dcrat | 3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb

Analysis

max time kernel
118s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059DD6A8CB2D31871BB82DBB158965FA.exe
Size

1.9MB
MD5

059dd6a8cb2d31871bb82dbb158965fa
SHA1

10507debf7b1a88791b65fc08a5b995f9b873aee
SHA256

3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb
SHA512

3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e
SSDEEP

24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Bridgecommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\", \"C:\\Windows\\ja-JP\\lsm.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\", \"C:\\Windows\\ja-JP\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\", \"C:\\Windows\\ja-JP\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\winlogon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\", \"C:\\Windows\\ja-JP\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\winlogon.exe\", \"C:\\hyperContaineragent\\csrss.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\", \"C:\\Windows\\ja-JP\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\winlogon.exe\", \"C:\\hyperContaineragent\\csrss.exe\", \"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\""	Bridgecommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2808	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
348	powershell.exe
1140	powershell.exe
900	powershell.exe
984	powershell.exe
2408	powershell.exe
1412	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

Bridgecommon.exewinlogon.exe

pid	Process
2728	Bridgecommon.exe
1656	winlogon.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2300	cmd.exe
2300	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bridgecommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hyperContaineragent\\csrss.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\ja-JP\\lsm.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\winlogon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\winlogon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\explorer.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\ja-JP\\lsm.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hyperContaineragent\\csrss.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe
File created	\??\c:\Windows\System32\CSC10D7AD024B1A4543ACFF25D8D47A68C.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

Bridgecommon.exe

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dllhost.exe	Bridgecommon.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	Bridgecommon.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe	Bridgecommon.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\cc11b995f2a76d	Bridgecommon.exe

Drops file in Windows directory 2 IoCs

Processes:

Bridgecommon.exe

description	ioc	Process
File created	C:\Windows\ja-JP\101b941d020240	Bridgecommon.exe
File created	C:\Windows\ja-JP\lsm.exe	Bridgecommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

059DD6A8CB2D31871BB82DBB158965FA.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	059DD6A8CB2D31871BB82DBB158965FA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1244	schtasks.exe
2288	schtasks.exe
2784	schtasks.exe
1492	schtasks.exe
1540	schtasks.exe
1572	schtasks.exe
2868	schtasks.exe
1148	schtasks.exe
820	schtasks.exe
1888	schtasks.exe
2920	schtasks.exe
2716	schtasks.exe
2616	schtasks.exe
2668	schtasks.exe
1736	schtasks.exe
1548	schtasks.exe
356	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Bridgecommon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

pid	Process
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2728	Bridgecommon.exe
2408	powershell.exe
1140	powershell.exe
1412	powershell.exe
900	powershell.exe
984	powershell.exe
348	powershell.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Bridgecommon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	2728	Bridgecommon.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1656	winlogon.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

059DD6A8CB2D31871BB82DBB158965FA.exeWScript.execmd.exeBridgecommon.execsc.execmd.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 3032	2380	059DD6A8CB2D31871BB82DBB158965FA.exe	30
PID 2380 wrote to memory of 3032	2380	059DD6A8CB2D31871BB82DBB158965FA.exe	30
PID 2380 wrote to memory of 3032	2380	059DD6A8CB2D31871BB82DBB158965FA.exe	30
PID 2380 wrote to memory of 3032	2380	059DD6A8CB2D31871BB82DBB158965FA.exe	30
PID 3032 wrote to memory of 2300	3032	WScript.exe	32
PID 3032 wrote to memory of 2300	3032	WScript.exe	32
PID 3032 wrote to memory of 2300	3032	WScript.exe	32
PID 3032 wrote to memory of 2300	3032	WScript.exe	32
PID 2300 wrote to memory of 2728	2300	cmd.exe	34
PID 2300 wrote to memory of 2728	2300	cmd.exe	34
PID 2300 wrote to memory of 2728	2300	cmd.exe	34
PID 2300 wrote to memory of 2728	2300	cmd.exe	34
PID 2728 wrote to memory of 2012	2728	Bridgecommon.exe	39
PID 2728 wrote to memory of 2012	2728	Bridgecommon.exe	39
PID 2728 wrote to memory of 2012	2728	Bridgecommon.exe	39
PID 2012 wrote to memory of 2116	2012	csc.exe	41
PID 2012 wrote to memory of 2116	2012	csc.exe	41
PID 2012 wrote to memory of 2116	2012	csc.exe	41
PID 2728 wrote to memory of 348	2728	Bridgecommon.exe	57
PID 2728 wrote to memory of 348	2728	Bridgecommon.exe	57
PID 2728 wrote to memory of 348	2728	Bridgecommon.exe	57
PID 2728 wrote to memory of 1412	2728	Bridgecommon.exe	58
PID 2728 wrote to memory of 1412	2728	Bridgecommon.exe	58
PID 2728 wrote to memory of 1412	2728	Bridgecommon.exe	58
PID 2728 wrote to memory of 2408	2728	Bridgecommon.exe	59
PID 2728 wrote to memory of 2408	2728	Bridgecommon.exe	59
PID 2728 wrote to memory of 2408	2728	Bridgecommon.exe	59
PID 2728 wrote to memory of 984	2728	Bridgecommon.exe	60
PID 2728 wrote to memory of 984	2728	Bridgecommon.exe	60
PID 2728 wrote to memory of 984	2728	Bridgecommon.exe	60
PID 2728 wrote to memory of 1140	2728	Bridgecommon.exe	62
PID 2728 wrote to memory of 1140	2728	Bridgecommon.exe	62
PID 2728 wrote to memory of 1140	2728	Bridgecommon.exe	62
PID 2728 wrote to memory of 900	2728	Bridgecommon.exe	64
PID 2728 wrote to memory of 900	2728	Bridgecommon.exe	64
PID 2728 wrote to memory of 900	2728	Bridgecommon.exe	64
PID 2728 wrote to memory of 532	2728	Bridgecommon.exe	69
PID 2728 wrote to memory of 532	2728	Bridgecommon.exe	69
PID 2728 wrote to memory of 532	2728	Bridgecommon.exe	69
PID 532 wrote to memory of 1048	532	cmd.exe	71
PID 532 wrote to memory of 1048	532	cmd.exe	71
PID 532 wrote to memory of 1048	532	cmd.exe	71
PID 532 wrote to memory of 1520	532	cmd.exe	72
PID 532 wrote to memory of 1520	532	cmd.exe	72
PID 532 wrote to memory of 1520	532	cmd.exe	72
PID 532 wrote to memory of 1656	532	cmd.exe	73
PID 532 wrote to memory of 1656	532	cmd.exe	73
PID 532 wrote to memory of 1656	532	cmd.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe
"C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\hyperContaineragent\Bridgecommon.exe
      "C:\hyperContaineragent/Bridgecommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\msllsrzy\msllsrzy.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF27A.tmp" "c:\Windows\System32\CSC10D7AD024B1A4543ACFF25D8D47A68C.TMP"
        6⤵
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPz5dCoxv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1048
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1520
      - C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\hyperContaineragent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\hyperContaineragent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\hyperContaineragent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 10 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 14 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF27A.tmp

