Overview

overview

10

Static

static

10

cf40b5e233...ef.exe

windows7-x64

10

cf40b5e233...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 15:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf40b5e2332d76b97a1a1a18f89b68ef.exe

  • Size

    769KB

  • MD5

    cf40b5e2332d76b97a1a1a18f89b68ef

  • SHA1

    2c352c7e4521570c3cd7c99a35b715feed866f03

  • SHA256

    e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

  • SHA512

    27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

  • SSDEEP

    12288:CvTnXW/cYwVIB/6f/iJJMA+opW3Ari4VVyZC0+1ctHNt8KF4AXDYZ6:CvTn2whf/MJMA+o3iE0n3a6

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe
    "C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdn4trhf\vdn4trhf.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93C4.tmp" "c:\Windows\System32\CSC140186C38B3B4621B3BCA69C57DB79C4.TMP"
        3⤵
          PID:1132
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vi2IVPBbsr.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:3128
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:3200
            • C:\Program Files\Windows Security\BrowserCore\en-US\SearchApp.exe
              "C:\Program Files\Windows Security\BrowserCore\en-US\SearchApp.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\security\templates\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1484
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppReadiness\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68ef" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cf40b5e2332d76b97a1a1a18f89b68efc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\cf40b5e2332d76b97a1a1a18f89b68ef.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2664

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recovery\WindowsRE\taskhostw.exe
          Filesize

          769KB

          MD5

          cf40b5e2332d76b97a1a1a18f89b68ef

          SHA1

          2c352c7e4521570c3cd7c99a35b715feed866f03

          SHA256

          e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

          SHA512

          27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES93C4.tmp
          Filesize

          1KB

          MD5

          7caabfa754042fe7bee2eb20a2a3ac72

          SHA1

          b830d2d3304c073e295d0a421bff540fb7d133bf

          SHA256

          ce063bc3a9dce417f67615ce1e1bc3de89a938b6c9af2040c7c5c754e987b8c5

          SHA512

          9f3a481b55c3c2b5e1dfba6d40dbd3a0f002597896ce0553fe7e7a34180d4f472aaa6488f1653bb1e5ba862840f1fb890b507fb58e5fd9eb610572041928bc67

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vi2IVPBbsr.bat
          Filesize

          241B

          MD5

          56ec850faebe60ba1d61da2fa82c7c8f

          SHA1

          a32d6a43462bb6552af0867859bd914fdb1b5b3e

          SHA256

          dfc49a67b608589551a68e3e666c213243818919b20fa4df100f016dcf9e9934

          SHA512

          9dc02c310e3a3a82d424c8717f10d47cc6df90127540c82c37b5f84de14540240156e1f2accdaab7e1f52a2b46676bc20d71e9870800a0ee5f85ab659421de05

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\vdn4trhf\vdn4trhf.0.cs
          Filesize

          367B

          MD5

          a1b17192d2a3add0d1751c1149265fa6

          SHA1

          eee00ba83bcf1cb28675ba876da14d421349652d

          SHA256

          546ce4ff6e832bd82c5920733c5bd2d9bb224283c8a12925e294d50debf71d06

          SHA512

          5ea91f3b77af82dceb44dd4d1b737cb438079f96c89ba943cd7219d30a34a4cea40e3d8b60ee0ba0fca64fae78f4b27b514e8eae0e9e83fd4b1136b0d567309b

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\vdn4trhf\vdn4trhf.cmdline
          Filesize

          235B

          MD5

          4b9e9062aeda61263d27f6f316327795

          SHA1

          0db2ef4ccd9aa4444daf9a483cb0416fcb967d1f

          SHA256

          2cf9378fe8e49846752af83e3fc72075d0509b9bc83c97de1f377145e910e11f

          SHA512

          2c27a0f641fd63fed0a0120b59b04e26d7d6bacf9e8acfc8dd601fa0c7dfe5580fa43888ae81208a91d477e2338343525d16a3bbf49f625eb0d449c949d65e79

          Download Submit

        • \??\c:\Windows\System32\CSC140186C38B3B4621B3BCA69C57DB79C4.TMP
          Filesize

          1KB

          MD5

          5984679060d0fc54eba47cead995f65a

          SHA1

          f72bbbba060ac80ac6abedc7b8679e8963f63ebf

          SHA256

          4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

          SHA512

          bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

          Download Submit

        • memory/3124-26-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3124-4-0x0000000000E10000-0x0000000000E1E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3124-12-0x0000000000E20000-0x0000000000E2C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3124-13-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3124-7-0x0000000000E40000-0x0000000000E5C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3124-25-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3124-10-0x0000000000E60000-0x0000000000E78000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3124-5-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3124-8-0x00000000027A0000-0x00000000027F0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3124-0-0x00007FF81A2E3000-0x00007FF81A2E5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3124-2-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3124-44-0x00000000027F0000-0x000000000283E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3124-1-0x0000000000590000-0x0000000000656000-memory.dmp

          Filesize

          792KB

          Download

        • memory/3124-46-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4000-54-0x000000001BE60000-0x000000001BEAE000-memory.dmp

          Filesize

          312KB

          Download