dcrat | 2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80

Analysis

max time kernel
124s
max time network
126s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanCrack.exe
Size

1.7MB
MD5

062e3b4cd1878667da10f08bdd209dd6
SHA1

c6d785f9df07b202f2db280016c5773092dd111a
SHA256

2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80
SHA512

6e598e330cb1c9db77edca1ea51d8aaa1939278a3ba480e2eb922a8b0f17b28a768150dbdcf660ae51468967dd447580bc68bf428148ea1ccecec85c67719fd6
SSDEEP

49152:3BIjEaf0EC0bEvDC3B6Bo2UPjAgAecjJl/ud:xQEwvAC3oUPjuRlmd

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Users\\Default\\Recent\\fontdrvhost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Users\\Default\\Recent\\fontdrvhost.exe\", \"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3912	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
460	powershell.exe
3472	powershell.exe
1672	powershell.exe
1084	powershell.exe
4536	powershell.exe
4776	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	ProviderserverRuntimeperfcommon.exe

Executes dropped EXE 2 IoCs

pid	Process
3304	ProviderserverRuntimeperfcommon.exe
2148	OfficeClickToRun.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\OfficeClickToRun.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Recent\\fontdrvhost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\unsecapp.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\smss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Recent\\fontdrvhost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD47AD933FA2E46BFA73C1D4C33F7FB4E.TMP	csc.exe
File created	\??\c:\Windows\System32\gl7s3v.exe	csc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\69ddcba757bf72	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\unsecapp.exe	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\29c1c3cc0f7685	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\e6c9b481da804f	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\smss.exe	ProviderserverRuntimeperfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanCrack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2976	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	NursultanCrack.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	ProviderserverRuntimeperfcommon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2976	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe
320	schtasks.exe
1564	schtasks.exe
4316	schtasks.exe
4604	schtasks.exe
3600	schtasks.exe
2464	schtasks.exe
1848	schtasks.exe
1756	schtasks.exe
2156	schtasks.exe
4508	schtasks.exe
4348	schtasks.exe
2976	schtasks.exe
3736	schtasks.exe
3104	schtasks.exe
3084	schtasks.exe
3356	schtasks.exe
5044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe
3304	ProviderserverRuntimeperfcommon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	ProviderserverRuntimeperfcommon.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	powershell.exe
Token: SeSecurityPrivilege	460	powershell.exe
Token: SeTakeOwnershipPrivilege	460	powershell.exe
Token: SeLoadDriverPrivilege	460	powershell.exe
Token: SeSystemProfilePrivilege	460	powershell.exe
Token: SeSystemtimePrivilege	460	powershell.exe
Token: SeProfSingleProcessPrivilege	460	powershell.exe
Token: SeIncBasePriorityPrivilege	460	powershell.exe
Token: SeCreatePagefilePrivilege	460	powershell.exe
Token: SeBackupPrivilege	460	powershell.exe
Token: SeRestorePrivilege	460	powershell.exe
Token: SeShutdownPrivilege	460	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeSystemEnvironmentPrivilege	460	powershell.exe
Token: SeRemoteShutdownPrivilege	460	powershell.exe
Token: SeUndockPrivilege	460	powershell.exe
Token: SeManageVolumePrivilege	460	powershell.exe
Token: 33	460	powershell.exe
Token: 34	460	powershell.exe
Token: 35	460	powershell.exe
Token: 36	460	powershell.exe
Token: SeIncreaseQuotaPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeTakeOwnershipPrivilege	4536	powershell.exe
Token: SeLoadDriverPrivilege	4536	powershell.exe
Token: SeSystemProfilePrivilege	4536	powershell.exe
Token: SeSystemtimePrivilege	4536	powershell.exe
Token: SeProfSingleProcessPrivilege	4536	powershell.exe
Token: SeIncBasePriorityPrivilege	4536	powershell.exe
Token: SeCreatePagefilePrivilege	4536	powershell.exe
Token: SeBackupPrivilege	4536	powershell.exe
Token: SeRestorePrivilege	4536	powershell.exe
