Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-zsjn4sde6x
Target 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA256 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e

Threat Level: Known bad

The file 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

Process spawned unexpected child process

Modifies WinLogon for persistence

Dcrat family

UAC bypass

DCRat payload

DcRat

Detects executables packed with SmartAssembly

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 20:58

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 20:58

Reported

2024-05-13 21:01

Platform

win7-20240419-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72 C:\Bridgeserverintocommon\intobroker.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\Media\\Afternoon\\wscript.exe\", \"C:\\Windows\\Fonts\\wininit.exe\", \"C:\\Bridgeserverintocommon\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\System.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\Media\\Afternoon\\wscript.exe\", \"C:\\Windows\\Fonts\\wininit.exe\", \"C:\\Bridgeserverintocommon\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\Media\\Afternoon\\wscript.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\Media\\Afternoon\\wscript.exe\", \"C:\\Windows\\Fonts\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\", \"C:\\Windows\\PLA\\Templates\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\Media\\Afternoon\\wscript.exe\", \"C:\\Windows\\Fonts\\wininit.exe\", \"C:\\Bridgeserverintocommon\\cmd.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\PLA\Templates\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\PLA\Templates\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\PLA\Templates\services.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Bridgeserverintocommon\\cmd.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\System.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intobroker = "\"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\System.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\intobroker = "\"C:\\Program Files\\Microsoft Games\\Chess\\intobroker.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PLA\\Templates\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Bridgeserverintocommon\\cmd.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\Media\\Afternoon\\wscript.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\Media\\Afternoon\\wscript.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\Templates\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Fonts\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Fonts\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PLA\\Templates\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\PLA\Templates\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\PLA\Templates\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\886983d96e3d3e C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Windows Journal\Templates\csrss.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Microsoft Games\Chess\intobroker.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\56085415360792 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Microsoft Games\Chess\dcdb6905e4a371 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\services.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d C:\Bridgeserverintocommon\intobroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\Afternoon\817c8c8ec737a7 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\Fonts\wininit.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\Fonts\56085415360792 C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\PLA\Templates\services.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\PLA\Templates\c5b4cb5e9653cc C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\Media\Afternoon\wscript.exe C:\Bridgeserverintocommon\intobroker.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A
N/A N/A C:\Windows\PLA\Templates\services.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\PLA\Templates\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Bridgeserverintocommon\intobroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\PLA\Templates\services.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 1060 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 2688 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 2688 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 2688 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 2672 wrote to memory of 2708 N/A C:\Bridgeserverintocommon\intobroker.exe C:\Windows\PLA\Templates\services.exe
PID 2672 wrote to memory of 2708 N/A C:\Bridgeserverintocommon\intobroker.exe C:\Windows\PLA\Templates\services.exe
PID 2672 wrote to memory of 2708 N/A C:\Bridgeserverintocommon\intobroker.exe C:\Windows\PLA\Templates\services.exe
PID 2708 wrote to memory of 2888 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 2888 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 2888 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 1824 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 1824 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 1824 N/A C:\Windows\PLA\Templates\services.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\PLA\Templates\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\PLA\Templates\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\PLA\Templates\services.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe

"C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "

C:\Bridgeserverintocommon\intobroker.exe

"C:\Bridgeserverintocommon\intobroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "intobroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f

C:\Windows\PLA\Templates\services.exe

"C:\Windows\PLA\Templates\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed83a9bb-53f3-4788-944a-770ff34ac20c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8e1f47-810e-42c7-8afb-87a7af23927e.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0951529.xsph.ru udp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
RU 141.8.192.169:80 a0951529.xsph.ru tcp

Files

C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe

MD5 8ad651de9eab5382f5aeb6e0a38e22bc
SHA1 c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256 adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA512 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

C:\Bridgeserverintocommon\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat

MD5 9005984f23c241ae6504691edad99db9
SHA1 50ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256 e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

\Bridgeserverintocommon\intobroker.exe

MD5 34f09d31d624cddea4794d6b60fb342a
SHA1 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256 fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512 e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

C:\Users\Admin\AppData\Local\Temp\ed83a9bb-53f3-4788-944a-770ff34ac20c.vbs

MD5 dee19409427568c5c7d70eb865457ce9
SHA1 508a2a9d0e976e7493ef9ecc4495f500fde6204e
SHA256 d481a6f8a93e67fb1a0e4d6b40e7a6b3c190ecee1662db96c2b6eb9ab167f32c
SHA512 94ab9c18c63a0deb19a9d913c77f45d1076fe05907e61214385e3cb26905426ff8f1c8fc27eefddc44c47879305b68383eeee53cac10f7f1978031cfe89e4dc0

C:\Users\Admin\AppData\Local\Temp\6e8e1f47-810e-42c7-8afb-87a7af23927e.vbs

MD5 9e888e59e647a26ccfc29968bc56466e
SHA1 6c74c59a97b2d94fbb7f4413a494d70baadb7d93
SHA256 9f1815830978894f75f08f4845198dd56c08f7abf6cbf0c2df10647afe46fae8
SHA512 a2c815c9d3c55ff46dcbf662566e7ff90c6d4f8f5d540ebd32e029fa4cb2a4277581b215a4653472d412502217c41fc656c243527df4c8862b66375e6fd8cee7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 20:58

