Malware Analysis Report

2024-10-10 12:59

Sample ID 240603-lzcbqaag2y
Target NurikCrackNewVersion.exe
SHA256 9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772

Threat Level: Known bad

The file NurikCrackNewVersion.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:57

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:57

Reported

2024-06-03 10:00

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\System.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7 C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\System.exe C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\27d1bcfc3c54e0 C:\netSvc\Msproviderserver.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\netSvc\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\netSvc\Msproviderserver.exe N/A
Token: SeDebugPrivilege N/A C:\netSvc\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 2552 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 2552 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 2552 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 2860 wrote to memory of 1624 N/A C:\netSvc\Msproviderserver.exe C:\Windows\System32\cmd.exe
PID 2860 wrote to memory of 1624 N/A C:\netSvc\Msproviderserver.exe C:\Windows\System32\cmd.exe
PID 2860 wrote to memory of 1624 N/A C:\netSvc\Msproviderserver.exe C:\Windows\System32\cmd.exe
PID 1624 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1624 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1624 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1624 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\netSvc\System.exe
PID 1624 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\netSvc\System.exe
PID 1624 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\netSvc\System.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe

"C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\netSvc\1TCP8vvjtWtNky92sAt.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\netSvc\WsWYaVY80xOTEmwO5LX.bat" "

C:\netSvc\Msproviderserver.exe

"C:\netSvc\Msproviderserver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\netSvc\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\netSvc\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\netSvc\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ALd2QSvdoh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\netSvc\System.exe

"C:\netSvc\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 cs71211.tw1.ru udp
RU 185.114.247.232:80 cs71211.tw1.ru tcp
US 8.8.8.8:53 vh422.timeweb.ru udp
RU 185.114.247.232:443 vh422.timeweb.ru tcp
RU 185.114.247.232:443 vh422.timeweb.ru tcp

Files

C:\netSvc\1TCP8vvjtWtNky92sAt.bat

MD5 9e97eb7b4fe7e7b2978f9ebdf6896f2d
SHA1 cdccef4e71f279347ff25fea52f53d5b640b0aea
SHA256 9d89a31f0e7b7d9fe52bf475b00ffb9fe24ea28d0905229467ee072246bb413b
SHA512 8a50d83ac64ed0c96a1a4db4e18a909e93d108b0d35481340e6a829d914fad604b9a0ef860d902b978a475fd15e4dca304db6952aa51fe8cf2010c2319887c91

C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe

MD5 d443149e014f135240a9aeca27fbfe1e
SHA1 3f541782e2333dc7aced3e77732f198ea37113cc
SHA256 bf426dcc90e02082ddaeee361aaa3deadd6249eed5156be07bd763086887793b
SHA512 8d3a16b1b608928f31ab6f0db12449dbb07b449e8a25647ebfb2671d9f12eb661b33a11b03f0c4771615f1afde3c70bde350df06d17a3273b4f1f5c064d5d381

C:\netSvc\WsWYaVY80xOTEmwO5LX.bat

MD5 e897bc8313657095107640d60d42da83
SHA1 803d583c033182a69af393bd1f239a2c23b76fb0
SHA256 5acdb6f1284aaa5e072c09bd68de498d21c344910ab2c2ccf83257305997c05f
SHA512 44d1d8ed11d4158cde19e7501fb2467e2c274f1a16f7e220d0ca163d8af8167582084954d5238b8c3485ebde903a24658dd608c9da1469a1864537f1cec26e1d

C:\netSvc\Msproviderserver.exe

MD5 4e4088d5176e77688154f64545051d8b
SHA1 3020231a4134839b3970c3cb10ed5d87ea174459
SHA256 046956b1eb9b2fc738698aa8222744b07c11e104e20a94d764ed7b1ac133fac0
SHA512 49599228d257f18aa2c0931569ea4eb917d0e793e30906940e521be6a5280580aee57bc96c62645a61241fb2843103da26fa3f443d7a724ceaaa4486c401d2a5

memory/2860-29-0x0000000000C50000-0x0000000000D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ALd2QSvdoh.bat

MD5 7d256dc6bcba698c9748966ceddb7eda
SHA1 70cdf11d22945c6fdaddf71a31f675b568952719
SHA256 7573b14031d79ec5d87e0f7c0b1b2deff4eb8ed7a6892bc32e861b15d03cdae3
SHA512 f10ef471ae5f8f11f40f376251e96f66b01ef13461093de039829299b91ac9bee92f85c44734fcaa9daeb134d747291d4bf07eaeff910404de83ec07aba09c54

memory/2316-47-0x0000000001240000-0x0000000001316000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6955.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:57

Reported

2024-06-03 10:00

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\netSvc\Msproviderserver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\netSvc\Msproviderserver.exe N/A
N/A N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\5b884080fd4f94 C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe C:\netSvc\Msproviderserver.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6cb0b6c459d5d3 C:\netSvc\Msproviderserver.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe C:\netSvc\Msproviderserver.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\088424020bedd6 C:\netSvc\Msproviderserver.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\netSvc\Msproviderserver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\netSvc\Msproviderserver.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 1020 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 1020 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\WScript.exe
PID 1020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 3644 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\netSvc\Msproviderserver.exe
PID 2896 wrote to memory of 1052 N/A C:\netSvc\Msproviderserver.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1052 N/A C:\netSvc\Msproviderserver.exe C:\Windows\System32\cmd.exe
PID 1052 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1052 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1052 wrote to memory of 4032 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\fontdrvhost.exe
PID 1052 wrote to memory of 4032 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\fontdrvhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe

"C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\netSvc\1TCP8vvjtWtNky92sAt.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\netSvc\WsWYaVY80xOTEmwO5LX.bat" "

C:\netSvc\Msproviderserver.exe

"C:\netSvc\Msproviderserver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\netSvc\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\netSvc\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\netSvc\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1DlF44ejOw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\fontdrvhost.exe

"C:\Recovery\WindowsRE\fontdrvhost.exe"
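The schtasks.exe command lines in the behavioral1 and behavioral2 process lists follow one template. For each dropped binary three tasks are created: one every N minutes, one at logon with /rl HIGHEST, and a second minute-interval task with /rl HIGHEST. The task names are the binary's stem, with the stem's first letter appended for the interval tasks (spoolsv/spoolsvs, lsass/lsassl, SystemS/System, RuntimeBroker/RuntimeBrokerR, fontdrvhost/fontdrvhostf). Every target is named after a Windows system process but lives outside System32: C:\Recovery\..., locale folders under Program Files (x86), C:\Windows\BitLockerDiscoveryVolumeContents, C:\netSvc. The Python below is an added example, not code from the sandbox or from the report: it parses such command lines and applies both checks (system-process name outside its trusted directory; the three-task naming and scheduling pattern). The process-name list, the trusted-directory list and all function names are this example's own assumptions. The sample input reuses nine lines from behavioral1 plus one constructed benign task pointing at the real conhost.exe, so the control shows the rules staying quiet.

```python
"""Flag DCRat-style scheduled-task persistence from schtasks /create command lines.

Added example for this report, not sandbox code. Both rules are derived from the
process lists in behavioral1 and behavioral2.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows process names the sample reuses for its dropped copies (assumed list).
# "system.exe" has no legitimate on-disk image at all: the System process is kernel-only.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "spoolsv.exe", "cmd.exe", "system.exe", "dwm.exe", "fontdrvhost.exe",
    "conhost.exe", "runtimebroker.exe", "winlogon.exe", "backgroundtaskhost.exe",
    "unsecapp.exe", "svchost.exe", "csrss.exe", "services.exe", "wininit.exe",
}
# Directories those names legitimately run from (exact match, case-insensitive).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}

# '/flag' or '/flag value'; a value is one double-quoted string or one bare token.
_FLAG_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')


@dataclass
class Task:
    name: str
    schedule: Optional[str]   # MINUTE, ONLOGON, ...
    modifier: Optional[int]   # /mo value for MINUTE schedules
    run_path: str             # /tr with the surrounding "'...'" quoting removed
    run_level: Optional[str]  # HIGHEST when /rl HIGHEST was given


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a 'schtasks /create' command line, or None for anything else."""
    flags = {}
    for key, value in _FLAG_RE.findall(cmdline):
        flags[key.lower()] = value.strip('"').strip("'") if value else ""
    if not all(k in flags for k in ("create", "tn", "tr")):
        return None
    mo = flags.get("mo", "")
    return Task(
        name=flags["tn"],
        schedule=flags.get("sc", "").upper() or None,
        modifier=int(mo) if mo.isdigit() else None,
        run_path=flags["tr"],
        run_level=flags.get("rl", "").upper() or None,
    )


def masquerades_system_binary(run_path: str) -> bool:
    """True when a system-process name runs from anywhere but its trusted directory."""
    base = ntpath.basename(run_path).lower()
    return base in SYSTEM_PROCESS_NAMES and ntpath.dirname(run_path).lower() not in TRUSTED_DIRS


@dataclass
class Finding:
    run_path: str
    tasks: List[Task] = field(default_factory=list)

    @property
    def masquerade(self) -> bool:
        return masquerades_system_binary(self.run_path)

    @property
    def dcrat_task_pattern(self) -> bool:
        """Names are stem or stem+first letter, with a MINUTE task and an ONLOGON/HIGHEST task."""
        stem = ntpath.splitext(ntpath.basename(self.run_path))[0]
        if not stem:
            return False
        names_ok = all(t.name in (stem, stem + stem[0]) for t in self.tasks)
        logon_highest = any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in self.tasks)
        minute = any(t.schedule == "MINUTE" for t in self.tasks)
        return names_ok and logon_highest and minute


def analyze(cmdlines) -> Dict[str, Finding]:
    """Group tasks by target binary; one Finding per distinct /tr path."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            by_target[task.run_path].append(task)
    return {path: Finding(path, tasks) for path, tasks in by_target.items()}


# Nine command lines copied from behavioral1, plus one constructed benign control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\netSvc\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\netSvc\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\netSvc\System.exe'" /rl HIGHEST /f''',
    # Constructed control (not from the report): one logon task for the real conhost.exe.
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\conhost.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for path, f in analyze(SAMPLE_CMDLINES).items():
        verdict = "ALERT" if f.masquerade and f.dcrat_task_pattern else "ok   "
        print(f"{verdict} {path} ({len(f.tasks)} tasks)")
```

The same parser runs unchanged over the behavioral2 list (RuntimeBroker.exe, winlogon.exe, dwm.exe, fontdrvhost.exe, conhost.exe, backgroundTaskHost.exe, unsecapp.exe), and the directory check is an exact match on purpose: C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe is under C:\Windows but is still flagged, whereas a prefix check on C:\Windows would miss it.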

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 cs71211.tw1.ru udp
RU 185.114.247.232:80 cs71211.tw1.ru tcp
US 8.8.8.8:53 vh422.timeweb.ru udp
RU 185.114.247.232:443 vh422.timeweb.ru tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 232.247.114.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe

MD5 d443149e014f135240a9aeca27fbfe1e
SHA1 3f541782e2333dc7aced3e77732f198ea37113cc
SHA256 bf426dcc90e02082ddaeee361aaa3deadd6249eed5156be07bd763086887793b
SHA512 8d3a16b1b608928f31ab6f0db12449dbb07b449e8a25647ebfb2671d9f12eb661b33a11b03f0c4771615f1afde3c70bde350df06d17a3273b4f1f5c064d5d381

C:\netSvc\1TCP8vvjtWtNky92sAt.bat

MD5 9e97eb7b4fe7e7b2978f9ebdf6896f2d
SHA1 cdccef4e71f279347ff25fea52f53d5b640b0aea
SHA256 9d89a31f0e7b7d9fe52bf475b00ffb9fe24ea28d0905229467ee072246bb413b
SHA512 8a50d83ac64ed0c96a1a4db4e18a909e93d108b0d35481340e6a829d914fad604b9a0ef860d902b978a475fd15e4dca304db6952aa51fe8cf2010c2319887c91

C:\netSvc\WsWYaVY80xOTEmwO5LX.bat

MD5 e897bc8313657095107640d60d42da83
SHA1 803d583c033182a69af393bd1f239a2c23b76fb0
SHA256 5acdb6f1284aaa5e072c09bd68de498d21c344910ab2c2ccf83257305997c05f
SHA512 44d1d8ed11d4158cde19e7501fb2467e2c274f1a16f7e220d0ca163d8af8167582084954d5238b8c3485ebde903a24658dd608c9da1469a1864537f1cec26e1d

C:\netSvc\Msproviderserver.exe

MD5 4e4088d5176e77688154f64545051d8b
SHA1 3020231a4134839b3970c3cb10ed5d87ea174459
SHA256 046956b1eb9b2fc738698aa8222744b07c11e104e20a94d764ed7b1ac133fac0
SHA512 49599228d257f18aa2c0931569ea4eb917d0e793e30906940e521be6a5280580aee57bc96c62645a61241fb2843103da26fa3f443d7a724ceaaa4486c401d2a5

memory/2896-17-0x0000000000770000-0x0000000000846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DlF44ejOw.bat

MD5 233ba28e8a6bca10941f6f31f1b69917
SHA1 c5c728f047cd41600c815b457806039833bc3798
SHA256 c73960154ab1a20d981574d6d7e6d44fa962172098316b89da31a409e022d3ce
SHA512 231d3ca46979827b2e2cb17ba72d8178350e261109505d2f363de148045e7b72cc3c2fa2a27122357391844d60c9fb50e98de3565e423d7be194c032c13e052c