Token: SeShutdownPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeSystemEnvironmentPrivilege	4536	powershell.exe
Token: SeRemoteShutdownPrivilege	4536	powershell.exe
Token: SeUndockPrivilege	4536	powershell.exe
Token: SeManageVolumePrivilege	4536	powershell.exe
Token: 33	4536	powershell.exe
Token: 34	4536	powershell.exe
Token: 35	4536	powershell.exe
Token: 36	4536	powershell.exe
Token: SeIncreaseQuotaPrivilege	1084	powershell.exe
Token: SeSecurityPrivilege	1084	powershell.exe
Token: SeTakeOwnershipPrivilege	1084	powershell.exe
Token: SeLoadDriverPrivilege	1084	powershell.exe
Token: SeSystemProfilePrivilege	1084	powershell.exe
Token: SeSystemtimePrivilege	1084	powershell.exe
Token: SeProfSingleProcessPrivilege	1084	powershell.exe
Token: SeIncBasePriorityPrivilege	1084	powershell.exe
Token: SeCreatePagefilePrivilege	1084	powershell.exe
Token: SeBackupPrivilege	1084	powershell.exe
Token: SeRestorePrivilege	1084	powershell.exe
Token: SeShutdownPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeSystemEnvironmentPrivilege	1084	powershell.exe
Token: SeRemoteShutdownPrivilege	1084	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 5108	4868	NursultanCrack.exe	83
PID 4868 wrote to memory of 5108	4868	NursultanCrack.exe	83
PID 4868 wrote to memory of 5108	4868	NursultanCrack.exe	83
PID 5108 wrote to memory of 4068	5108	WScript.exe	91
PID 5108 wrote to memory of 4068	5108	WScript.exe	91
PID 5108 wrote to memory of 4068	5108	WScript.exe	91
PID 4068 wrote to memory of 3304	4068	cmd.exe	93
PID 4068 wrote to memory of 3304	4068	cmd.exe	93
PID 3304 wrote to memory of 3252	3304	ProviderserverRuntimeperfcommon.exe	97
PID 3304 wrote to memory of 3252	3304	ProviderserverRuntimeperfcommon.exe	97
PID 3252 wrote to memory of 3616	3252	csc.exe	99
PID 3252 wrote to memory of 3616	3252	csc.exe	99
PID 3304 wrote to memory of 4776	3304	ProviderserverRuntimeperfcommon.exe	115
PID 3304 wrote to memory of 4776	3304	ProviderserverRuntimeperfcommon.exe	115
PID 3304 wrote to memory of 4536	3304	ProviderserverRuntimeperfcommon.exe	116
PID 3304 wrote to memory of 4536	3304	ProviderserverRuntimeperfcommon.exe	116
PID 3304 wrote to memory of 1084	3304	ProviderserverRuntimeperfcommon.exe	117
PID 3304 wrote to memory of 1084	3304	ProviderserverRuntimeperfcommon.exe	117
PID 3304 wrote to memory of 3472	3304	ProviderserverRuntimeperfcommon.exe	118
PID 3304 wrote to memory of 3472	3304	ProviderserverRuntimeperfcommon.exe	118
PID 3304 wrote to memory of 460	3304	ProviderserverRuntimeperfcommon.exe	119
PID 3304 wrote to memory of 460	3304	ProviderserverRuntimeperfcommon.exe	119
PID 3304 wrote to memory of 1672	3304	ProviderserverRuntimeperfcommon.exe	120
PID 3304 wrote to memory of 1672	3304	ProviderserverRuntimeperfcommon.exe	120
PID 3304 wrote to memory of 4904	3304	ProviderserverRuntimeperfcommon.exe	127
PID 3304 wrote to memory of 4904	3304	ProviderserverRuntimeperfcommon.exe	127
PID 4904 wrote to memory of 2632	4904	cmd.exe	129
PID 4904 wrote to memory of 2632	4904	cmd.exe	129
PID 4904 wrote to memory of 2976	4904	cmd.exe	130
PID 4904 wrote to memory of 2976	4904	cmd.exe	130
PID 4904 wrote to memory of 2148	4904	cmd.exe	133
PID 4904 wrote to memory of 2148	4904	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe
      "C:\PortcomproviderMonitor/ProviderserverRuntimeperfcommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z4mcs25o\z4mcs25o.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2798.tmp" "c:\Windows\System32\CSCD47AD933FA2E46BFA73C1D4C33F7FB4E.TMP"
        6⤵
        
        PID:3616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UFTY7EemqG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2632
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
      - C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe"
        6⤵
        Executes dropped EXE
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 8 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommon" /sc ONLOGON /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 7 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat

Filesize
106B

MD5
94909fd684f66eecfdac274e00d5a363

SHA1
fc11a50df025ba0328607f63d78faf777e5766d4

SHA256
4d93125e77e0240100adfd50d5599c0b65f3903a0df5e390361d9815458674af

SHA512
f79dd275cbb96ee0f1ff9a5df479adb300644ac26d28785d8ab17ae5d95670cf388cce2d9ea4ef8454f9287e3641fe5ad826fab3596c765d68af2301adb2a9f1

