dcrat | 5ca78ff214c4c4c564bd3b6a23de1f6b5288d2b73473263c3fe53be7b2fe00a4

General

Target

run.exe
Size

1.1MB
MD5

b96afb3d55ec0f35c33a10eeaac8a895
SHA1

87af52aa9415b8701382bdd28fa780167c8da39a
SHA256

5ca78ff214c4c4c564bd3b6a23de1f6b5288d2b73473263c3fe53be7b2fe00a4
SHA512

b4f773a7bcd4353517bcfe73bd9a8a42cf4bd0c5e96d161b8c111fdbfc9ad368aed903eb0ba4e7e7aa4d2f9d662d86b43f0d061685b47392fa631d195d1a89fe
SSDEEP

24576:u2G/nvxW3WieCGvNNDBasL+tjITsX3kJ2VQVBu6fK9:ubA3j7sLLMW4

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2668	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2668	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\BridgemscomPerf\Blockdriversaves.exe	dcrat
behavioral1/memory/2644-13-0x0000000000040000-0x0000000000116000-memory.dmp	dcrat
behavioral1/memory/3004-48-0x00000000012C0000-0x0000000001396000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Blockdriversaves.exeSystem.exe

pid process

2644 Blockdriversaves.exe
3004 System.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2732 cmd.exe
2732 cmd.exe

pid	process
2732	cmd.exe
2732	cmd.exe

Drops file in Program Files directory 12 IoCs

Processes:

Blockdriversaves.exe

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	Blockdriversaves.exe
File created	C:\Program Files\Windows Sidebar\101b941d020240	Blockdriversaves.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	Blockdriversaves.exe
File created	C:\Program Files\Java\jre7\lib\lsass.exe	Blockdriversaves.exe
File created	C:\Program Files\DVD Maker\csrss.exe	Blockdriversaves.exe
File created	C:\Program Files\DVD Maker\886983d96e3d3e	Blockdriversaves.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	Blockdriversaves.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240	Blockdriversaves.exe
File created	C:\Program Files\Java\jre7\lib\6203df4a6bafc7	Blockdriversaves.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe	Blockdriversaves.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\cc11b995f2a76d	Blockdriversaves.exe
File created	C:\Program Files\Windows Sidebar\lsm.exe	Blockdriversaves.exe

Drops file in Windows directory 6 IoCs

Processes:

Blockdriversaves.exe

description	ioc	process
File created	C:\Windows\Branding\088424020bedd6	Blockdriversaves.exe
File created	C:\Windows\DigitalLocker\ja-JP\Blockdriversaves.exe	Blockdriversaves.exe
File created	C:\Windows\DigitalLocker\ja-JP\5fad7d1b4528a9	Blockdriversaves.exe
File created	C:\Windows\Fonts\System.exe	Blockdriversaves.exe
File created	C:\Windows\Fonts\27d1bcfc3c54e0	Blockdriversaves.exe
File created	C:\Windows\Branding\conhost.exe	Blockdriversaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

run.exeWScript.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1392 reg.exe

pid	process
1392	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2728	schtasks.exe
536	schtasks.exe
1000	schtasks.exe
2804	schtasks.exe
2528	schtasks.exe
1236	schtasks.exe
1148	schtasks.exe
2548	schtasks.exe
2020	schtasks.exe
852	schtasks.exe
1136	schtasks.exe
992	schtasks.exe
1880	schtasks.exe
884	schtasks.exe
1600	schtasks.exe
1552	schtasks.exe
1156	schtasks.exe
2128	schtasks.exe
800	schtasks.exe
1188	schtasks.exe
2764	schtasks.exe
1052	schtasks.exe
2184	schtasks.exe
2120	schtasks.exe
1344	schtasks.exe
2600	schtasks.exe
1912	schtasks.exe
1400	schtasks.exe
2380	schtasks.exe
1060	schtasks.exe
2608	schtasks.exe
2656	schtasks.exe
2588	schtasks.exe
860	schtasks.exe
2132	schtasks.exe
2508	schtasks.exe
584	schtasks.exe
840	schtasks.exe
2148	schtasks.exe
2860	schtasks.exe
1520	schtasks.exe
924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Blockdriversaves.exeSystem.exe

pid	process
2644	Blockdriversaves.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe
3004	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

