Analysis
max time kernel: 36s
max time network: 43s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/07/2023, 13:24
Static task: static1
Behavioral task: behavioral1
Sample: BridgeReview_protected.exe
Resource: win10v2004-20230703-en
General
Target: BridgeReview_protected.exe
Size: 2.8MB
MD5: fefd90a570c93a0a2ec4838ad5e077f0
SHA1: 81c0a7c797cd74e639ff97ecbdfba368549c6bb2
SHA256: bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5
SHA512: f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5
SSDEEP: 49152:Y9JYJBVie9pMadBi6ZGLXIE/3sT1DS8f9rIxCpSvHusz6fm26n9qdMg4B7i6:zJB/bbiBI31D5f9PkvOaPnDB7i6
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 432 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3920 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1384 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3488 | 2044 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 2044 | schtasks.exe | 88

resource | yara_rule
behavioral1/memory/2916-134-0x0000000000CE0000-0x000000000124A000-memory.dmp | dcrat
behavioral1/memory/2916-155-0x0000000000CE0000-0x000000000124A000-memory.dmp | dcrat
behavioral1/memory/3184-173-0x0000000000FA0000-0x000000000150A000-memory.dmp | dcrat
behavioral1/memory/3184-175-0x0000000000FA0000-0x000000000150A000-memory.dmp | dcrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | BridgeReview_protected.exe

Executes dropped EXE 1 IoCs
pid | Process
3184 | csrss.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | ipinfo.io
34 | ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
2916 | BridgeReview_protected.exe
2916 | BridgeReview_protected.exe
3184 | csrss.exe
3184 | csrss.exe
3184 | csrss.exe

Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe | BridgeReview_protected.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe | BridgeReview_protected.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e | BridgeReview_protected.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe | BridgeReview_protected.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115 | BridgeReview_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1540 | schtasks.exe
2476 | schtasks.exe
2924 | schtasks.exe
1044 | schtasks.exe
1384 | schtasks.exe
3488 | schtasks.exe
1444 | schtasks.exe
1996 | schtasks.exe
432 | schtasks.exe
3920 | schtasks.exe
1468 | schtasks.exe
2544 | schtasks.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings | BridgeReview_protected.exe
Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings | taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2916 BridgeReview_protected.exe 2916 BridgeReview_protected.exe 2916 BridgeReview_protected.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 3184 csrss.exe 3184 csrss.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 3184 csrss.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 3184 csrss.exe 3184 csrss.exe 3184 csrss.exe 3184 csrss.exe 1060 taskmgr.exe 1060 taskmgr.exe 3184 csrss.exe 3184 csrss.exe 3184 csrss.exe 3184 csrss.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1060 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2916 | BridgeReview_protected.exe
Token: SeDebugPrivilege | 1060 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1060 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1060 | taskmgr.exe
Token: SeDebugPrivilege | 3184 | csrss.exe
Token: 33 | 1060 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1060 | taskmgr.exe

Suspicious use of FindShellTrayWindow 54 IoCs
pid Process 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe -
Suspicious use of SendNotifyMessage 54 IoCs
pid Process 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe 1060 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2916 | BridgeReview_protected.exe
3184 | csrss.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2916 wrote to memory of 5112 | 2916 | BridgeReview_protected.exe | 102
PID 2916 wrote to memory of 5112 | 2916 | BridgeReview_protected.exe | 102
PID 2916 wrote to memory of 5112 | 2916 | BridgeReview_protected.exe | 102
PID 5112 wrote to memory of 4248 | 5112 | cmd.exe | 105
PID 5112 wrote to memory of 4248 | 5112 | cmd.exe | 105
PID 5112 wrote to memory of 4248 | 5112 | cmd.exe | 105
PID 4248 wrote to memory of 1476 | 4248 | w32tm.exe | 106
PID 4248 wrote to memory of 1476 | 4248 | w32tm.exe | 106
PID 5112 wrote to memory of 3184 | 5112 | cmd.exe | 108
PID 5112 wrote to memory of 3184 | 5112 | cmd.exe | 108
PID 5112 wrote to memory of 3184 | 5112 | cmd.exe | 108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\BridgeReview_protected.exe
"C:\Users\Admin\AppData\Local\Temp\BridgeReview_protected.exe"
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"
    - Suspicious use of WriteProcessMemory
    PID:5112

        C:\Windows\SysWOW64\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        - Suspicious use of WriteProcessMemory
        PID:4248

            C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID:1476

        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2736
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.8MB
MD5: fefd90a570c93a0a2ec4838ad5e077f0
SHA1: 81c0a7c797cd74e639ff97ecbdfba368549c6bb2
SHA256: bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5
SHA512: f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

Filesize: 225B
MD5: 6c425f641403ae9dae881f6c40dcff05
SHA1: c57ff87bc81eab666c46395791b1e10066d78449
SHA256: 954d6299f1aa54d2cfd84b8b0ba0129e5dea5bf6fbaef94928f120b722e4acbb
SHA512: 73d635cdb58abb2743ac7c992815c1e2601ee519e3c088c0b45710985a43b57f736bba946aa96b2e628190c2a0eb9406a31bd321b075309ba0ccbc3a288940dd

Filesize: 500B
MD5: 8eb84f17f1c134253db29bb3f7cf09f3
SHA1: 23a8be46ca6ec3019b02c22a8e53c4c6b4b0c7da
SHA256: 6fc4a73a21ef5103b5ffec9ca526e39c191a4848a76dfb5ed19949a4cfbb0d28
SHA512: 50d57777850350302f2ef628ac5ceaa6b882340fc82b0945c5d791e409bb71bf5aa89bf5eabadaf47334634b1d05b4b12c52fce4cb085ec08b097c9b48ee81e2