dcrat | 3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
Size

1.9MB
MD5

059dd6a8cb2d31871bb82dbb158965fa
SHA1

10507debf7b1a88791b65fc08a5b995f9b873aee
SHA256

3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb
SHA512

3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e
SSDEEP

24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\hyperContaineragent\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\taskhostw.exe\", \"C:\\hyperContaineragent\\services.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\hyperContaineragent\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\taskhostw.exe\", \"C:\\hyperContaineragent\\services.exe\", \"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\hyperContaineragent\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\hyperContaineragent\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\hyperContaineragent\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\taskhostw.exe\""	Bridgecommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1256	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1256	schtasks.exe	92

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe
2500	powershell.exe
4848	powershell.exe
4116	powershell.exe
4984	powershell.exe
1520	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Bridgecommon.exe

Executes dropped EXE 2 IoCs

pid	Process
3472	Bridgecommon.exe
4672	Bridgecommon.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\taskhostw.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\taskhostw.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\hyperContaineragent\\services.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Documents\\Idle.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Documents\\Idle.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\hyperContaineragent\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\hyperContaineragent\\dllhost.exe\""	Bridgecommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\hyperContaineragent\\services.exe\""	Bridgecommon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD57A2A8CE94F45FFB6B91E4169A09996.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe	Bridgecommon.exe
File created	C:\Program Files\Mozilla Firefox\fonts\ea9f0e6c9e2dcd	Bridgecommon.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Bridgecommon.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	Bridgecommon.exe
File created	C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe	Bridgecommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Bridgecommon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4460	schtasks.exe
2208	schtasks.exe
1848	schtasks.exe
2576	schtasks.exe
5100	schtasks.exe
4960	schtasks.exe
512	schtasks.exe
984	schtasks.exe
2276	schtasks.exe
4776	schtasks.exe
4244	schtasks.exe
1292	schtasks.exe
3928	schtasks.exe
1116	schtasks.exe
5004	schtasks.exe
1704	schtasks.exe
4304	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
3472	Bridgecommon.exe
4984	powershell.exe
4984	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
2384	powershell.exe
2384	powershell.exe
4848	powershell.exe
4848	powershell.exe
1520	powershell.exe
1520	powershell.exe
4848	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4984	powershell.exe
2384	powershell.exe
1520	powershell.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe
4672	Bridgecommon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	Bridgecommon.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4672	Bridgecommon.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3992	3064	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe	87
PID 3064 wrote to memory of 3992	3064	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe	87
PID 3064 wrote to memory of 3992	3064	3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe	87
PID 3992 wrote to memory of 5000	3992	WScript.exe	96
PID 3992 wrote to memory of 5000	3992	WScript.exe	96
PID 3992 wrote to memory of 5000	3992	WScript.exe	96
PID 5000 wrote to memory of 3472	5000	cmd.exe	98
PID 5000 wrote to memory of 3472	5000	cmd.exe	98
PID 3472 wrote to memory of 684	3472	Bridgecommon.exe	102
PID 3472 wrote to memory of 684	3472	Bridgecommon.exe	102
PID 684 wrote to memory of 4976	684	csc.exe	104
PID 684 wrote to memory of 4976	684	csc.exe	104
PID 3472 wrote to memory of 4116	3472	Bridgecommon.exe	120
PID 3472 wrote to memory of 4116	3472	Bridgecommon.exe	120
PID 3472 wrote to memory of 4848	3472	Bridgecommon.exe	121
PID 3472 wrote to memory of 4848	3472	Bridgecommon.exe	121
PID 3472 wrote to memory of 4984	3472	Bridgecommon.exe	122
PID 3472 wrote to memory of 4984	3472	Bridgecommon.exe	122
PID 3472 wrote to memory of 2500	3472	Bridgecommon.exe	123
PID 3472 wrote to memory of 2500	3472	Bridgecommon.exe	123
PID 3472 wrote to memory of 2384	3472	Bridgecommon.exe	124
PID 3472 wrote to memory of 2384	3472	Bridgecommon.exe	124
PID 3472 wrote to memory of 1520	3472	Bridgecommon.exe	125
PID 3472 wrote to memory of 1520	3472	Bridgecommon.exe	125
PID 3472 wrote to memory of 2784	3472	Bridgecommon.exe	132
PID 3472 wrote to memory of 2784	3472	Bridgecommon.exe	132
PID 2784 wrote to memory of 2552	2784	cmd.exe	134
PID 2784 wrote to memory of 2552	2784	cmd.exe	134
PID 2784 wrote to memory of 4304	2784	cmd.exe	135
PID 2784 wrote to memory of 4304	2784	cmd.exe	135
PID 2784 wrote to memory of 4672	2784	cmd.exe	136
PID 2784 wrote to memory of 4672	2784	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
"C:\Users\Admin\AppData\Local\Temp\3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\hyperContaineragent\Bridgecommon.exe
      "C:\hyperContaineragent/Bridgecommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr0xebhp\xr0xebhp.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp" "c:\Windows\System32\CSCD57A2A8CE94F45FFB6B91E4169A09996.TMP"
        6⤵
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ADQCeVkDb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2552
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4304
      - C:\hyperContaineragent\Bridgecommon.exe
        