Reported

2024-05-13 21:01

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\", \"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\", \"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\", \"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Bridgeserverintocommon\intobroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Microsoft Office\\msedge.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Microsoft Office\\msedge.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" C:\Bridgeserverintocommon\intobroker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\msedge.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Program Files\Microsoft Office\61a52ddc9dd915 C:\Bridgeserverintocommon\intobroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SKB\LanguageModels\dllhost.exe C:\Bridgeserverintocommon\intobroker.exe N/A
File created C:\Windows\SKB\LanguageModels\5940a34987c991 C:\Bridgeserverintocommon\intobroker.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Bridgeserverintocommon\intobroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Bridgeserverintocommon\intobroker.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Bridgeserverintocommon\intobroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4844 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4844 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4844 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe C:\Windows\SysWOW64\WScript.exe
PID 4712 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 4112 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgeserverintocommon\intobroker.exe
PID 1012 wrote to memory of 4844 N/A C:\Bridgeserverintocommon\intobroker.exe C:\Windows\System32\cmd.exe
PID 1012 wrote to memory of 4844 N/A C:\Bridgeserverintocommon\intobroker.exe C:\Windows\System32\cmd.exe
PID 4844 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4844 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4844 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\dllhost.exe
PID 4844 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\dllhost.exe
PID 3528 wrote to memory of 1956 N/A C:\Windows\SKB\LanguageModels\dllhost.exe C:\Windows\System32\WScript.exe
PID 3528 wrote to memory of 1956 N/A C:\Windows\SKB\LanguageModels\dllhost.exe C:\Windows\System32\WScript.exe
PID 3528 wrote to memory of 4448 N/A C:\Windows\SKB\LanguageModels\dllhost.exe C:\Windows\System32\WScript.exe
PID 3528 wrote to memory of 4448 N/A C:\Windows\SKB\LanguageModels\dllhost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Bridgeserverintocommon\intobroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SKB\LanguageModels\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe

"C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "

C:\Bridgeserverintocommon\intobroker.exe

"C:\Bridgeserverintocommon\intobroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYJQVhD8a8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SKB\LanguageModels\dllhost.exe

"C:\Windows\SKB\LanguageModels\dllhost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3320 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73e9bcbb-0c3a-45d0-92ab-0e2bc3fbb0fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f270df3-9232-4433-be85-6919e96bea0b.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 a0951529.xsph.ru udp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
US 8.8.8.8:53 169.192.8.141.in-addr.arpa udp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 141.8.192.169:80 a0951529.xsph.ru tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe

MD5 8ad651de9eab5382f5aeb6e0a38e22bc
SHA1 c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256 adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA512 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

C:\Bridgeserverintocommon\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat

MD5 9005984f23c241ae6504691edad99db9
SHA1 50ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256 e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

C:\Bridgeserverintocommon\intobroker.exe

MD5 34f09d31d624cddea4794d6b60fb342a
SHA1 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256 fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512 e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

C:\Users\Admin\AppData\Local\Temp\FYJQVhD8a8.bat

MD5 32f81aea9006bea6cb1a5d126cf15787
SHA1 1a82649f968deb656c39aeb6e93e4a125238cc70
SHA256 6be00242e62c03251c336a9c76774e6c72b23cc8e1cf72e196bd894262b4d52e
SHA512 357589860ed09c49fe4df8a874a22219dad012d89fe0b775f9f6e4ccd5628b2059a11549996791e9f4789264abb770f8ec0b3fbc11435fb76f422cb826c67627

C:\Users\Admin\AppData\Local\Temp\73e9bcbb-0c3a-45d0-92ab-0e2bc3fbb0fc.vbs

MD5 23407a95b742c9f1ba704c067ca8ffa4
SHA1 9c7d0273d80a33079ba78243c43c95ce19acdb2c
SHA256 7fab4928d4f76868eacc6d6ff946e20550ab030af17448668e2762a5d6429268
SHA512 497c3e3329edf9a6b7b60610e548f72acde3ef6a8d003c4c17c5773a8e5ee5b207ceaad3bd4f007855afc8f2dbdf1ecd2c448fa06767d6f8820d7eebad2ac235

C:\Users\Admin\AppData\Local\Temp\4f270df3-9232-4433-be85-6919e96bea0b.vbs

MD5 e9faf03e1737b1b4437a1534a274456e
SHA1 b8c5b8061adc0e33c24dc1f9805720168cf80348
SHA256 0a26607d929362016eab130f3f6abae585293a52f19697acd945e355cede51d9
SHA512 6aa752954c5ac864664d76a8184cb597b7097c87777f5e33d6dd6fe0daff7d7040dd3ec3ea1ae247222094249b6f872a71693f59cd7b37d5e866f5b8ae19cd08