System.exe

pid process

3004 System.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Blockdriversaves.exeSystem.exe

description pid process

Token: SeDebugPrivilege 2644 Blockdriversaves.exe
Token: SeDebugPrivilege 3004 System.exe

pid	process
3004	System.exe

description	pid	process
Token: SeDebugPrivilege	2644	Blockdriversaves.exe
Token: SeDebugPrivilege	3004	System.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

run.exeWScript.execmd.exeBlockdriversaves.exe

description	pid	process	target process
PID 2144 wrote to memory of 2328	2144	run.exe	WScript.exe
PID 2144 wrote to memory of 2328	2144	run.exe	WScript.exe
PID 2144 wrote to memory of 2328	2144	run.exe	WScript.exe
PID 2144 wrote to memory of 2328	2144	run.exe	WScript.exe
PID 2328 wrote to memory of 2732	2328	WScript.exe	cmd.exe
PID 2328 wrote to memory of 2732	2328	WScript.exe	cmd.exe
PID 2328 wrote to memory of 2732	2328	WScript.exe	cmd.exe
PID 2328 wrote to memory of 2732	2328	WScript.exe	cmd.exe
PID 2732 wrote to memory of 2644	2732	cmd.exe	Blockdriversaves.exe
PID 2732 wrote to memory of 2644	2732	cmd.exe	Blockdriversaves.exe
PID 2732 wrote to memory of 2644	2732	cmd.exe	Blockdriversaves.exe
PID 2732 wrote to memory of 2644	2732	cmd.exe	Blockdriversaves.exe
PID 2644 wrote to memory of 3004	2644	Blockdriversaves.exe	System.exe
PID 2644 wrote to memory of 3004	2644	Blockdriversaves.exe	System.exe
PID 2644 wrote to memory of 3004	2644	Blockdriversaves.exe	System.exe
PID 2732 wrote to memory of 1392	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 1392	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 1392	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 1392	2732	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\run.exe
"C:\Users\Admin\AppData\Local\Temp\run.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BridgemscomPerf\22mOx.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\BridgemscomPerf\hCjNvYF2QXUwTtkmCSErLzMKf.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732

C:\BridgemscomPerf\Blockdriversaves.exe
"C:\BridgemscomPerf\Blockdriversaves.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Fonts\System.exe
"C:\Windows\Fonts\System.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Branding\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockdriversavesB" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\ja-JP\Blockdriversaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Blockdriversaves" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\Blockdriversaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockdriversavesB" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\ja-JP\Blockdriversaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\BridgemscomPerf\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\BridgemscomPerf\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\BridgemscomPerf\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\BridgemscomPerf\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BridgemscomPerf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\BridgemscomPerf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\lib\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgemscomPerf\22mOx.vbe

Filesize
228B

MD5
318875a0ce065b25bb429d597ec51aaa

SHA1
5ccdc609ea74de5dc74b3bc607bda1117e59a844

SHA256
9290db81153869345a64a7072293ab67a7e732e5bb3e29b07d4dc94337089fbb

SHA512
300b820eef396fbbd5d18eb1b7c239ff0120452c336618566c89b2699f361a932f36a653b36f1605a6423809c0280d5bb811a3b22fd24d1851566c13d45cdb40

Download Submit
C:\BridgemscomPerf\hCjNvYF2QXUwTtkmCSErLzMKf.bat

Filesize
164B

MD5
a4440e6c07a95c68ca3452151df80c2c

SHA1
6244fda1eb5f240f4fd0167d5b3504e229d1c811

SHA256
4d16cdab29ae5e312adc69ec1e895ffd547fdb260afc521e768bf1d3c8335cf2

SHA512
6814198a7e41a7296a34dc7b03eb96e6e0b7d92599b1140b2bd9670c6a8b4f5a46b59d75ce30315fd603216f843080b2086d90017baaf4bf2c9672bd76a195aa

Download Submit
\BridgemscomPerf\Blockdriversaves.exe

Filesize
828KB

MD5
9a407aa5b6a9223671a327fbf4ba86fc

SHA1
25dfd2e7d8c9482ad7eb44ce8ba7e9d8377f2cc9

SHA256
87ebe4ff51d69ec7a90696761abf94f3f3a8dee4e27efd87aa8ab98fb952bc74

SHA512
6c983963a1ec5ee0273b20b50ecb5cd13307141c2857406c16d4bed1e2a3a8cd7b86eab3a0de7f161d5d5dfb8267e7026995068d5295db539902450f173d185a

Download Submit
memory/2644-13-0x0000000000040000-0x0000000000116000-memory.dmp

Filesize
856KB

Download
memory/3004-48-0x00000000012C0000-0x0000000001396000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads