dcrat | de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067

Analysis

max time kernel
60s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

1.1MB
MD5

4a00e42d19f9bae651f70e79cd5ef162
SHA1

b196db8fc96765b65f9da36f7c55664e9c756bb9
SHA256

de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067
SHA512

69735af42d4d44ff7814beacee6a0b80a841f44f09962a5d42ab9fdac673971fcd10e76de53b25ce19693fe6826e557fc8fe4721b3611ac22efbfa76f7405055
SSDEEP

24576:u2G/nvxW3WieCs/p/1uLbrQZVK8qBlKSUd:ubA3j7TQL3Ane

Score

10^/10

dcrat credential_access discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x001d00000002aaff-10.dat	dcrat
behavioral2/memory/2852-13-0x00000000004D0000-0x00000000005A6000-memory.dmp	dcrat

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
2852	Bridgesurrogate.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	Bridgesurrogate.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
3	ipinfo.io

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	Bridgesurrogate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-125.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsStoreLogo.scale-100_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-32.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-400.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSplashScreen.contrast-black_scale-125.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\NotepadSmallTile.scale-125.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\de-DE\Cortana.bin	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCard.types.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\DashboardLib\WebView2Loader.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-20_altform-lightunplated.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-72_altform-unplated_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-100.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.TerminalConnection.winmd	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\colors\FluentColors.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\warn.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\LargeTile.scale-200.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.Devices.Custom.CustomDeviceContract.winmd	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\safeRequestAnimationFrame.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui	Bridgesurrogate.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IAnimationStyles.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml	Bridgesurrogate.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.scale-100_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-16_altform-lightunplated.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\IRenderFunction.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Sticky.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardImage.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom\setPortalAttribute.js	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-125.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-36.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\Square44x44Logo.targetsize-24.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\LensSDK\Assets\EnsoUI\dashboard_slomo_OFF.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Wide.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.scale-200_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_AutumnLeaves_Thumbnail.jpg	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200_contrast-black.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-72_contrast-white.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-125.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Xml.dll	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesMedTile.scale-200_contrast-black.png	Bridgesurrogate.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare71x71Logo.scale-100.png	Bridgesurrogate.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\system.Resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.22000.434_pt-br_83a272a288814d50.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_10.0.22000.469_en-us_150abcceef0c80ce.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.184.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package~31bf3856ad364e35~amd64~zh-TW~10.0.22000.184.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Clipboard-Package~31bf3856ad364e35~amd64~~10.0.22000.282.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Activities.Core.Presentation.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..oem-coren.resources_31bf3856ad364e35_10.0.22000.493_ca-es_e415ba079232652c.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_winpe-hta-package-o..oyment-languagepack_31bf3856ad364e35_10.0.22000.348_et-ee_a849ae95257bc8d1.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\INF\c_sdhost.inf	Bridgesurrogate.exe
File opened for modification	C:\Windows\INF\ESENT\0409\esentprf.ini	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Activities.Core.Presentation.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Guest-DynamicMemory-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.469.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ObjectModel.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\Microsoft.Data.Entity.Build.Tasks.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-ui-networkuxcontroller_31bf3856ad364e35_10.0.22000.37_none_c161361bf1d79027.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..access-userdataapis_31bf3856ad364e35_10.0.22000.41_none_ec1d56b3dd0434a4.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_windows-containeros..oyment-languagepack_31bf3856ad364e35_10.0.22000.184_en-us_86a95ee62b0753ee.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-NanoServer-Package-Wrapper~31bf3856ad364e35~amd64~sk-SK~10.0.22000.184.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package~31bf3856ad364e35~amd64~fi-FI~10.0.22000.184.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-NanoServer-Containers-Bridge-Package~31bf3856ad364e35~amd64~eu-ES~10.0.22000.41.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Biometrics-FaceRecognition-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package-Wrapper~31bf3856ad364e35~amd64~sr-Latn-RS~10.0.22000.184.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Optional-Features-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.37.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\INF\mf.inf	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationCore.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-taskbar-dll.resources_31bf3856ad364e35_10.0.22000.184_ar-sa_8b9cc67dbb80c384.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\SystemSettings.exe.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\INF\mdmarn.inf	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\SMDiagnostics.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-diag_31bf3856ad364e35_10.0.22000.71_none_95c097b2f915eab1.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-NanoServer-Containers-Bridge-merged-Package~31bf3856ad364e35~amd64~hu-HU~10.0.22000.184.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\Boot\EFI\sv-SE\bootmgr.efi.mui	Bridgesurrogate.exe
File opened for modification	C:\Windows\Cursors\help_r.cur	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja-JP\WorkflowServiceHostPerformanceCounters.dll.mui	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_zh-cn_17970edfa828c1ec.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~~10.0.22000.434.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~zh-TW~10.0.22000.282.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Hyper-V-WinPE-Drivers-Package~31bf3856ad364e35~amd64~lv-LV~10.0.22000.469.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\rescache\_merged\771651726\3578953693.pri	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~es-MX~10.0.22000.184.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~nb-NO~10.0.22000.469.mum	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Data.DataSetExtensions.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Configuration.xml	Bridgesurrogate.exe
File opened for modification	C:\Windows\schemas\EAPHost\baseeapconnectionpropertiesv1.xsd	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_sr-..-rs_931a79bdde7839d7.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_bg-bg_1f3acc0fdbecd99c.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-merged-Package~31bf3856ad364e35~amd64~fi-FI~10.0.22000.120.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\INF\netwew01.inf	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_fr-ca_570d54aa5f752ec7.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dictionaries-danish_31bf3856ad364e35_10.0.22000.348_none_857b15025745f7b9.manifest	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~ca-ES~10.0.22000.37.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Client-Manager-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.37.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Vpci-VirtualDevice-Gpup-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\DistributedLinkTracking.adml	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Hypervisor-API-Package~31bf3856ad364e35~amd64~~10.0.22000.71.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.22000.184.cat	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Configuration.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Xaml.Hosting.resources.dll	Bridgesurrogate.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~eu-es~1.0.mum	Bridgesurrogate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	test.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe
2852	Bridgesurrogate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	Bridgesurrogate.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2892	2292	test.exe	79
PID 2292 wrote to memory of 2892	2292	test.exe	79
PID 2292 wrote to memory of 2892	2292	test.exe	79
PID 2892 wrote to memory of 444	2892	WScript.exe	80
PID 2892 wrote to memory of 444	2892	WScript.exe	80
PID 2892 wrote to memory of 444	2892	WScript.exe	80
PID 444 wrote to memory of 2852	444	cmd.exe	82
PID 444 wrote to memory of 2852	444	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\FontreviewwincommonSvc\Bridgesurrogate.exe
      "C:\FontreviewwincommonSvc\Bridgesurrogate.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Drops autorun.inf file
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

