Overview

overview

10

Static

static

10

Bridgewebsvc.exe

windows11-21h2-x64

10

Resubmissions

16-11-2024 10:31

241116-mkna4sylcm 10

Analysis

  • max time kernel
    7s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-11-2024 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bridgewebsvc.exe

  • Size

    828KB

  • MD5

    fddea23e803e9e5de212e4c0475c8f93

  • SHA1

    c4426bf36ce54917155da2bfbec1508c5a799664

  • SHA256

    f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6

  • SHA512

    05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591

  • SSDEEP

    12288:F+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3DhsHxrofdV:5STuMMATKPTVgxr4

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bridgewebsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\Bridgewebsvc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOviiU4MXS.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:732
        • C:\Recovery\WindowsRE\backgroundTaskHost.exe
          "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\backgroundTaskHost.exe
      Filesize

      828KB

      MD5

      fddea23e803e9e5de212e4c0475c8f93

      SHA1

      c4426bf36ce54917155da2bfbec1508c5a799664

      SHA256

      f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6

      SHA512

      05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uOviiU4MXS.bat
      Filesize

      209B

      MD5

      c7e9be07c0a4da46e774a084e78caa7a

      SHA1

      033f70a926040cb3bbd0cc176e18b18066cff4ed

      SHA256

      ed658d11a20c24bf795d1084e272e217c74a0dd550f7fdab29b7ffb7f2a5c273

      SHA512

      09a55667b1dba441757a3266721fd999d6c822b7168c8587805040f127686e8c5812900e699582ed1702659ab6e5b046e919c2ee3e1fb4d7619a402d4eafde5f

      Download Submit

    • memory/3480-0-0x00007FFCFF133000-0x00007FFCFF135000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3480-1-0x0000000000BA0000-0x0000000000C76000-memory.dmp

      Filesize

      856KB

      Download

    • memory/3480-2-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3480-14-0x00007FFCFF130000-0x00007FFCFFBF2000-memory.dmp

      Filesize

      10.8MB

      Download