Malware Analysis Report

2024-10-10 13:05

Sample ID 240618-z9r2ta1dqk
Target Gamesense.rar
SHA256 7260ccf8becf9a3be8da0d1f04bccf0ac289e4cba63b2932c51cccec68cff542
Tags dcrat infostealer rat
score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7260ccf8becf9a3be8da0d1f04bccf0ac289e4cba63b2932c51cccec68cff542

Threat Level: Known bad

The file Gamesense.rar was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

DCRat payload

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 21:25

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 21:25

Reported

2024-06-18 21:26

Platform

win10-20240404-en

Max time kernel

59s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(24 identical rows)
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gamesense.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
(27 identical rows)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(51 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\Recovery\WindowsRE\dllhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\unsecapp.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\29c1c3cc0f7685 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\886983d96e3d3e C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Common Files\explorer.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Common Files\7a0fd90576e088 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\ea9f0e6c9e2dcd C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\ea9f0e6c9e2dcd C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhostw.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\sppsvc.exe C:\bridgeFont\Blockdriverhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\fontdrvhost.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Windows\Speech\Engines\TTS\explorer.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Windows\Speech\Engines\TTS\7a0fd90576e088 C:\bridgeFont\Blockdriverhost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gamesense.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\bridgeFont\Blockdriverhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Recovery\WindowsRE\dllhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(51 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
(9 identical rows)
N/A N/A C:\Recovery\WindowsRE\dllhost.exe N/A
(55 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeFont\Blockdriverhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dllhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 5068 wrote to memory of 4516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 4516 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 4228 wrote to memory of 2616 N/A C:\bridgeFont\Blockdriverhost.exe C:\Windows\System32\cmd.exe
PID 4228 wrote to memory of 2616 N/A C:\bridgeFont\Blockdriverhost.exe C:\Windows\System32\cmd.exe
PID 2616 wrote to memory of 4300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2616 wrote to memory of 4300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2616 wrote to memory of 976 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dllhost.exe
PID 2616 wrote to memory of 976 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dllhost.exe
PID 976 wrote to memory of 1556 N/A C:\Recovery\WindowsRE\dllhost.exe C:\Windows\System32\WScript.exe
PID 976 wrote to memory of 1556 N/A C:\Recovery\WindowsRE\dllhost.exe C:\Windows\System32\WScript.exe
PID 976 wrote to memory of 1056 N/A C:\Recovery\WindowsRE\dllhost.exe C:\Windows\System32\WScript.exe
PID 976 wrote to memory of 1056 N/A C:\Recovery\WindowsRE\dllhost.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Gamesense.exe

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "

C:\bridgeFont\Blockdriverhost.exe

"C:\bridgeFont\Blockdriverhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\TTS\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\TTS\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ZmWlwbg6n.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\dllhost.exe

"C:\Recovery\WindowsRE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54c1d699-f544-4f51-a1f9-3b0e65cb3e26.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9c519c0-8408-4c2e-aa68-00ce2838e6f3.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0996585.xsph.ru udp
RU 141.8.192.103:80 a0996585.xsph.ru tcp
RU 141.8.192.103:80 a0996585.xsph.ru tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp

Files

C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe

MD5 f834877689aa9f2dbd0d2084bb779fb4
SHA1 5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67
SHA256 21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768
SHA512 abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034

C:\bridgeFont\A6eEKUh9zDmgALE.bat

MD5 a254cc5bfb66a33ccdee83d23ff8d10b
SHA1 40461cbacf4b71e94dd321fc30d7d69febd1e8ee
SHA256 f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87
SHA512 f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e

C:\bridgeFont\Blockdriverhost.exe

MD5 4021df69fad7e54ef1154a5322b1eece
SHA1 ece1a3140a5a394c4a57f110609b9d494e6f59f5
SHA256 3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f
SHA512 0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4

C:\Users\Admin\AppData\Local\Temp\7ZmWlwbg6n.bat

MD5 ecba410ae4df4e10770b5e4120f711c6
SHA1 d4c4946d2564afeacf26a75308f27a0e149b1a79
SHA256 91307e6bdff77d73a4ee42f33ac84a242126137cee8d21a3b234882bcab932ba
SHA512 25719947c1ceda64c698469e0f80371b324751109509d1ed85baa9d47d3e4d3dc8e209c7df41765cc0fd0c62c4bd5e7df0de9ac672e0bc924223a2f486bfcb94

C:\Users\Admin\AppData\Local\Temp\b9c519c0-8408-4c2e-aa68-00ce2838e6f3.vbs

MD5 94f839c8f679d90fe51bfa2b8bc0d818
SHA1 116462e751fa8e9f4aaaba57e348bc1c3589f49c
SHA256 8e9d51a7772a2811e72f92ed6939db7c008b19328d84fc839b7c9fad655de3d6
SHA512 07f6e829fe122568d85e4f9a8aaf70bdc195c256489812f571df259c63c40753fc168e79f695994683745bf4cf80449c1cd60a6719321ad3fca1bacc24944ef9

C:\Users\Admin\AppData\Local\Temp\54c1d699-f544-4f51-a1f9-3b0e65cb3e26.vbs

MD5 482b9abab07c3b8bd4da33ec9a55c257
SHA1 b24a2fa4b1b0d42118dca769f5f52b73b5438afa
SHA256 be54b6ebfda698f9d11f41bf6a23c52d79b72d2fda25b53f5f153b836e9fdf04
SHA512 005aab1394e203e59d8aace20c27ccd9623c75c3cadb1411a0dbbe4e5bdc0ba0ec934e5336b39384d5b325a1c3b3739f79fd9482705bcb5dc00e0bfe49496444

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 21:25

Reported

2024-06-18 21:26

Platform

win10v2004-20240508-en

Max time kernel

59s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Gamesense.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\bridgeFont\Blockdriverhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\INF\unsecapp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\Blockdriverhost.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\77175f6b6aad57 C:\bridgeFont\Blockdriverhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\unsecapp.exe C:\bridgeFont\Blockdriverhost.exe N/A
File opened for modification C:\Windows\INF\unsecapp.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Windows\INF\29c1c3cc0f7685 C:\bridgeFont\Blockdriverhost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\bridgeFont\Blockdriverhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\INF\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gamesense.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A
N/A N/A C:\Windows\INF\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeFont\Blockdriverhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\unsecapp.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 4076 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 4076 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 4808 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 1968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 2836 wrote to memory of 4552 N/A C:\bridgeFont\Blockdriverhost.exe C:\Windows\System32\cmd.exe
PID 2836 wrote to memory of 4552 N/A C:\bridgeFont\Blockdriverhost.exe C:\Windows\System32\cmd.exe
PID 4552 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4552 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4552 wrote to memory of 4152 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\unsecapp.exe
PID 4552 wrote to memory of 4152 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\unsecapp.exe
PID 4152 wrote to memory of 2404 N/A C:\Windows\INF\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 2404 N/A C:\Windows\INF\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 2876 N/A C:\Windows\INF\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 2876 N/A C:\Windows\INF\unsecapp.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Gamesense.exe

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "

C:\bridgeFont\Blockdriverhost.exe

"C:\bridgeFont\Blockdriverhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\INF\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Blockdriverhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Blockdriverhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Blockdriverhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Blockdriverhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybNdu8nRH2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\unsecapp.exe

"C:\Windows\INF\unsecapp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621b9b88-613e-401d-a2fa-11f7376398b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4351ec9a-1b22-4edd-b562-e8d946bfadfb.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 a0996585.xsph.ru udp
RU 141.8.192.103:80 a0996585.xsph.ru tcp
RU 141.8.192.103:80 a0996585.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp

Files

C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe

MD5 f834877689aa9f2dbd0d2084bb779fb4
SHA1 5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67
SHA256 21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768
SHA512 abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034

C:\bridgeFont\A6eEKUh9zDmgALE.bat

MD5 a254cc5bfb66a33ccdee83d23ff8d10b
SHA1 40461cbacf4b71e94dd321fc30d7d69febd1e8ee
SHA256 f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87
SHA512 f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e

C:\bridgeFont\Blockdriverhost.exe

MD5 4021df69fad7e54ef1154a5322b1eece
SHA1 ece1a3140a5a394c4a57f110609b9d494e6f59f5
SHA256 3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f
SHA512 0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4

C:\Users\Admin\AppData\Local\Temp\ybNdu8nRH2.bat

MD5 b84c4da501c8b26ebf007d8efe03f844
SHA1 4ed71b028b4789c534f8b6f0f2dd78e6ab400fee
SHA256 a24f7207a5478c10481f71f90bbc161f7b252ebca314dc2e2ad5c54dedc9a704
SHA512 3a32ba94ce7500d4e2d9a329e6336bd570c3841b1694508ad737a8f4879e6d8cfc4bac4414a85a6fcf33ca03a48b7592b8a63f7478da812f3fb89480592bf138

