dcrat | c2fc34d4e0c21d93bb27de86004031c5d6a7aa359f3b9c511d6a771df9d8bec0

Analysis

max time kernel
42s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

2.1MB
MD5

46ee914172c6a86f6545e8afdcbddb60
SHA1

1e40ed9b6d1f8f24b9692c4b600a04a0fabac121
SHA256

c2fc34d4e0c21d93bb27de86004031c5d6a7aa359f3b9c511d6a771df9d8bec0
SHA512

55025faa2d309fc959d07573273559ea3007d8bcf4242417d81965678638ee27a3465be96ce21ee3398edc84dc2d385237a8a1845d037802ddab4be8421f28dd
SSDEEP

24576:lTbBv5rUfSyHO85Zn6VSnaS/6fRkJ9v82URnpQKm+9nHjLJAWCNGQj1EHzpp4o5R:PBZ076i7v8ZjQ6PJAWCNFp0zpphFaF4

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\Registry.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\Registry.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Bridgechainsurrogateagentbrowser\\surrogateWeb.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Users\\Public\\smss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\Registry.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\Registry.exe\", \"C:\\Users\\Default User\\csrss.exe\""	surrogateWeb.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1452	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1452	schtasks.exe	81

Executes dropped EXE 2 IoCs

pid	Process
2956	surrogateWeb.exe
252	surrogateWeb.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\surrogateWeb = "\"C:\\Bridgechainsurrogateagentbrowser\\surrogateWeb.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsass.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default User\\Registry.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default User\\Registry.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	surrogateWeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surrogateWeb = "\"C:\\Bridgechainsurrogateagentbrowser\\surrogateWeb.exe\""	surrogateWeb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC828C0E18BD5434C89F65C9BB251D6F2.TMP	csc.exe
File created	\??\c:\Windows\System32\08qcxp.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	surrogateWeb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	surrogateWeb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\SppExtComObj.exe	surrogateWeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4560	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	SolaraBootstrapper.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	surrogateWeb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4560	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1016	schtasks.exe
4984	schtasks.exe
4396	schtasks.exe
3320	schtasks.exe
3684	schtasks.exe
3096	schtasks.exe
3140	schtasks.exe
2944	schtasks.exe
1664	schtasks.exe
3848	schtasks.exe
4180	schtasks.exe
984	schtasks.exe
1564	schtasks.exe
2884	schtasks.exe
1324	schtasks.exe
2388	schtasks.exe
2228	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe
2956	surrogateWeb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	surrogateWeb.exe
Token: SeDebugPrivilege	252	surrogateWeb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1724	4456	SolaraBootstrapper.exe	77
PID 4456 wrote to memory of 1724	4456	SolaraBootstrapper.exe	77
PID 4456 wrote to memory of 1724	4456	SolaraBootstrapper.exe	77
PID 1724 wrote to memory of 3896	1724	WScript.exe	78
PID 1724 wrote to memory of 3896	1724	WScript.exe	78
PID 1724 wrote to memory of 3896	1724	WScript.exe	78
PID 3896 wrote to memory of 2956	3896	cmd.exe	80
PID 3896 wrote to memory of 2956	3896	cmd.exe	80
PID 2956 wrote to memory of 3856	2956	surrogateWeb.exe	85
PID 2956 wrote to memory of 3856	2956	surrogateWeb.exe	85
PID 3856 wrote to memory of 2308	3856	csc.exe	87
PID 3856 wrote to memory of 2308	3856	csc.exe	87
PID 2956 wrote to memory of 900	2956	surrogateWeb.exe	103
PID 2956 wrote to memory of 900	2956	surrogateWeb.exe	103
PID 900 wrote to memory of 2284	900	cmd.exe	105
PID 900 wrote to memory of 2284	900	cmd.exe	105
PID 900 wrote to memory of 4560	900	cmd.exe	106
PID 900 wrote to memory of 4560	900	cmd.exe	106
PID 900 wrote to memory of 252	900	cmd.exe	107
PID 900 wrote to memory of 252	900	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgechainsurrogateagentbrowser\R4bQkR26AwLGB.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Bridgechainsurrogateagentbrowser\2z7j8ywMSttrtokDo1GfN5BjEwI0VbLwwreu6qvZV73bjR7gSvf.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe
      "C:\Bridgechainsurrogateagentbrowser/surrogateWeb.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1utvkbc\d1utvkbc.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52F5.tmp" "c:\Windows\System32\CSC828C0E18BD5434C89F65C9BB251D6F2.TMP"
        6⤵
        
        PID:2308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kryif6aGvq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2284
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4560
      - C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe
        
        "C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateWebs" /sc MINUTE /mo 6 /tr "'C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateWeb" /sc ONLOGON /tr "'C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateWebs" /sc MINUTE /mo 14 /tr "'C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgechainsurrogateagentbrowser\2z7j8ywMSttrtokDo1GfN5BjEwI0VbLwwreu6qvZV73bjR7gSvf.bat

Filesize
92B

MD5
ad11ef1a91a55fc9a09e2840055b0258

SHA1
3f589bc2aae7340214c485d95d53707fb17b0ee1

SHA256
01aa37908591454f6b5e625aa85b11c6974c9b626a807b5891c122ac3457ad91

SHA512
e67730a318efb93b6f89aab6d3db48486837d3a94a8126f70de1431f34e0be9a931725f43de9afbaf85222f37ec306cdc2b00764f954155e034316fdf791f9c5

