dcrat | 0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.exe
Size

3.7MB
MD5

934f077da68d3fda26839f06286b71e4
SHA1

f805ec2e43d7518d420b94b954fd6b4e640ef64d
SHA256

0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b
SHA512

85e2bff55ce5aa6569d50146a3d95c611f774605fa9a8ee041cede3a928bf7585943e63aaf9eb5b14dc4d25fe6bee3e57d58c9b586653322300aaa67e87dd714
SSDEEP

49152:UbA30FDlon6ZtXRUNAtf3zkDcpigc4Jp8+bF5BxiLFHqzQ6yQH2lJwtYv2:UbZ7tXyNAtf3Rigc4n58xHqzQ6TH2Lel

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	3068	schtasks.exe	35

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000164b1-14.dat	dcrat
behavioral1/memory/2672-18-0x00000000012F0000-0x000000000165A000-memory.dmp	dcrat
behavioral1/memory/1444-84-0x0000000000330000-0x000000000069A000-memory.dmp	dcrat
behavioral1/memory/2272-102-0x0000000000C50000-0x0000000000FBA000-memory.dmp	dcrat

Executes dropped EXE 6 IoCs

pid	Process
2672	hyperblockDll.exe
1444	wininit.exe
2056	wininit.exe
2272	wininit.exe
2460	wininit.exe
1696	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	cmd.exe
2112	cmd.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72	hyperblockDll.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\6cb0b6c459d5d3	hyperblockDll.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\explorer.exe	hyperblockDll.exe
File created	C:\Windows\AppCompat\7a0fd90576e088	hyperblockDll.exe
File created	C:\Windows\Cursors\sppsvc.exe	hyperblockDll.exe
File created	C:\Windows\Cursors\0a1fd5f707cd16	hyperblockDll.exe
File created	C:\Windows\it-IT\System.exe	hyperblockDll.exe
File opened for modification	C:\Windows\it-IT\System.exe	hyperblockDll.exe
File created	C:\Windows\addins\OSPPSVC.exe	hyperblockDll.exe
File created	C:\Windows\it-IT\27d1bcfc3c54e0	hyperblockDll.exe
File created	C:\Windows\addins\1610b97d3ab4a7	hyperblockDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1576	schtasks.exe
1168	schtasks.exe
1092	schtasks.exe
2492	schtasks.exe
2644	schtasks.exe
1048	schtasks.exe
776	schtasks.exe
1424	schtasks.exe
236	schtasks.exe
1660	schtasks.exe
2980	schtasks.exe
600	schtasks.exe
1696	schtasks.exe
2400	schtasks.exe
964	schtasks.exe
2956	schtasks.exe
3048	schtasks.exe
1812	schtasks.exe
2204	schtasks.exe
1896	schtasks.exe
704	schtasks.exe
2460	schtasks.exe
2184	schtasks.exe
1672	schtasks.exe
1980	schtasks.exe
1728	schtasks.exe
2236	schtasks.exe
1336	schtasks.exe
784	schtasks.exe
1668	schtasks.exe
2052	schtasks.exe
1704	schtasks.exe
1608	schtasks.exe
640	schtasks.exe
2456	schtasks.exe
292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
2672	hyperblockDll.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
1444	wininit.exe
2272	wininit.exe
2272	wininit.exe
2272	wininit.exe
2272	wininit.exe
2272	wininit.exe
2272	wininit.exe
2272	wininit.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	hyperblockDll.exe
Token: SeDebugPrivilege	1444	wininit.exe
Token: SeDebugPrivilege	2272	wininit.exe
Token: SeDebugPrivilege	2056	wininit.exe
Token: SeDebugPrivilege	2460	wininit.exe
Token: SeDebugPrivilege	1696	wininit.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2816	2612	.exe	30
PID 2612 wrote to memory of 2816	2612	.exe	30
PID 2612 wrote to memory of 2816	2612	.exe	30
PID 2612 wrote to memory of 2816	2612	.exe	30
PID 2612 wrote to memory of 2448	2612	.exe	31
PID 2612 wrote to memory of 2448	2612	.exe	31
PID 2612 wrote to memory of 2448	2612	.exe	31
PID 2612 wrote to memory of 2448	2612	.exe	31
PID 2816 wrote to memory of 2112	2816	WScript.exe	32
PID 2816 wrote to memory of 2112	2816	WScript.exe	32
PID 2816 wrote to memory of 2112	2816	WScript.exe	32
PID 2816 wrote to memory of 2112	2816	WScript.exe	32
PID 2112 wrote to memory of 2672	2112	cmd.exe	34
PID 2112 wrote to memory of 2672	2112	cmd.exe	34
PID 2112 wrote to memory of 2672	2112	cmd.exe	34
PID 2112 wrote to memory of 2672	2112	cmd.exe	34
PID 2672 wrote to memory of 1444	2672	hyperblockDll.exe	72
PID 2672 wrote to memory of 1444	2672	hyperblockDll.exe	72
PID 2672 wrote to memory of 1444	2672	hyperblockDll.exe	72
PID 1444 wrote to memory of 2140	1444	wininit.exe	73
PID 1444 wrote to memory of 2140	1444	wininit.exe	73
PID 1444 wrote to memory of 2140	1444	wininit.exe	73
PID 1444 wrote to memory of 2096	1444	wininit.exe	74
PID 1444 wrote to memory of 2096	1444	wininit.exe	74
PID 1444 wrote to memory of 2096	1444	wininit.exe	74
PID 1444 wrote to memory of 2500	1444	wininit.exe	75
PID 1444 wrote to memory of 2500	1444	wininit.exe	75
PID 1444 wrote to memory of 2500	1444	wininit.exe	75
PID 2500 wrote to memory of 1332	2500	cmd.exe	77
PID 2500 wrote to memory of 1332	2500	cmd.exe	77
PID 2500 wrote to memory of 1332	2500	cmd.exe	77
PID 2500 wrote to memory of 2056	2500	cmd.exe	78
PID 2500 wrote to memory of 2056	2500	cmd.exe	78
PID 2500 wrote to memory of 2056	2500	cmd.exe	78
PID 2140 wrote to memory of 2272	2140	WScript.exe	79
PID 2140 wrote to memory of 2272	2140	WScript.exe	79
PID 2140 wrote to memory of 2272	2140	WScript.exe	79
PID 2272 wrote to memory of 2188	2272	wininit.exe	80
PID 2272 wrote to memory of 2188	2272	wininit.exe	80
PID 2272 wrote to memory of 2188	2272	wininit.exe	80
PID 2272 wrote to memory of 860	2272	wininit.exe	81
PID 2272 wrote to memory of 860	2272	wininit.exe	81
PID 2272 wrote to memory of 860	2272	wininit.exe	81
PID 860 wrote to memory of 1584	860	cmd.exe	83
PID 860 wrote to memory of 1584	860	cmd.exe	83
PID 860 wrote to memory of 1584	860	cmd.exe	83
PID 2188 wrote to memory of 2460	2188	WScript.exe	84
PID 2188 wrote to memory of 2460	2188	WScript.exe	84
PID 2188 wrote to memory of 2460	2188	WScript.exe	84
PID 860 wrote to memory of 1696	860	cmd.exe	85
PID 860 wrote to memory of 1696	860	cmd.exe	85
PID 860 wrote to memory of 1696	860	cmd.exe	85