C:\Users\Admin\AppData\Local\Temp\621b9b88-613e-401d-a2fa-11f7376398b4.vbs

MD5 9c801bc29c153d78400760679192d4c1
SHA1 b1e9ca4a971e1a3ec02b01db3f7e3ad5a98b0631
SHA256 324d51a0bd9845ce281c9d6144485976f5829b71e1a93a9290c806cb0cf81a8e
SHA512 149b64f2a79fd90b99cbc15c9cfc323d7f9043e31d59a2062a81f95006d15fad5503e53ef6fcce8f46f72c06477c28209dcb7bc33c0213aa62d65ed73c2d515b

C:\Users\Admin\AppData\Local\Temp\4351ec9a-1b22-4edd-b562-e8d946bfadfb.vbs

MD5 6fbce5de6902ce073f6b627d73a70536
SHA1 bbacaf083665ca74c3c101fa41b7137dafb41d6b
SHA256 f8e0713304f0091611350671350eb08f1744b988cfc40e530f3e281865cc56ea
SHA512 6f70d810412a885b5b4803e9db5c172796e0e90cc3292ed4ecadc87d2ba76a27d26fd560e70a5d980a175136b80609e0da6c1da973b2b2307385c37610164413

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 21:25

Reported

2024-06-18 21:26

Platform

win11-20240508-en

Max time kernel

59s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\69ddcba757bf72 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files\Mozilla Firefox\services.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files\Mozilla Firefox\c5b4cb5e9653cc C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Internet Explorer\dllhost.exe C:\bridgeFont\Blockdriverhost.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\dllhost.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Internet Explorer\5940a34987c991 C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Program Files (x86)\Internet Explorer\smss.exe C:\bridgeFont\Blockdriverhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Vss\wininit.exe C:\bridgeFont\Blockdriverhost.exe N/A
File created C:\Windows\Vss\56085415360792 C:\bridgeFont\Blockdriverhost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gamesense.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\bridgeFont\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\bridgeFont\unsecapp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\Blockdriverhost.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A
N/A N/A C:\bridgeFont\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeFont\Blockdriverhost.exe N/A
Token: SeDebugPrivilege N/A C:\bridgeFont\Blockdriverhost.exe N/A
Token: SeDebugPrivilege N/A C:\bridgeFont\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\bridgeFont\unsecapp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 564 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 564 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Gamesense.exe C:\Windows\SysWOW64\WScript.exe
PID 1164 wrote to memory of 2204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 2204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 2204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 2204 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeFont\Blockdriverhost.exe
PID 4360 wrote to memory of 4432 N/A C:\bridgeFont\Blockdriverhost.exe C:\bridgeFont\Blockdriverhost.exe
PID 4360 wrote to memory of 4432 N/A C:\bridgeFont\Blockdriverhost.exe C:\bridgeFont\Blockdriverhost.exe
PID 4432 wrote to memory of 1696 N/A C:\bridgeFont\Blockdriverhost.exe C:\bridgeFont\unsecapp.exe
PID 4432 wrote to memory of 1696 N/A C:\bridgeFont\Blockdriverhost.exe C:\bridgeFont\unsecapp.exe
PID 1696 wrote to memory of 4764 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 4764 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 3576 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 3576 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4764 wrote to memory of 3392 N/A C:\Windows\System32\WScript.exe C:\bridgeFont\unsecapp.exe
PID 4764 wrote to memory of 3392 N/A C:\Windows\System32\WScript.exe C:\bridgeFont\unsecapp.exe
PID 3392 wrote to memory of 3356 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 3392 wrote to memory of 3356 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 3392 wrote to memory of 3084 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe
PID 3392 wrote to memory of 3084 N/A C:\bridgeFont\unsecapp.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Gamesense.exe

"C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "

C:\bridgeFont\Blockdriverhost.exe

"C:\bridgeFont\Blockdriverhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\wininit.exe'" /rl HIGHEST /f

C:\bridgeFont\Blockdriverhost.exe

"C:\bridgeFont\Blockdriverhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\bridgeFont\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\bridgeFont\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\bridgeFont\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f