Filesize
1KB

MD5
953f877de5cb0b83932685ea300aa5f5

SHA1
10b6c7de2fb67e921da721f4deb478390cfbcb04

SHA256
686a2c35906563acc58e9ad5c703d4b3ac6a5d9eee1e0686f5f6eefc422a52da

SHA512
db67e0595d5214563cf076a146fe81bf78cf316e2ab4ddaafc33a7e8d08e5971e5b94cd1111054f7114f5d4bf3d3b5df7be958d8cfb57ab7d56a6f95b28029dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPz5dCoxv.bat

Filesize
226B

MD5
e272bed2dc2b9c1176de064aa39dc42d

SHA1
c3741ba43aad5b121d40c2759dff40f754e4f0be

SHA256
1a693fcca7abed6e5ec78880f37499e005e083013d4ddec2fa6c2a0390f746e4

SHA512
74d621ec5928c2b487d9225a3e58f08ce37ab8100de45416dae50039e3f5478a6eefbd050fb716a808bfaa90dfa321982107f6f29ebbd5b6c601acb85e4e578d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
19b40e2bcd5766b38882f2c264f264a3

SHA1
429bbdc7cc8f3880248a8fb68da0131aa8f20947

SHA256
af701dd31e45582449e30a6c6ff78841058f3fe0a2250241743ba592942d4fe2

SHA512
a331ced7e9b1b8b58521e46178259a5a3ac33a828c3029b8e61a4ca27bd67c8ab5638efcc50e517176e59faa892d0c8947362b272aa60702af1119461c8e0907

Download Submit
C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe

Filesize
232B

MD5
321b2b59ad9c31cf688937ac999a85af

SHA1
4e427aaa9f2ef8a56da4c78bef071c28db269c36

SHA256
5758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85

SHA512
2e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2

Download Submit
C:\hyperContaineragent\Bridgecommon.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat

Filesize
83B

MD5
df218c1160a79b119167d4dd812857ea

SHA1
e0adece134e3ab420a5eb152b98f89f8b15399bb

SHA256
e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db

SHA512
aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\msllsrzy\msllsrzy.0.cs

Filesize
437B

MD5
ad5b6333fd6778237766be598f952293

SHA1
cfa2411c33f1cd79dc684c4c810bb77a219ee522

SHA256
8dd501e47954418a6178d483c0ae62a9be45d2f3c96c7642039c4d2bdae2c8dd

SHA512
054e7a3dbff20f7c138f49f6e1c527dd6bcae691eb0fd5f09c067ab77b4d186b3676a872cf2ea1682cb0952299a93334775db06bff70b82c264940f0e4763396

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\msllsrzy\msllsrzy.cmdline

Filesize
235B

MD5
4bad0d29e22ab1365a2762e9f61f0ecd

SHA1
bf27641b26e3dfdefd68707fec181a43d6b0b348

SHA256
779d458ebd94fac8786c280913196610f87b438bcade8863e0852950fda5e8b6

SHA512
ce0f36ef294a53b5444e73a43ae263a7924259b082571fa26d2eb3f4eacba1bb1cc156e7291131cd91ae4cf82942f48e0e862c9ce88d4d84efa004f264bda795

Download Submit
\??\c:\Windows\System32\CSC10D7AD024B1A4543ACFF25D8D47A68C.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/1656-76-0x00000000003F0000-0x000000000059A000-memory.dmp

Filesize
1.7MB

Download
memory/2408-49-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2408-47-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2728-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2728-15-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2728-13-0x0000000001240000-0x00000000013EA000-memory.dmp

Filesize
1.7MB

Download