dcrat | 2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanCrack.exe
Size

1.7MB
MD5

062e3b4cd1878667da10f08bdd209dd6
SHA1

c6d785f9df07b202f2db280016c5773092dd111a
SHA256

2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80
SHA512

6e598e330cb1c9db77edca1ea51d8aaa1939278a3ba480e2eb922a8b0f17b28a768150dbdcf660ae51468967dd447580bc68bf428148ea1ccecec85c67719fd6
SSDEEP

49152:3BIjEaf0EC0bEvDC3B6Bo2UPjAgAecjJl/ud:xQEwvAC3oUPjuRlmd

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\", \"C:\\Users\\Default\\Favorites\\csrss.exe\", \"C:\\PortcomproviderMonitor\\cmd.exe\", \"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\", \"C:\\Users\\Default\\Favorites\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\", \"C:\\Users\\Default\\Favorites\\csrss.exe\", \"C:\\PortcomproviderMonitor\\cmd.exe\""	ProviderserverRuntimeperfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2728	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2728	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2500	powershell.exe
1872	powershell.exe
1304	powershell.exe
944	powershell.exe
1940	powershell.exe
828	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

ProviderserverRuntimeperfcommon.exesppsvc.exe

pid	Process
564	ProviderserverRuntimeperfcommon.exe
2480	sppsvc.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2176	cmd.exe
2176	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\ja-JP\\winlogon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\ja-JP\\winlogon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Favorites\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Favorites\\csrss.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortcomproviderMonitor\\cmd.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\ja-JP\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortcomproviderMonitor\\cmd.exe\""	ProviderserverRuntimeperfcommon.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA1A7045D8CBD43568674F5132B43F751.TMP	csc.exe
File created	\??\c:\Windows\System32\gxbog2.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\0a1fd5f707cd16	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe	ProviderserverRuntimeperfcommon.exe

Drops file in Windows directory 2 IoCs

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
File created	C:\Windows\ja-JP\winlogon.exe	ProviderserverRuntimeperfcommon.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	ProviderserverRuntimeperfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NursultanCrack.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanCrack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2800	schtasks.exe
1976	schtasks.exe
2736	schtasks.exe
1308	schtasks.exe
1924	schtasks.exe
2872	schtasks.exe
2492	schtasks.exe
1632	schtasks.exe
336	schtasks.exe
1380	schtasks.exe
1128	schtasks.exe
1436	schtasks.exe
1044	schtasks.exe
2648	schtasks.exe
2404	schtasks.exe
1816	schtasks.exe
1640	schtasks.exe
2412	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid	Process
2480	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderserverRuntimeperfcommon.exe

pid	Process
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe
564	ProviderserverRuntimeperfcommon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ProviderserverRuntimeperfcommon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exe

description	pid	Process
Token: SeDebugPrivilege	564	ProviderserverRuntimeperfcommon.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2480	sppsvc.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

