9b067d8388765f51d3fbe406e9008cce04fd0863e591781f26b6259a4b5c528ece7696f7ce3997720961582143ec5627306cce48c57c

C:\ProviderInto\NmoUHUSCIv.bat

MD5 f6f5d0c8f6feac0cb30c89fd1657cb64
SHA1 be50cec1500209cf68fe55f56b9dcc340546f454
SHA256 ea164f49511be36687b6c8aba7115701c6dd583f58589d948a72ea12de1c672e
SHA512 69a7947e16c893818a04887bf8b2e4a8cd22ad91ec9bfaa603c4eec99204c762d6d46493b0298520419f9818e2459ae372a8876b18f470b9138a1fb80f6ad258

C:\ProviderInto\blocksurrogate.exe

MD5 7ca99a0ca6db34fcfa842e5f6c203c94
SHA1 cf1a8e002cdd663e810281ff2b9093ddfa9527d0
SHA256 9de7ec4d1da007ad17d08ae860b474fec5ab46dd834584ba9fb36ff8a00b52f0
SHA512 17ae7000770c2f2e7918fad9e202c033bcf3c92490ca04f955142abe164b0583ac22a3659f4dc120643df8c51a9d11b832071dfe66fe2032d6d778d3d4b53a33

memory/2736-13-0x0000000000A80000-0x0000000000BDC000-memory.dmp

memory/2736-14-0x0000000000340000-0x000000000035C000-memory.dmp

memory/2736-16-0x0000000000390000-0x00000000003A2000-memory.dmp

memory/2736-15-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2736-17-0x0000000000490000-0x000000000049E000-memory.dmp

memory/2736-18-0x0000000000540000-0x000000000054C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat

MD5 e426c43551a7808b57736948b4c41b86
SHA1 4241f92961addbe9f4345a83870d96ab1d4a79de
SHA256 2e5c1c70b6232b6a108a14c01d1ec5c7d5b2b4699d952fd0447de01a90dcc175
SHA512 522681bdd8961d8c2c0abc9a2aaeda810a0b9b80451317e6c378eb0581b73f35b6ae5efc93e4483c18885c276efafa52a5b00f9c798eae1484053161d7f29582

memory/2480-34-0x00000000009C0000-0x0000000000B1C000-memory.dmp

memory/2480-35-0x0000000000450000-0x0000000000462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:45

Reported

2024-06-03 03:48

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\smss.exe\", \"C:\\ProviderInto\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\ProviderInto\blocksurrogate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\taskhostw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\INF\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\INF\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ProviderInto\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ProviderInto\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\smss.exe C:\ProviderInto\blocksurrogate.exe N/A
File opened for modification C:\Windows\INF\smss.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\INF\69ddcba757bf72 C:\ProviderInto\blocksurrogate.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProviderInto\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProviderInto\blocksurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\ProviderInto\taskhostw.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProviderInto\bg4vLJUaDkf5tC.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProviderInto\NmoUHUSCIv.bat" "

C:\ProviderInto\blocksurrogate.exe

"C:\ProviderInto\blocksurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\INF\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\ProviderInto\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProviderInto\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\ProviderInto\taskhostw.exe'" /rl HIGHEST /f

C:\ProviderInto\taskhostw.exe

"C:\ProviderInto\taskhostw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a0990228.xsph.ru udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp

Files

C:\ProviderInto\bg4vLJUaDkf5tC.vbe

MD5 7f1bd72e83931ae16e0939d3dbc24d5b
SHA1 8e4ebd32d84a2e9e415c86b82332cf467e8ff1ab
SHA256 3478b04d7b9a3accf9d74e14f39493a5802938dbc774b2946a4c810ad3ee94af
SHA512 d22cad0ce50bfd7fd81c9b067d8388765f51d3fbe406e9008cce04fd0863e591781f26b6259a4b5c528ece7696f7ce3997720961582143ec5627306cce48c57c

C:\ProviderInto\NmoUHUSCIv.bat

MD5 f6f5d0c8f6feac0cb30c89fd1657cb64
SHA1 be50cec1500209cf68fe55f56b9dcc340546f454
SHA256 ea164f49511be36687b6c8aba7115701c6dd583f58589d948a72ea12de1c672e
SHA512 69a7947e16c893818a04887bf8b2e4a8cd22ad91ec9bfaa603c4eec99204c762d6d46493b0298520419f9818e2459ae372a8876b18f470b9138a1fb80f6ad258

C:\ProviderInto\blocksurrogate.exe

MD5 7ca99a0ca6db34fcfa842e5f6c203c94
SHA1 cf1a8e002cdd663e810281ff2b9093ddfa9527d0
SHA256 9de7ec4d1da007ad17d08ae860b474fec5ab46dd834584ba9fb36ff8a00b52f0
SHA512 17ae7000770c2f2e7918fad9e202c033bcf3c92490ca04f955142abe164b0583ac22a3659f4dc120643df8c51a9d11b832071dfe66fe2032d6d778d3d4b53a33

memory/4372-12-0x00007FFFD3593000-0x00007FFFD3595000-memory.dmp

memory/4372-13-0x0000000000950000-0x0000000000AAC000-memory.dmp

memory/4372-14-0x0000000002B90000-0x0000000002BAC000-memory.dmp

memory/4372-15-0x000000001BC80000-0x000000001BCD0000-memory.dmp

memory/4372-16-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

memory/4372-17-0x0000000001380000-0x0000000001392000-memory.dmp

memory/4372-18-0x000000001C330000-0x000000001C858000-memory.dmp

memory/4372-19-0x000000001BC30000-0x000000001BC3E000-memory.dmp

memory/4372-20-0x000000001BC40000-0x000000001BC4C000-memory.dmp

memory/4592-36-0x0000000002640000-0x0000000002652000-memory.dmp