Download Submit
C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe

Filesize
1.9MB

MD5
f03f8a942b3ec90eb92280717f3c7394

SHA1
fea40f92b76757c2259d486b0ea2d138e9efc02c

SHA256
4933a81b1bb2b13cda06a4941791b30d1f663ff9f47ec15b09cd34d7f0c1c92a

SHA512
a74dbc33a0c2e6c6043e148c539d4a63602ba646eb2830c604ea2b186fa9d235c7aebe440ff453c29220ed19b63665ebd9a83b8bb6c02383e14453eb1645fae8

Download Submit
C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe

Filesize
228B

MD5
8f57fc07cea683f126f6a490d3e1f0c9

SHA1
9e28edb72eaeee5be52030dc9a99e9dbb6963cd7

SHA256
c3891378665c83eb627171ba132a9c4f596d3b3394765a75fe86636b4d50f63c

SHA512
a79a82e8c496758e1473fd7dc365d75ba2a638d9718de6a1dbb6249b2d87abe2461ad975bf9758fb2f04a84ced8820a2990b619180dbdee0504d8da714cbcaef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2798.tmp

Filesize
1KB

MD5
7f76e4d853aa008497a58ba808149c7d

SHA1
d6adcf95ae234cf0004b5264c79abf256af07a8d

SHA256
3d952dd061ed3044c0f52177bd6b41bc854227b5ab31d285f11f99a8a0df4e0a

SHA512
62b6ef75619b57a7cb56de267c58a5dccbefe0ddc1401643720e7f05071de6c1749b018e210692a608b14b15e6e86aaba2be33a654bddc610f46f2d874a8afec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UFTY7EemqG.bat

Filesize
194B

MD5
e13ff2367e58d1105bc26225287432da

SHA1
75717e1c16b51e45aeedcfec2fdddd288e2f6d63

SHA256
25f609af29254988480a96cce7a35edfe899c036fb6cde1c66b6c55398ef636c

SHA512
885cf3c20d730da0932754c53c3c83b4a07257878300f5025571b63657f273951d25738c04ecd4c3d0bb433429ac8c3db97c026249b055b67bc71edaafa2e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bydzp531.ytw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z4mcs25o\z4mcs25o.0.cs

Filesize
398B

MD5
3572250aa03b1e153912ed791dcb08fb

SHA1
7acce6fa730c9fa3b09db84e5c5c13cdbe387d24

SHA256
f1cb05760ed1280e6a8457999fe6e534c755fc3feb5514a22b24173d7ee1018a

SHA512
f658cd6a79a73c107be17ce8b712121a1d16556b72ddaec9fb04fec37bc91af5fb4db2d2cf579fecf9b852289e8b6919f6c9948a361335fdf03a7299a1f70fb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z4mcs25o\z4mcs25o.cmdline

Filesize
235B

MD5
df5880ad7090d70d1c207e034a3b0bc8

SHA1
96a9de9f64c1821fe25cd39cc77ea89dc1059728

SHA256
d3c3bdaaced067546f7341a51c963f64307d4ee5b094091cf6f19409204dc292

SHA512
c4293c4a351477a0efcf29e8584222a76b49f282eb918445b38134b30f287967d76a93c49220b2a704763d393e2bb877d776b58cd4b46d156987441b4c48af0a

Download Submit
\??\c:\Windows\System32\CSCD47AD933FA2E46BFA73C1D4C33F7FB4E.TMP

Filesize
1KB

MD5
5b58fb8248746f1db04ad2d8f13d15ec

SHA1
dc2fd69ae3111e0dce9034a2fed53dce5873cd14

SHA256
475f13f3048c83e93b4fd63d0c3977711855ab2d81d2854e4f8de99d8952d18e

SHA512
6f2e3f4fd2b5bc365c5e7cc14331167ebb29a20970ce582d2b9386b05abe219bba29109b005f5c7aad5a0e2f3bfe3375811753c8a70b5c872fb9ff8481a40d0c

Download Submit
memory/2148-132-0x000000001D140000-0x000000001D254000-memory.dmp

Filesize
1.1MB

Download
memory/3304-20-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/3304-29-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/3304-27-0x0000000002530000-0x000000000253E000-memory.dmp

Filesize
56KB

Download
memory/3304-25-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/3304-23-0x0000000002580000-0x0000000002598000-memory.dmp

Filesize
96KB

Download
memory/3304-21-0x000000001B420000-0x000000001B470000-memory.dmp

Filesize
320KB

Download
memory/3304-18-0x00000000024D0000-0x00000000024DE000-memory.dmp

Filesize
56KB

Download
memory/3304-16-0x0000000000230000-0x0000000000420000-memory.dmp

Filesize
1.9MB

Download
memory/3304-15-0x00007FFCFB743000-0x00007FFCFB745000-memory.dmp

Filesize
8KB

Download
memory/4776-65-0x00000217E90C0000-0x00000217E90E2000-memory.dmp

Filesize
136KB

Download