NursultanCrack.exeWScript.execmd.exeProviderserverRuntimeperfcommon.execsc.execmd.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 2228	2096	NursultanCrack.exe	31
PID 2096 wrote to memory of 2228	2096	NursultanCrack.exe	31
PID 2096 wrote to memory of 2228	2096	NursultanCrack.exe	31
PID 2096 wrote to memory of 2228	2096	NursultanCrack.exe	31
PID 2228 wrote to memory of 2176	2228	WScript.exe	32
PID 2228 wrote to memory of 2176	2228	WScript.exe	32
PID 2228 wrote to memory of 2176	2228	WScript.exe	32
PID 2228 wrote to memory of 2176	2228	WScript.exe	32
PID 2176 wrote to memory of 564	2176	cmd.exe	34
PID 2176 wrote to memory of 564	2176	cmd.exe	34
PID 2176 wrote to memory of 564	2176	cmd.exe	34
PID 2176 wrote to memory of 564	2176	cmd.exe	34
PID 564 wrote to memory of 1492	564	ProviderserverRuntimeperfcommon.exe	39
PID 564 wrote to memory of 1492	564	ProviderserverRuntimeperfcommon.exe	39
PID 564 wrote to memory of 1492	564	ProviderserverRuntimeperfcommon.exe	39
PID 1492 wrote to memory of 2004	1492	csc.exe	41
PID 1492 wrote to memory of 2004	1492	csc.exe	41
PID 1492 wrote to memory of 2004	1492	csc.exe	41
PID 564 wrote to memory of 2500	564	ProviderserverRuntimeperfcommon.exe	57
PID 564 wrote to memory of 2500	564	ProviderserverRuntimeperfcommon.exe	57
PID 564 wrote to memory of 2500	564	ProviderserverRuntimeperfcommon.exe	57
PID 564 wrote to memory of 828	564	ProviderserverRuntimeperfcommon.exe	58
PID 564 wrote to memory of 828	564	ProviderserverRuntimeperfcommon.exe	58
PID 564 wrote to memory of 828	564	ProviderserverRuntimeperfcommon.exe	58
PID 564 wrote to memory of 1940	564	ProviderserverRuntimeperfcommon.exe	60
PID 564 wrote to memory of 1940	564	ProviderserverRuntimeperfcommon.exe	60
PID 564 wrote to memory of 1940	564	ProviderserverRuntimeperfcommon.exe	60
PID 564 wrote to memory of 944	564	ProviderserverRuntimeperfcommon.exe	61
PID 564 wrote to memory of 944	564	ProviderserverRuntimeperfcommon.exe	61
PID 564 wrote to memory of 944	564	ProviderserverRuntimeperfcommon.exe	61
PID 564 wrote to memory of 1304	564	ProviderserverRuntimeperfcommon.exe	62
PID 564 wrote to memory of 1304	564	ProviderserverRuntimeperfcommon.exe	62
PID 564 wrote to memory of 1304	564	ProviderserverRuntimeperfcommon.exe	62
PID 564 wrote to memory of 1872	564	ProviderserverRuntimeperfcommon.exe	63
PID 564 wrote to memory of 1872	564	ProviderserverRuntimeperfcommon.exe	63
PID 564 wrote to memory of 1872	564	ProviderserverRuntimeperfcommon.exe	63
PID 564 wrote to memory of 1936	564	ProviderserverRuntimeperfcommon.exe	69
PID 564 wrote to memory of 1936	564	ProviderserverRuntimeperfcommon.exe	69
PID 564 wrote to memory of 1936	564	ProviderserverRuntimeperfcommon.exe	69
PID 1936 wrote to memory of 1604	1936	cmd.exe	71
PID 1936 wrote to memory of 1604	1936	cmd.exe	71
PID 1936 wrote to memory of 1604	1936	cmd.exe	71
PID 1936 wrote to memory of 740	1936	cmd.exe	72
PID 1936 wrote to memory of 740	1936	cmd.exe	72
PID 1936 wrote to memory of 740	1936	cmd.exe	72
PID 1936 wrote to memory of 2480	1936	cmd.exe	73
PID 1936 wrote to memory of 2480	1936	cmd.exe	73
PID 1936 wrote to memory of 2480	1936	cmd.exe	73
PID 1936 wrote to memory of 2480	1936	cmd.exe	73
PID 1936 wrote to memory of 2480	1936	cmd.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe
      "C:\PortcomproviderMonitor/ProviderserverRuntimeperfcommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d5hzopxh\d5hzopxh.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2194.tmp" "c:\Windows\System32\CSCA1A7045D8CBD43568674F5132B43F751.TMP"
        6⤵
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\ProviderserverRuntimeperfcommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortcomproviderMonitor\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RrUjad2O3Z.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1604
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:740
      - C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\ProviderserverRuntimeperfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\PortcomproviderMonitor\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortcomproviderMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\PortcomproviderMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 5 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommon" /sc ONLOGON /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 5 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat

Filesize
106B

MD5
94909fd684f66eecfdac274e00d5a363

SHA1
fc11a50df025ba0328607f63d78faf777e5766d4

SHA256
4d93125e77e0240100adfd50d5599c0b65f3903a0df5e390361d9815458674af

SHA512
f79dd275cbb96ee0f1ff9a5df479adb300644ac26d28785d8ab17ae5d95670cf388cce2d9ea4ef8454f9287e3641fe5ad826fab3596c765d68af2301adb2a9f1