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\lcZ6MvLb.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\BridgehyperchainportAgent\hyperblockDll.exe
      "C:\BridgehyperchainportAgent\hyperblockDll.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2672
    - - C:\Users\Admin\Recent\wininit.exe
        
        "C:\Users\Admin\Recent\wininit.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1444
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f28706c6-64ba-4979-a250-aed8aa89e576.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\Recent\wininit.exe
        
        C:\Users\Admin\Recent\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad4f017b-3b4b-4fdb-bb4d-266b92f5534a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\Recent\wininit.exe
        
        C:\Users\Admin\Recent\wininit.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xWHO9s60Nc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1584
        
        C:\Users\Admin\Recent\wininit.exe
        
        "C:\Users\Admin\Recent\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608c2997-00c8-4681-be38-1ac60861bc5a.vbs"
        6⤵
        
        PID:2096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uADm9B5586.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1332
        
        C:\Users\Admin\Recent\wininit.exe
        
        "C:\Users\Admin\Recent\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\BridgehyperchainportAgent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\BridgehyperchainportAgent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppCompat\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\BridgehyperchainportAgent\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\BridgehyperchainportAgent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\BridgehyperchainportAgent\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\BridgehyperchainportAgent\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat

Filesize
48B

MD5
efb9b32455839f2f1e46065e13aeb93f

SHA1
cae49ccdd500a9808ac144387b15ad6ced46c036

SHA256
611d9c30bfabaaa6e9aee5c75025b71dca9116c45300ac325febeefe2d5b0e24

SHA512
351d053f36e497238add089f19e30f164c1110be7826d58e7fb71705b06a7d6d51789add692ac08af4c1e613e3f9c54789a5c8f707ad302a70bcd379645cff1c

Download Submit
C:\BridgehyperchainportAgent\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BridgehyperchainportAgent\lcZ6MvLb.vbe

