Overview

overview

10

Static

static

3

Medal.exe

windows10-ltsc 2021-x64

10

Medal.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Medal.exe

  • Size

    1.8MB

  • MD5

    4f66bbfed3a524398bd0267ed974ccbc

  • SHA1

    b2567397dc823412d87a23428c7833ff74586b7d

  • SHA256

    fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

  • SHA512

    bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

  • SSDEEP

    49152:q3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN:q3cvY0Z8pGWwfhyxOrUsN

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Medal.exe
    "C:\Users\Admin\AppData\Local\Temp\Medal.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DUaIzNqUdT.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4364
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2644
        • C:\Recovery\WindowsRE\Registry.exe
          "C:\Recovery\WindowsRE\Registry.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Google\Chrome\Application\winlogon.exe
      Filesize

      1.8MB

      MD5

      4f66bbfed3a524398bd0267ed974ccbc

      SHA1

      b2567397dc823412d87a23428c7833ff74586b7d

      SHA256

      fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

      SHA512

      bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DUaIzNqUdT.bat
      Filesize

      162B

      MD5

      397719dcf08f0d0b65b85227022d490d

      SHA1

      fced223601fcf5f39b6704bed988abb601b530a7

      SHA256

      4b2dc4d2591d68e00a85f87bf2f8740d73f7524f8ed2debc5b62ecf4793e3e38

      SHA512

      df4eee91d132ad07ee9a8cccc30d2012d12e14709317a0cf8909a18f2a14dc7bfec49a563edd255fc55c5737fcdafbea519dd3e1664f69cffe187423ab06bc32

      Download Submit

    • memory/3360-6-0x00000000023A0000-0x00000000023AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3360-15-0x00000000023F0000-0x00000000023FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3360-4-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-0-0x00007FFEBCFA3000-0x00007FFEBCFA5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3360-7-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-8-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-10-0x0000000002420000-0x000000000243C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3360-11-0x000000001AFC0000-0x000000001B010000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3360-13-0x000000001AF20000-0x000000001AF38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3360-3-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-18-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-16-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-23-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-2-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-30-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-31-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-32-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-1-0x0000000000110000-0x00000000002EE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/3360-39-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

      Filesize

      10.8MB

      Download