Download Submit
C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe

Filesize
228B

MD5
8f57fc07cea683f126f6a490d3e1f0c9

SHA1
9e28edb72eaeee5be52030dc9a99e9dbb6963cd7

SHA256
c3891378665c83eb627171ba132a9c4f596d3b3394765a75fe86636b4d50f63c

SHA512
a79a82e8c496758e1473fd7dc365d75ba2a638d9718de6a1dbb6249b2d87abe2461ad975bf9758fb2f04a84ced8820a2990b619180dbdee0504d8da714cbcaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2194.tmp

Filesize
1KB

MD5
559c530134307d760a3a42cf6f022dc8

SHA1
30cf47b53f576fd768cffabf2e27dedf5a148894

SHA256
afb8e7d9a0fcc3dd35b3e4f2ffd983c09df625b8a5baa67504a1238f52130046

SHA512
cd03efd8a9211b1d490e2e67f8b04639f9a7bab8bf1ea725f68b2ae66ebf41d196a6a1e9b2d79e79f9ca99ba0a6921093bcc9877e4ccfc9fde2913791e9743a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RrUjad2O3Z.bat

Filesize
237B

MD5
29115fbbf19d435f395e3c4725ec4774

SHA1
a951d3069a966ac17e2b80231b487b6a18634b06

SHA256
17374bed3b4b34240e7b432fe3ab3da2d0f6f40700e3027a7393481c7f8d464f

SHA512
6c9cb10a3959ec3a6590953f5fc4da59a6dbd017e596c58a5dd3e43381e5cb9dfb4bd656cdca6dc06e164c86ae8c710197b9872fbac6a096adb5e10b0c328f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0747ab338353729e65e58a0e3286512b

SHA1
e59b14c13f5a5c48c16edabb8d9cdd14cc433da3

SHA256
d4a0a98cc91d543375efa652608a97c7ab860c8ebf4d42c801519e423cfa20b5

SHA512
7fd614426ee8e9b1f665c30f799147b4dee7cf2936c6a14919558ce27c3f43d040ea402bec2719eaf5b87d330e134793e08e83764785720f3fbdcacfa251cb69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d5hzopxh\d5hzopxh.0.cs

Filesize
361B

MD5
29898b4a9885e509261c3ded112d036f

SHA1
7b23dc12c2364ab5570dadf372d7f80d6e73030f

SHA256
cfa70978bdff2ec9399b25e3e7b7d67b64ac341bfb4f7e2a156c0155e0606387

SHA512
29e32066d428b9699752ffa75522580de7d9b1d8cf683ef17394c10dd9d6e2225cd081d241184bb987fee35f6cd9c1efc2a3484b94f916eb33f865c238c74e2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d5hzopxh\d5hzopxh.cmdline

Filesize
235B

MD5
207c63d636d2a7794009b8fcdec731e8

SHA1
06d811500624375e25c54fd5f30a74d170af7636

SHA256
57a4193603ce1749ea47ad7159be80e2444d95b255f591d6dd99e0a547e9dc54

SHA512
185a0195a7a80e050b4c3e040db42fd7e20c842e1c4a3117e2f496e05861a924e9b4dfec3f44402ace7b77c5fb5aceabac0d454044daacbb078fbd68c564032f

Download Submit
\??\c:\Windows\System32\CSCA1A7045D8CBD43568674F5132B43F751.TMP

Filesize
1KB

MD5
dbb2cd021b80875d9c777c705ef845c8

SHA1
3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

SHA256
a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

SHA512
a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

Download Submit
\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe

Filesize
1.9MB

MD5
f03f8a942b3ec90eb92280717f3c7394

SHA1
fea40f92b76757c2259d486b0ea2d138e9efc02c

SHA256
4933a81b1bb2b13cda06a4941791b30d1f663ff9f47ec15b09cd34d7f0c1c92a

SHA512
a74dbc33a0c2e6c6043e148c539d4a63602ba646eb2830c604ea2b186fa9d235c7aebe440ff453c29220ed19b63665ebd9a83b8bb6c02383e14453eb1645fae8

Download Submit
memory/564-15-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/564-25-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/564-23-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/564-21-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/564-19-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/564-17-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/564-13-0x0000000000050000-0x0000000000240000-memory.dmp

Filesize
1.9MB

Download
memory/1304-58-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/1304-69-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2480-87-0x0000000001050000-0x0000000001240000-memory.dmp

Filesize
1.9MB

Download