98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe
Size

2.7MB
MD5

2c686c1422614e57e79cbd65e232a84b
SHA1

f8e7b6e085aeb100391e8abe9b09d45adb9475f2
SHA256

98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc
SHA512

8df982612e9f0f22cbdddc045b027186075ddd8b7cd5a2f5f08296d1a2267f2f2cf93bce25dca4d429e14ba0f2155ea9c7b18cc1246880b9a20db3a96084103d
SSDEEP

49152:ZhZx4EhyIpSJOfOdoqt54pL7hCPFAYGpYhoF+fvITL0E1F3tn9PScTnrfyL3c:YEh/pSJOWqq4pL7QP9pS+fU/n3t9P5TT

Score

10^/10

execution spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2484	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
376	powershell.exe
1940	powershell.exe
1500	powershell.exe
888	powershell.exe
1992	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3060	One-armed robber Trainer Setup.exe
2076	DCRatBuild.exe
2880	bridgecrtDhcp.exe
2732	bridgecrtDhcp.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe
2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe
2076	DCRatBuild.exe
2076	DCRatBuild.exe
2072	cmd.exe
2072	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe	bridgecrtDhcp.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\de61578047efe9	bridgecrtDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2148	schtasks.exe
1864	schtasks.exe
572	schtasks.exe
1548	schtasks.exe
1048	schtasks.exe
2120	schtasks.exe
1356	schtasks.exe
2216	schtasks.exe
1604	schtasks.exe
2156	schtasks.exe
448	schtasks.exe
2372	schtasks.exe
2332	schtasks.exe
900	schtasks.exe
1556	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	One-armed robber Trainer Setup.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	One-armed robber Trainer Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	One-armed robber Trainer Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	One-armed robber Trainer Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	One-armed robber Trainer Setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2680	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe
2880	bridgecrtDhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	bridgecrtDhcp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	bridgecrtDhcp.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2732	bridgecrtDhcp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe
3060	One-armed robber Trainer Setup.exe
3060	One-armed robber Trainer Setup.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3060	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	28
PID 2188 wrote to memory of 3060	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	28
PID 2188 wrote to memory of 3060	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	28
PID 2188 wrote to memory of 3060	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	28
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2188 wrote to memory of 2076	2188	98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe	29
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2076 wrote to memory of 2636	2076	DCRatBuild.exe	30
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2636 wrote to memory of 2072	2636	WScript.exe	31
PID 2072 wrote to memory of 2880	2072	cmd.exe	33
PID 2072 wrote to memory of 2880	2072	cmd.exe	33
PID 2072 wrote to memory of 2880	2072	cmd.exe	33
PID 2072 wrote to memory of 2880	2072	cmd.exe	33
PID 2880 wrote to memory of 1992	2880	bridgecrtDhcp.exe	51
PID 2880 wrote to memory of 1992	2880	bridgecrtDhcp.exe	51
PID 2880 wrote to memory of 1992	2880	bridgecrtDhcp.exe	51
PID 2880 wrote to memory of 376	2880	bridgecrtDhcp.exe	52
PID 2880 wrote to memory of 376	2880	bridgecrtDhcp.exe	52
PID 2880 wrote to memory of 376	2880	bridgecrtDhcp.exe	52
PID 2880 wrote to memory of 888	2880	bridgecrtDhcp.exe	53
PID 2880 wrote to memory of 888	2880	bridgecrtDhcp.exe	53
PID 2880 wrote to memory of 888	2880	bridgecrtDhcp.exe	53
PID 2880 wrote to memory of 1500	2880	bridgecrtDhcp.exe	54
PID 2880 wrote to memory of 1500	2880	bridgecrtDhcp.exe	54
PID 2880 wrote to memory of 1500	2880	bridgecrtDhcp.exe	54
PID 2880 wrote to memory of 1940	2880	bridgecrtDhcp.exe	56
PID 2880 wrote to memory of 1940	2880	bridgecrtDhcp.exe	56
PID 2880 wrote to memory of 1940	2880	bridgecrtDhcp.exe	56
PID 2880 wrote to memory of 2648	2880	bridgecrtDhcp.exe	61
PID 2880 wrote to memory of 2648	2880	bridgecrtDhcp.exe	61
PID 2880 wrote to memory of 2648	2880	bridgecrtDhcp.exe	61
PID 2648 wrote to memory of 2640	2648	cmd.exe	63
PID 2648 wrote to memory of 2640	2648	cmd.exe	63
PID 2648 wrote to memory of 2640	2648	cmd.exe	63
PID 2648 wrote to memory of 2680	2648	cmd.exe	64
PID 2648 wrote to memory of 2680	2648	cmd.exe	64
PID 2648 wrote to memory of 2680	2648	cmd.exe	64
PID 2648 wrote to memory of 2732	2648	cmd.exe	65
PID 2648 wrote to memory of 2732	2648	cmd.exe	65
PID 2648 wrote to memory of 2732	2648	cmd.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe
"C:\Users\Admin\AppData\Local\Temp\98b5f226fc6e0427b72bf4b480d4ed126295f6c6dd213a0c748c5dc20e9fc1cc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\One-armed robber Trainer Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\One-armed robber Trainer Setup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\chainPortcomponentNetcommon\HRz21gsVfS3k970fjBuxO8NeefdVQTjBTDGcu6y2gce.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\chainPortcomponentNetcommon\iRoKpcItlVTdDjaiwuXVY8.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\chainPortcomponentNetcommon\bridgecrtDhcp.exe
        