        "C:\hyperContaineragent\Bridgecommon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\hyperContaineragent\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\hyperContaineragent\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\hyperContaineragent\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\hyperContaineragent\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\hyperContaineragent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\hyperContaineragent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 8 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 8 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bridgecommon.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
8b6fadaecc382ff82da19a6e9d383a08

SHA1
fb54b49b29217e622de68fbe7fe82bddc85f5627

SHA256
81f7faf702d3553b4f9e951f48c1e50603627d2c02c030eaca239aa4d893e868

SHA512
a4762d0f45714cf471136d46ef30256c9b21f20b94b2421181ad0a51bcd711d8a71204b4c621c8cce264d8c2eef1461498ef7229d6304cf29aaf3ad401346efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ADQCeVkDb.bat

Filesize
215B

MD5
706e47384a4cc397ea2724c8b75314aa

SHA1
25e0e2a943f1800b929a480530a6ec421f45b279

SHA256
164eff2fe391fed8fab74ecdd004a8c55c6aa1e0a5f41a210580998df848e227

SHA512
83bb4f87674ef375f7a9e5a2e24d12d053c318094d5e36324125c2e75f1b90f5ee75ebab5b59ec8f197f550f2758fd9b4d4b0bcb67b04992a7324a799f1e4506

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp

Filesize
1KB

MD5
7be59bb69aaf5a20390404b7ab63c5e1

SHA1
fd20a2b618767ce05da340a263816815e463c231

SHA256
9b25b562545e7acbdb068a141453d85fe888a5e683de63e38ce111ede639320e

SHA512
7737a8d880e2e73dafa4478190cb8e4d3d6b061fdf48d48e3cb154ae047362214b0f6b08117bc81819925e028624b2d5189da5d5442ec7022869f548120d6232

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hazn3oe.lhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe

Filesize
232B

MD5
321b2b59ad9c31cf688937ac999a85af

SHA1
4e427aaa9f2ef8a56da4c78bef071c28db269c36

SHA256
5758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85

SHA512
2e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2

Download Submit
C:\hyperContaineragent\Bridgecommon.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat

Filesize
83B

MD5
df218c1160a79b119167d4dd812857ea

SHA1
e0adece134e3ab420a5eb152b98f89f8b15399bb

SHA256
e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db

SHA512
aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xr0xebhp\xr0xebhp.0.cs

Filesize
369B

MD5
f10224e3a7648b447add1dd965e75b52

SHA1
83ae924d7a3c841e4a348b654be7db416111daeb

SHA256
17e7ae9ed96c77d6cdc50b4a5259cb6c0a83af608796d49486b8ffe0c3cc28f3

SHA512
c515dd2a3e88a953846c2c0f5459c3a2bbe6fd7a9b625b2f3f8e4cef76525ff7ca8c65c7f4531608802cfb3f65e9fb4dd1e839baf15caa25553f56d96125a96c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xr0xebhp\xr0xebhp.cmdline

Filesize
235B

MD5
d0f7c809c4c28ee79a22c218f65a7d31

SHA1
f8598185574d729a0f9d637834f7dc2ac83903db

SHA256
55da52897b8c1742b8d97e20373eb0ae865203a0e67e8185faccbdfeb1d4c0fd

SHA512
6c9be9257e90d30a66889a22546071a4af6a2dd3e1ba8e492f88447836e383014f56bb0b510ed4b9457eb653ec11d1426db221d97858c6a014199b506ec513f2

Download Submit
\??\c:\Windows\System32\CSCD57A2A8CE94F45FFB6B91E4169A09996.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/2500-54-0x0000029FD1B20000-0x0000029FD1B42000-memory.dmp

Filesize
136KB

Download
memory/3472-74-0x000000001BB40000-0x000000001BB8E000-memory.dmp

Filesize
312KB

Download
memory/3472-17-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/3472-15-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3472-13-0x0000000000E20000-0x0000000000FCA000-memory.dmp

Filesize
1.7MB

Download
memory/3472-12-0x00007FFBC2F53000-0x00007FFBC2F55000-memory.dmp

Filesize
8KB

Download
memory/4672-120-0x000000001C3B0000-0x000000001C3FE000-memory.dmp

Filesize
312KB

Download