dcrat | fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe
Size

1.8MB
MD5

4f66bbfed3a524398bd0267ed974ccbc
SHA1

b2567397dc823412d87a23428c7833ff74586b7d
SHA256

fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512

bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
SSDEEP

49152:q3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN:q3cvY0Z8pGWwfhyxOrUsN

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	2152	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2152	schtasks.exe	81

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Medal.exe

Executes dropped EXE 1 IoCs

pid	Process
4644	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe	Medal.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\27d1bcfc3c54e0	Medal.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe	Medal.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\9e8d7a4ca61bd9	Medal.exe
File created	C:\Program Files (x86)\Windows Sidebar\SearchApp.exe	Medal.exe
File created	C:\Program Files (x86)\Windows Sidebar\38384e6a620884	Medal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	Medal.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4068	schtasks.exe
1684	schtasks.exe
2732	schtasks.exe
3808	schtasks.exe
1668	schtasks.exe
2884	schtasks.exe
2292	schtasks.exe
2168	schtasks.exe
1444	schtasks.exe
4752	schtasks.exe
2112	schtasks.exe
3928	schtasks.exe
1860	schtasks.exe
3380	schtasks.exe
2328	schtasks.exe
2336	schtasks.exe
2924	schtasks.exe
3860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe
4296	Medal.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4644	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	Medal.exe
Token: SeDebugPrivilege	4644	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 2980	4296	Medal.exe	100
PID 4296 wrote to memory of 2980	4296	Medal.exe	100
PID 2980 wrote to memory of 3064	2980	cmd.exe	102
PID 2980 wrote to memory of 3064	2980	cmd.exe	102
PID 2980 wrote to memory of 560	2980	cmd.exe	103
PID 2980 wrote to memory of 560	2980	cmd.exe	103
PID 2980 wrote to memory of 4644	2980	cmd.exe	107
PID 2980 wrote to memory of 4644	2980	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8iOwV1zjuT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3064
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:560
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe

Filesize
1.8MB

MD5
4f66bbfed3a524398bd0267ed974ccbc

SHA1
b2567397dc823412d87a23428c7833ff74586b7d

SHA256
fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

SHA512
bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8iOwV1zjuT.bat

Filesize
247B

MD5
36992da5e4aa84fe6e06c34f595696b4

SHA1
d8324a22e82933a315ac280e615bb3994dd33945

SHA256
2ab8e2f008d27c70d1ee5c6b81cd9f524a46ee724ab77790f87ff21fdc0542a4

SHA512
445ad21cfac9d8c77a022187d6720d9c9d2ce9863ba32664ae1dd68897588b98206db42703d4696e1a53b45c1df6857f340e5010569f873bbe9aa7bbc7fdc965

Download Submit
memory/4296-10-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/4296-15-0x0000000002970000-0x000000000297E000-memory.dmp

Filesize
56KB

Download
memory/4296-4-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-6-0x0000000002960000-0x000000000296E000-memory.dmp

Filesize
56KB

Download
memory/4296-7-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-8-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-0-0x00007FFEE45B3000-0x00007FFEE45B5000-memory.dmp

Filesize
8KB

Download
memory/4296-11-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/4296-13-0x000000001B3F0000-0x000000001B408000-memory.dmp

Filesize
96KB

Download
memory/4296-3-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-16-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-23-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-24-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-2-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-33-0x00007FFEE45B0000-0x00007FFEE5072000-memory.dmp

Filesize
10.8MB

Download
memory/4296-1-0x00000000006D0000-0x00000000008AE000-memory.dmp

Filesize
1.9MB

Download
memory/4644-40-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download