        "C:\chainPortcomponentNetcommon/bridgecrtDhcp.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\bridgecrtDhcp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIZFouDyuY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2680
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcpb" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\bridgecrtDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcp" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\bridgecrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcpb" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\bridgecrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcpb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecrtDhcpb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\bridgecrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab24B2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24C5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIZFouDyuY.bat

Filesize
219B

MD5
61c8b60a1f18998c999d9e1de65ca03e

SHA1
916bee09c202d641c91137b03039ad891b372628

SHA256
0f43349cf33ceb43783c150f6766ed3987ed32f7e675778a461a4a70e60808b6

SHA512
a4b0de4c8a699c706edf5a879835bf964f58233f9048a3abb97bc3463fcebb7d932549db138afb5c6c543035f236dfc443c4ccf9d1db93da18322d544dc370a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a896c35c5e307ff07da29431450c121

SHA1
26b5d81a3d0e63ddba3905596440fcc60102a474

SHA256
2e0e4c62d615ce53d18773c6e1388d7e5d406a7cb1fd375d260eba43d129b9fc

SHA512
d661db2da6b609bb2c2f98ac1543cf08ad14ef4b9a702c449791c372e902da27773a5a549a4a8655b017232033e801c2b398d36127f32649b2190b1596c6065d

Download Submit
C:\chainPortcomponentNetcommon\HRz21gsVfS3k970fjBuxO8NeefdVQTjBTDGcu6y2gce.vbe

Filesize
227B

MD5
b2ba6b96fcc115f07c151e8baf2588d8

SHA1
d54e1ab249963c7056636b9cca55f9860576b16e

SHA256
979d3c9114c02333ccb84a67121b103962d914bcb89fced722549145a8efa7a3

SHA512
71d3f120965d325b8c7835ad83adfa6ff710174156f80123bb3fd0bc428b9833af5a91e32ddfdc2845e6a7841f2ca0110eac5be8eafb848d7da37ddd52a6aaf7

Download Submit
C:\chainPortcomponentNetcommon\iRoKpcItlVTdDjaiwuXVY8.bat

Filesize
100B

MD5
99b9afc776b491c9e6348dc50a202b52

SHA1
e79b65c1f7c84a9d8c5070c81896f9410b0c5560

SHA256
5496ec8ef1b936c882d35cc8260193d092e94afbbcd93a568a8c1fdacebc071a

SHA512
6240c0ec373ea6c6389baf660e5675195d3b919a13dc630fe0a60af2d7a7da189397a8a72621a84bf737f5fb315d709e0eff8d8e10acbd5d2af957f7e97139e4

