Overview

overview

10

Static

static

10

cf40b5e233...ef.exe

windows7-x64

10

cf40b5e233...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2025 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf40b5e2332d76b97a1a1a18f89b68ef.exe

  • Size

    769KB

  • MD5

    cf40b5e2332d76b97a1a1a18f89b68ef

  • SHA1

    2c352c7e4521570c3cd7c99a35b715feed866f03

  • SHA256

    e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

  • SHA512

    27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

  • SSDEEP

    12288:CvTnXW/cYwVIB/6f/iJJMA+opW3Ari4VVyZC0+1ctHNt8KF4AXDYZ6:CvTn2whf/MJMA+o3iE0n3a6

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs
    rat
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe
    "C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3i2qhqys\3i2qhqys.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDCA.tmp" "c:\Windows\System32\CSC920C30F96D5D4FAE83F09791FE4B3085.TMP"
        3⤵
          PID:2780
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dZ6xhJ027p.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2296
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2484
            • C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe
              "C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1448
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68ef" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68ef" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2488

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESCDCA.tmp
          Filesize

          1KB

          MD5

          eae05d999e19817f9e053d1f91ba4eee

          SHA1

          8423d708773ced1086422709d9799bf614df3dec

          SHA256

          d0ace223154e1389dd946ac207f16126b31a549c45069035b5469c830c09f1c5

          SHA512

          b0a647680c6de7d109ef9737b9adbaad1d11fbb823fd43a69e02615111a28de6ad5c348351fb81143653308fac622f959506e2d3ef56d5dc1e8fa867303a6dac

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dZ6xhJ027p.bat
          Filesize

          246B

          MD5

          8895fefecc27ef1919c98e4ee28a0e4b

          SHA1

          18466f023c474af995f154a952e2d8577aa028c8

          SHA256

          44a8274a4096afb228c2640a77b744ee8b487a58c355f8266dbadf9290a54e30

          SHA512

          9e8a458b9ed1d16c869cbd37e081e9df71276d3857b93fb4146fb872516576f9fd6ebd92db92fa62e53d16806367f2b0c8cc6c21c3e01dd7ffac1cfc00b965eb

          Download Submit

        • C:\Windows\SoftwareDistribution\DataStore\Logs\lsass.exe
          Filesize

          769KB

          MD5

          cf40b5e2332d76b97a1a1a18f89b68ef

          SHA1

          2c352c7e4521570c3cd7c99a35b715feed866f03

          SHA256

          e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

          SHA512

          27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\3i2qhqys\3i2qhqys.0.cs
          Filesize

          388B

          MD5

          2678aca62e5548e53e1697f5548292fd

          SHA1

          c5dbbe6f6f7b756f3015664dc7351bc35013b2c9

          SHA256

          347295ffa0c99ad9c524984b66b3751206aee917b45bbb8c17c2dd831f3f491a

          SHA512

          8ef4101fbe572f8f276bc90ea3db6d3f76083a7803b61f514d8d54c5524a5e4966769911d9a3373ec37eecf5dc52b08d17fff4c7123af3609208baecffa01310

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\3i2qhqys\3i2qhqys.cmdline
          Filesize

          235B

          MD5

          435a0b9f5639fabdfa3378399c7f4d8c

          SHA1

          a15c60db307719f8823179a5313aee95877622c3

          SHA256

          911ccf4f960afe3fe5d96d24ee9785293ecd5338c2c867e0494e9881f44e61c7

          SHA512

          c741065c695f78b0986213ef004dffc1b0a2d87f2dcb5939bfc2ec70ebb1719e10a3bd42b948b2ced3d0fa826ea96600e3c725f1bdbe572a1889de0237e8ead3

          Download Submit

        • \??\c:\Windows\System32\CSC920C30F96D5D4FAE83F09791FE4B3085.TMP
          Filesize

          1KB

          MD5

          8c85ef91c6071d33745325a8fa351c3e

          SHA1

          e3311ceef28823eec99699cc35be27c94eca52d2

          SHA256

          8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

          SHA512

          2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

          Download Submit

        • memory/1780-44-0x00000000009D0000-0x0000000000A96000-memory.dmp

          Filesize

          792KB

          Download

        • memory/3044-6-0x0000000000570000-0x000000000058C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3044-13-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-11-0x0000000000550000-0x000000000055C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3044-24-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-25-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-7-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-9-0x0000000000590000-0x00000000005A8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3044-0-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3044-4-0x0000000000540000-0x000000000054E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3044-2-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-43-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3044-1-0x0000000000260000-0x0000000000326000-memory.dmp

          Filesize

          792KB

          Download