Overview

overview

10

Static

static

10

cf40b5e233...ef.exe

windows7-x64

10

cf40b5e233...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf40b5e2332d76b97a1a1a18f89b68ef.exe

  • Size

    769KB

  • MD5

    cf40b5e2332d76b97a1a1a18f89b68ef

  • SHA1

    2c352c7e4521570c3cd7c99a35b715feed866f03

  • SHA256

    e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

  • SHA512

    27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

  • SSDEEP

    12288:CvTnXW/cYwVIB/6f/iJJMA+opW3Ari4VVyZC0+1ctHNt8KF4AXDYZ6:CvTn2whf/MJMA+o3iE0n3a6

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe
    "C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\re5kryin\re5kryin.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD021.tmp" "c:\Windows\System32\CSCF701790E39C6404B9E3082BF613F6E8E.TMP"
        3⤵
          PID:3472
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6E3nLFscIq.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1936
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2004
            • C:\Recovery\WindowsRE\sppsvc.exe
              "C:\Recovery\WindowsRE\sppsvc.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4936
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\CHT\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\CHT\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68ef" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Download\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\it-IT\MusNotification.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\MusNotification.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\MusNotification.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68ef" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4556

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Adobe\winlogon.exe
          Filesize

          769KB

          MD5

          cf40b5e2332d76b97a1a1a18f89b68ef

          SHA1

          2c352c7e4521570c3cd7c99a35b715feed866f03

          SHA256

          e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

          SHA512

          27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6E3nLFscIq.bat
          Filesize

          208B

          MD5

          387b25cf7cfe8231ab4806fe8928b5c1

          SHA1

          78ef3b6361e912dee0e466c42563e06d55646ea1

          SHA256

          b46461fda3732908c94e01d21d6f6b546022c8d27f3bee5c9cd74aa875e8f55f

          SHA512

          634b41a33f4c5c9085619d55c9677487af636b26e52c766c597a44112b2738ed5fdc616fad8c19d8fa4d30c709033a4e136a5755bad8fcf3892b2f46cf7bc11f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESD021.tmp
          Filesize

          1KB

          MD5

          5f887ced70ba0357d0a5c5265c242fb4

          SHA1

          2fb72fae4950c4c762b2e3aaca5d5f707430879d

          SHA256

          54672b47e5a0dcc26bcdbcf15cbb90e5e4b5b823424ed682991a202cd9083423

          SHA512

          ce5a3d976c25c902b71cbc953a39a65ff79e4fb6bbe45a800cfc94c385cbcbd47f4b36c35444b59a34c92acb9323aae76cb551739d2050cb5e111e3f54954b5a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\re5kryin\re5kryin.0.cs
          Filesize

          373B

          MD5

          1c7cefe30e79920ae48af414a4808596

          SHA1

          0e7c33bb2c88cfd9ef5831bca07dbcc7c001085a

          SHA256

          e55e1740bd5c6f87be4242753ce789ec2f73b4423578c27251aceb9bfeac3541

          SHA512

          a7232b75ddd51226a7b45101f1a1092b6e6d9d3f6bcb1e268bf32483dec174fcf2f326710ca3b3e1b91b8f6ff99038bbcfe38507aae4c27a598e231e77f88954

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\re5kryin\re5kryin.cmdline
          Filesize

          235B

          MD5

          5f022b2bcfddeee4bada43fedd1baa44

          SHA1

          9b16870375119fe43ef491ccb5e4dec019f5a920

          SHA256

          8587d77eb9a41d0e4857b5233d8d1110be443d72e5579ae99261107d04a9be63

          SHA512

          161e928c6053ef501e0c4e5979379cadb69eda47538e0a4137d83c96f1a2af741f1cc3f99c8f78c44fc45038b49cfa44b7df2d40e23c224165ac4eb913a70e11

          Download Submit

        • \??\c:\Windows\System32\CSCF701790E39C6404B9E3082BF613F6E8E.TMP
          Filesize

          1KB

          MD5

          72f89171a1931b941e3fcc281bfc549e

          SHA1

          9648145810bb8b9ecef682a8215a08065723852e

          SHA256

          b1858806d65859b1f0607bdb45b33cbc0745c496a45414b6833c94a5a792a938

          SHA512

          04e9a596bc2354251ef44848eb1662658b053fd6065369c8ca46f6c597516738d57efafe9669fb9d20dbe4b957d6afa379fc48a06c252260419a82de72e4cf8a

          Download Submit

        • memory/676-6-0x0000000002AC0000-0x0000000002ADC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/676-2-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-12-0x0000000002950000-0x000000000295C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/676-19-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-7-0x0000000002B30000-0x0000000002B80000-memory.dmp

          Filesize

          320KB

          Download

        • memory/676-25-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-9-0x0000000002AE0000-0x0000000002AF8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/676-4-0x0000000002940000-0x000000000294E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/676-10-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-0-0x00007FFF95D33000-0x00007FFF95D35000-memory.dmp

          Filesize

          8KB

          Download

        • memory/676-38-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-44-0x000000001B470000-0x000000001B4DB000-memory.dmp

          Filesize

          428KB

          Download

        • memory/676-45-0x00007FFF95D30000-0x00007FFF967F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/676-1-0x0000000000720000-0x00000000007E6000-memory.dmp

          Filesize

          792KB

          Download

        • memory/1996-54-0x000000001BD20000-0x000000001BD8B000-memory.dmp

          Filesize

          428KB

          Download