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.9MB

MD5
97127e965a9e01f9a885ac89800d2ba3

SHA1
1c6ce7fcb953ef274e867c98466d40c9c650dc77

SHA256
551106734af6b6c8cf02413290249dcc6a60da4abee4073c64c78ae146b278b9

SHA512
0cd64c6dd5e72c88dd89f1681382a2c3a7083ed2ad32bd17d6d2b4246b6ad2fd6a5fddfe97cfcd5a34751a091bdd7a5874014f7383711db96cf266df08e88e17

Download Submit
\Users\Admin\AppData\Local\Temp\One-armed robber Trainer Setup.exe

Filesize
141KB

MD5
6edf57a71a99a5269960e506f174ac46

SHA1
94f8537ac414a93c945c58730a1072ef0554ad49

SHA256
24a9460ca1ead06aed72d5d93b239c9becef870fb2da9889794ffe86a23d3bb7

SHA512
1475a9a1907e084c1a1d9e94cdcdf27a0bc6ad4da73189ee5c9b9a6105ea3e98653008cefde62e4c391c923149c7e0c33da34c2347231b3c3a4f14b93878147f

Download Submit
\chainPortcomponentNetcommon\bridgecrtDhcp.exe

Filesize
2.5MB

MD5
eb2d5bec4f392dd5222ca5d4ab4cd4de

SHA1
6d5c5facc9f4ccd1df144876d47fc08d47dd4757

SHA256
994eb96669624a4bc0445f0caa907eae5b54b89d51d727ea5847e43a080779e3

SHA512
b3373e4bdd0dc2a04f0271355caa61cbdae336bec7b770a6240eae4bb5224fb5cb5fbd63907481d84cc629dd4a05c62817ac8a4a7fbe796e2bd58cb69a8e5e5b

Download Submit
memory/376-198-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/1992-199-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2188-18-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2188-1-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2188-4-0x0000000000994000-0x0000000000A78000-memory.dmp

Filesize
912KB

Download
memory/2188-2-0x00000000013D0000-0x0000000001A48000-memory.dmp

Filesize
6.5MB

Download
memory/2188-3-0x00000000013D0000-0x0000000001A48000-memory.dmp

Filesize
6.5MB

Download
memory/2732-213-0x0000000000930000-0x0000000000BC2000-memory.dmp

Filesize
2.6MB

Download
memory/2880-155-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2880-167-0x000000001AA20000-0x000000001AA2C000-memory.dmp

Filesize
48KB

Download
memory/2880-114-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2880-116-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2880-119-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2880-82-0x0000000000BC0000-0x0000000000E52000-memory.dmp

Filesize
2.6MB

Download
memory/2880-121-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2880-125-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/2880-94-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/2880-141-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/2880-143-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2880-145-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/2880-147-0x000000001A9C0000-0x000000001A9D6000-memory.dmp

Filesize
88KB

Download
memory/2880-149-0x000000001A9E0000-0x000000001A9F2000-memory.dmp

Filesize
72KB

Download
memory/2880-151-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2880-153-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2880-104-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2880-157-0x000000001B150000-0x000000001B1AA000-memory.dmp

Filesize
360KB

Download
memory/2880-159-0x00000000023B0000-0x00000000023BE000-memory.dmp

Filesize
56KB

Download
memory/2880-161-0x000000001AA00000-0x000000001AA10000-memory.dmp

Filesize
64KB

Download
memory/2880-163-0x000000001AA10000-0x000000001AA1E000-memory.dmp

Filesize
56KB

Download
memory/2880-165-0x000000001B0F0000-0x000000001B108000-memory.dmp

Filesize
96KB

Download
memory/2880-110-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

Filesize
96KB

Download
memory/2880-169-0x000000001B200000-0x000000001B24E000-memory.dmp

Filesize
312KB

Download
memory/2880-100-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download
memory/2880-96-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/3060-132-0x000007FFFFEB0000-0x000007FFFFEC0000-memory.dmp

Filesize
64KB

Download
memory/3060-117-0x00000000226F0000-0x0000000022E96000-memory.dmp

Filesize
7.6MB

Download
memory/3060-17-0x0000000000C20000-0x0000000000C46000-memory.dmp

Filesize
152KB

Download