Download Submit
C:\Bridgechainsurrogateagentbrowser\R4bQkR26AwLGB.vbe

Filesize
262B

MD5
2bcf9ddfda6a272a00e0b9722d626289

SHA1
2ac291e1a6a29a8e5a44af1af399a4aa3614369a

SHA256
038b7a454b7ae1feb6ebae9c44e24ff85fb0c6aed3a9087e9c624a1dc90986f6

SHA512
7ad1af0b1bc0582859b86a9409baa0c31e60b2c94083dd44bf6f7fda92b5ff529b688fb1fa0e09e0e095b5352475ce533cdd32dfd578711587a4aade93fb6193

Download Submit
C:\Bridgechainsurrogateagentbrowser\surrogateWeb.exe

Filesize
1.8MB

MD5
3723476203e1b4cbe80798f841591b12

SHA1
2202dbf0c1b219d1dc628e28b358850d8653e921

SHA256
7084cb8a428b34e2dc5f6301fd0d76f87292376545f9976cf1da56f45170984b

SHA512
69a220f8d3e77c47625dd6de863cd6e27f4b0650c8e395d5cecbd067e67be441bdbda0419a70a107ed08afa553c31e91c4e80ae7b07a197fe06978c4565915b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\surrogateWeb.exe.log

Filesize
1KB

MD5
1126a1de0a15000f1687b171641ffea6

SHA1
dcc99b2446d05b8f0f970e3e9105198a20ca9e78

SHA256
b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7

SHA512
6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES52F5.tmp

Filesize
1KB

MD5
c5bbfa3e6526b1cd51757faec2831f29

SHA1
f68fc7fc08286c56db5053a12a77c9212abb521b

SHA256
b6b80da3944a423eb7e1b53198f39afa7874afa62c0e0f8a97ed01a3cd0dfdcc

SHA512
4dab815a35c513eca629d298d3de5f4222bb7ba26a895bb237dc557938f98a4ce7969f4ea0197258b723f4663877324f585a05fef03e375ed7ef0daaa1d79b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kryif6aGvq.bat

Filesize
180B

MD5
2a66d87ec81a9b27e7654e7002585ea5

SHA1
4a8381ea65587c3e7c13daa349c07693511a3cfe

SHA256
363c6f172206d1cadb28e4b66443e74b6771bf973d44c480e270c40dd8a505fc

SHA512
d4cbcf928b3ec5689f55f4c93a8129d43aa6ece54f953539336bc98ace2a8fd8abdd5b3f3bb5964a1d5f63a1a8637e7eff94436809747b0b482bdf88ddcaaaea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d1utvkbc\d1utvkbc.0.cs

Filesize
397B

MD5
2468ae30845e15d75ac6af958874a2ff

SHA1
c2b66e77c27fa3f005682e181f81a5a8c5a6f836

SHA256
969c7796ec28627c8be4ef927a76f503b31f5567e3f6a9cd708c4e0e1fb2da84

SHA512
0fcbd1a307c100511996a21fdc2b85db55e135502450b2935b660f4f95fcacdfe5758a22d48afdc8f92c8df345d95eb39d375d30a279523b10c0494bd45e37ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d1utvkbc\d1utvkbc.cmdline

Filesize
235B

MD5
d32a2d90fbf57ee4ac46942177095f84

SHA1
dd11a0ba037e8bfb766fc29f27af8b80d8f4ab76

SHA256
bc97372c5ff1eba4092bb418e796826fa694d564f6503d13b1b4de30d06f84e7

SHA512
2d820aec25a7928df34bb6a80e60e8674a0edef3056d5175d3c5440e7b4eb1dc42bed706cea824fd61b210d93a4b851395c4a83f6cfe30149495860dabf2534b

Download Submit
\??\c:\Windows\System32\CSC828C0E18BD5434C89F65C9BB251D6F2.TMP

Filesize
1KB

MD5
f6b0cf33d40800ff7679b60ed7444811

SHA1
42a5e5c721ca22c13948e6ff98922dab96f8a9ef

SHA256
3a62ebbf47ddd57e7f21d7c6396d2b1fde922394d2d3e76de4ecc9912aaf274c

SHA512
c79cec62649ce22cb8a38b2bdd515c1f4d9fba2f9db5d650a158b3cc0d03caa6e78df72aa767a45d6719d02ed5dfe400f8efca07a8138bd391df49f04f147f00

Download Submit
memory/2956-13-0x0000000000AF0000-0x0000000000CCA000-memory.dmp

Filesize
1.9MB

Download
memory/2956-22-0x0000000002DE0000-0x0000000002DEC000-memory.dmp

Filesize
48KB

Download
memory/2956-20-0x000000001C730000-0x000000001C748000-memory.dmp

Filesize
96KB

Download
memory/2956-18-0x000000001C780000-0x000000001C7D0000-memory.dmp

Filesize
320KB

Download
memory/2956-17-0x000000001C710000-0x000000001C72C000-memory.dmp

Filesize
112KB

Download
memory/2956-15-0x0000000002DC0000-0x0000000002DCE000-memory.dmp

Filesize
56KB

Download
memory/2956-12-0x00007FF8D8073000-0x00007FF8D8075000-memory.dmp

Filesize
8KB

Download