C:\bridgeFont\unsecapp.exe

"C:\bridgeFont\unsecapp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e22ac63-b0eb-4bb0-949d-c7ae67f51646.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d92b5ac4-6317-48de-b805-e8a05c118a1a.vbs"

C:\bridgeFont\unsecapp.exe

C:\bridgeFont\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be8dd48b-3ff2-4542-b12e-e564ae6a203b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f655023-3e2f-41ad-bb46-bfa15e966bcc.vbs"

C:\bridgeFont\unsecapp.exe

C:\bridgeFont\unsecapp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0996585.xsph.ru udp
US 8.8.8.8:53 a0996585.xsph.ru udp
US 8.8.8.8:53 a0996585.xsph.ru udp
US 8.8.8.8:53 a0996585.xsph.ru udp

Files

C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe

MD5 f834877689aa9f2dbd0d2084bb779fb4
SHA1 5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67
SHA256 21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768
SHA512 abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034

C:\bridgeFont\A6eEKUh9zDmgALE.bat

MD5 a254cc5bfb66a33ccdee83d23ff8d10b
SHA1 40461cbacf4b71e94dd321fc30d7d69febd1e8ee
SHA256 f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87
SHA512 f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e

C:\bridgeFont\Blockdriverhost.exe

MD5 4021df69fad7e54ef1154a5322b1eece
SHA1 ece1a3140a5a394c4a57f110609b9d494e6f59f5
SHA256 3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f
SHA512 0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Blockdriverhost.exe.log

MD5 097f3042534fee826a3236a29e06e8dd
SHA1 6cb2a44fb3c1e28dfcfcc4a30cf9933928e3ae5e
SHA256 4780c943d0d1993a8074df6981cfc969ce8cb06a53538db923c7b1ab3bc4a2ba
SHA512 4c0265cf8fbcfe67586f7b100de09737fa34d3ac96a41bd85a57862a2eb8355e460d088f350da7d4391c06a7a6bc9b1e4dc7acdfa11a0e553f49f388fb253b3c

C:\Users\Admin\AppData\Local\Temp\4e22ac63-b0eb-4bb0-949d-c7ae67f51646.vbs

MD5 2c34b98bb0fb96bc2d24d4c2d0b9400b
SHA1 44957494d94a101b88d7468e14661a9e1b1cc838
SHA256 a63aafcd2813a468ccac9702c8e20db526f21a5560a5bd8db6dc2cdd4df11e38
SHA512 b6422fdbd77fc08081c79c77c2b34b722e5aa568a58c7af11042219381d40f80d42e971e9d8800d515703dc45120cee29cb2b0eca23245822eabd93676e33814

C:\Users\Admin\AppData\Local\Temp\d92b5ac4-6317-48de-b805-e8a05c118a1a.vbs

MD5 49d263c97c8112b243b3f032bf45eeb8
SHA1 bbfea32e95115c5a35c138ac4322704a48ea9a3e
SHA256 30ba0338282298dbf76eefcd84cb5180d47c2a3511bd51246f16f80289bf7772
SHA512 845572b4afb15838d2583b5c814fed7a9632b27eae2de56b06c8d2dbdadb8bfb99ae98b56c18c6e678aac3f7a5b5d3edd86aa2f22bbacbf3020213e896d82b69

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

MD5 46fa6f086fb2f02d6e23fd7efe36fb38
SHA1 f8d47a6989d7a616a765bc384477e2baf51142e3
SHA256 de45a5b562e815b4938330ad5d90d9910d4a29eeaeeab01c5477623ffe580ca9
SHA512 d4becd7f1eaef86c49c5e9bd2dd7969422ba4cd6df10205ce0de35a74257be813b4abe04aa10f6a11b42b37d0ffe23e5bcbb47463ac5040af07211d7aa94237a

C:\Users\Admin\AppData\Local\Temp\be8dd48b-3ff2-4542-b12e-e564ae6a203b.vbs

MD5 f958b22e072d5a0f6962b6e2e38e7ec9
SHA1 080ed5b48c1aec9c02025d27b4b5de97fef7752e
SHA256 49e2859d6ca3c818d845746a5f2d6a6f7d9a8fcb1bda9f7aff25b33551bd6b9b
SHA512 2bff5c110c7c00414838c2b126730cff3c23fc28196813b89dc681a328773057e33436a492eb72b01f7fdeac7e36dcb944e5b552ed7b86d2b260d54fe2d2847f