Filesize
231B

MD5
05a47a3e17c29bf5b8bc6949a26ccb44

SHA1
87e896625a30943a252a839ba3e22507422bbb04

SHA256
85f873ac1def74dea8180c0cce0084490505d2bc213abf34d3a95fda4b92c63f

SHA512
72ef9bb092cfbc824341aa0075ee594b410e9afea3a8ae40c0f1743a4cb2528005701099ef156dc0f2a2da4474809f1d5995e01d12c6ac36f0cc7ae6baf8f64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\608c2997-00c8-4681-be38-1ac60861bc5a.vbs

Filesize
485B

MD5
701b9348130e58c17e6d6ec4c5bc855d

SHA1
05b510c4d08807a3c26b4b8a5823da658abd9ec8

SHA256
68afcb80e5db12f986ea0b549fde28d4759b20c0f7ac5cb3cecd81350badb37c

SHA512
2f56261b7a58690b0c6cfb117d11d9ea67b9522231f56052bb7c80244a6b19882f7413904cb2b9e464f74efc07f80dcc8174bd84eb4d3ab2f565aed05c7d07c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad4f017b-3b4b-4fdb-bb4d-266b92f5534a.vbs

Filesize
709B

MD5
14d20cb0ddbc965b493b4d37da7174c8

SHA1
c3c787edabf61ddc4bea309b3c83386b7465dc53

SHA256
13b84843e197a4716ad857bd30310d6cbd1fba3fa2fc893a2ac59b97b5bba80a

SHA512
8c8f5a53619044df0fdccfa253ab8e2744db4eba631913316ae6f000a9f2380604fc3867655872c92f2a2485df3f1fc645acccd87d67632020e9887b88db99ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f28706c6-64ba-4979-a250-aed8aa89e576.vbs

Filesize
709B

MD5
b76221ff3554d711f1f745ff9b82719b

SHA1
73475548049ca67e87c8fa105d050c570a646976

SHA256
258b7a1f71cd43895120002158c972b0d34ee3061d833645d71014b60e3b4643

SHA512
3f970fda6481dca265630964bef182a7530c616c22773062bbcf6d8faaa06bfd8c96e54e63e42ab103ce07657d72d1d59d3a8ee7c9ded23053d0b65a6104f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\uADm9B5586.bat

Filesize
198B

MD5
c225ed8c5dd5458764302b495bd9796d

SHA1
12697253aaf01ea46d50de91c3a7a8599825651b

SHA256
92b04b394d9a866dc0a351085907f820f977f859bed36abda195a30754bd490d

SHA512
f598a8d37e6dcc60af0a0cfd5c92f3d8a77f6ff7aff68008eae34b2032a827256523e788bb041bc11cba17b1e2733e004ada165acdefae1c1db7e9dcf768b00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWHO9s60Nc.bat

Filesize
198B

MD5
b4ed02b8f707aa4993b33b639dd80615

SHA1
7af95335adff8d300303b3ec2480d881f4b2baca

SHA256
4ac6104602d9e452debcdb17fdbe4b1bb8d095b4a5014b4c7c327d5a7a0dde77

SHA512
d98ae157a2ec03b9db078b7c7cd162c86563f47014added4b952dafd66308b879639e0a20ad22c8972779734a779749d23b707d1582586d0df5d8a17c6cc59a2

Download Submit
\BridgehyperchainportAgent\hyperblockDll.exe

Filesize
3.4MB

MD5
df6d3aff42df48d0830227cae92e6bd6

SHA1
bf7f75fd82694b2a44098df2b28c2db35e7ea142

SHA256
05b5df5bc84e193fba3aa26d1b20cb81faa7b176a24a8df2238c8ed61e6e583a

SHA512
07163831729582397fdbdcef5d921750b2968b9d555fd0b881913ae1b283573e4efc827d0eb51552882743b541e44ff2a8dbf0d99a4e5c3f47228a4536bab64a

Download Submit
memory/1444-85-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/1444-84-0x0000000000330000-0x000000000069A000-memory.dmp

Filesize
3.4MB

Download
memory/2272-102-0x0000000000C50000-0x0000000000FBA000-memory.dmp

Filesize
3.4MB

Download
memory/2672-38-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2672-43-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2672-28-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2672-29-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2672-30-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2672-31-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2672-32-0x0000000000B30000-0x0000000000B86000-memory.dmp

Filesize
344KB

Download
memory/2672-33-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2672-34-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2672-35-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2672-36-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2672-37-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2672-26-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2672-39-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2672-40-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2672-41-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2672-42-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2672-27-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2672-44-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2672-45-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/2672-46-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2672-47-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2672-48-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2672-49-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2672-50-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2672-51-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2672-52-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2672-53-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2672-25-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2672-24-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2672-23-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2672-22-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2672-21-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2672-20-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2672-19-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/2672-18-0x00000000012F0000-0x000000000165A000-memory.dmp

Filesize
3.4MB

Download