Overview

overview

10

Static

static

3

BridgeRevi...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2023, 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BridgeReview_protected.exe

  • Size

    2.8MB

  • MD5

    fefd90a570c93a0a2ec4838ad5e077f0

  • SHA1

    81c0a7c797cd74e639ff97ecbdfba368549c6bb2

  • SHA256

    bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5

  • SHA512

    f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

  • SSDEEP

    49152:Y9JYJBVie9pMadBi6ZGLXIE/3sT1DS8f9rIxCpSvHusz6fm26n9qdMg4B7i6:zJB/bbiBI31D5f9PkvOaPnDB7i6

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BridgeReview_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\BridgeReview_protected.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:1476
        • C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
          "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1060
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2736

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        Filesize

        2.8MB

        MD5

        fefd90a570c93a0a2ec4838ad5e077f0

        SHA1

        81c0a7c797cd74e639ff97ecbdfba368549c6bb2

        SHA256

        bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5

        SHA512

        f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

        Download Submit

      • C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        Filesize

        2.8MB

        MD5

        fefd90a570c93a0a2ec4838ad5e077f0

        SHA1

        81c0a7c797cd74e639ff97ecbdfba368549c6bb2

        SHA256

        bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5

        SHA512

        f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

        Download Submit

      • C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        Filesize

        2.8MB

        MD5

        fefd90a570c93a0a2ec4838ad5e077f0

        SHA1

        81c0a7c797cd74e639ff97ecbdfba368549c6bb2

        SHA256

        bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5

        SHA512

        f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat
        Filesize

        225B

        MD5

        6c425f641403ae9dae881f6c40dcff05

        SHA1

        c57ff87bc81eab666c46395791b1e10066d78449

        SHA256

        954d6299f1aa54d2cfd84b8b0ba0129e5dea5bf6fbaef94928f120b722e4acbb

        SHA512

        73d635cdb58abb2743ac7c992815c1e2601ee519e3c088c0b45710985a43b57f736bba946aa96b2e628190c2a0eb9406a31bd321b075309ba0ccbc3a288940dd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp
        Filesize

        500B

        MD5

        8eb84f17f1c134253db29bb3f7cf09f3

        SHA1

        23a8be46ca6ec3019b02c22a8e53c4c6b4b0c7da

        SHA256

        6fc4a73a21ef5103b5ffec9ca526e39c191a4848a76dfb5ed19949a4cfbb0d28

        SHA512

        50d57777850350302f2ef628ac5ceaa6b882340fc82b0945c5d791e409bb71bf5aa89bf5eabadaf47334634b1d05b4b12c52fce4cb085ec08b097c9b48ee81e2

        Download Submit

      • memory/1060-169-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-167-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-168-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-166-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-157-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-158-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-159-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-163-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-164-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-165-0x000001B03B8B0000-0x000001B03B8B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2916-138-0x0000000009430000-0x00000000094C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2916-141-0x00000000094D0000-0x0000000009536000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2916-155-0x0000000000CE0000-0x000000000124A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/2916-133-0x0000000000CE0000-0x000000000124A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/2916-137-0x0000000006C20000-0x0000000006C70000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2916-136-0x0000000006150000-0x0000000006160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2916-135-0x0000000006CA0000-0x0000000007244000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2916-134-0x0000000000CE0000-0x000000000124A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/3184-173-0x0000000000FA0000-0x000000000150A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/3184-174-0x0000000000FA0000-0x000000000150A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/3184-175-0x0000000000FA0000-0x000000000150A000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/3184-178-0x0000000000FA0000-0x000000000150A000-memory.dmp

        Filesize

        5.4MB

        Download