Filesize
829KB

MD5
925278f34e704b81d9a837d26a72657b

SHA1
404bb676c8298adc01e660ba763fbf6ec08137e8

SHA256
2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d

SHA512
608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7

Download Submit
C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe

Filesize
204B

MD5
0eab06ef6873fb013c9f2babf77657cb

SHA1
d0a76df0228e4ce0d5d4a013f54610ebb39d3a90

SHA256
641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1

SHA512
b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe

Download Submit
C:\FontreviewwincommonSvc\Y0CpU.bat

Filesize
47B

MD5
7847aa1435648c93f0af222aa269b12b

SHA1
445fdd35740aada074adc4596e0cde2449865b60

SHA256
70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef

SHA512
3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d

Download Submit
memory/2852-12-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

Filesize
8KB

Download
memory/2852-13-0x00000000004D0000-0x00000000005A6000-memory.dmp

Filesize
856KB

Download
memory/2852-16-0x000000001B3B0000-0x000000001B3BD000-memory.dmp

Filesize
52KB

Download
memory/2852-15-0x000000001B230000-0x000000001B239000-memory.dmp

Filesize
36KB

Download
memory/2852-14-0x000000001C030000-0x000000001C076000-memory.dmp

Filesize
280KB

Download
memory/2852-19-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

Filesize
8KB

Download
memory/2852-18-0x000000001B3C0000-0x000000001B3CB000-memory.dmp

Filesize
44KB

Download
memory/2852-17-0x000000001C080000-0x000000001C09E000-memory.dmp

Filesize
120KB

Download