dcrat | fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

Analysis

max time kernel
120s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe
Size

1.8MB
MD5

4f66bbfed3a524398bd0267ed974ccbc
SHA1

b2567397dc823412d87a23428c7833ff74586b7d
SHA256

fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512

bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
SSDEEP

49152:q3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN:q3cvY0Z8pGWwfhyxOrUsN

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2748	schtasks.exe	30

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\wininit.exe	Medal.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\56085415360792	Medal.exe
File created	C:\Program Files\Windows NT\TableTextService\spoolsv.exe	Medal.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\spoolsv.exe	Medal.exe
File created	C:\Program Files\Windows NT\TableTextService\f3b6ecef712a24	Medal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2988	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2988	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
2652	schtasks.exe
1136	schtasks.exe
2024	schtasks.exe
2016	schtasks.exe
2628	schtasks.exe
2296	schtasks.exe
2436	schtasks.exe
2668	schtasks.exe
2712	schtasks.exe
484	schtasks.exe
2916	schtasks.exe
2288	schtasks.exe
688	schtasks.exe
2940	schtasks.exe
2920	schtasks.exe
356	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe
1620	Medal.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	Medal.exe
Token: SeDebugPrivilege	600	Medal.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1960	1620	Medal.exe	50
PID 1620 wrote to memory of 1960	1620	Medal.exe	50
PID 1620 wrote to memory of 1960	1620	Medal.exe	50
PID 1960 wrote to memory of 2872	1960	cmd.exe	52
PID 1960 wrote to memory of 2872	1960	cmd.exe	52
PID 1960 wrote to memory of 2872	1960	cmd.exe	52
PID 1960 wrote to memory of 2988	1960	cmd.exe	53
PID 1960 wrote to memory of 2988	1960	cmd.exe	53
PID 1960 wrote to memory of 2988	1960	cmd.exe	53
PID 1960 wrote to memory of 600	1960	cmd.exe	54
PID 1960 wrote to memory of 600	1960	cmd.exe	54
PID 1960 wrote to memory of 600	1960	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uECK7tFzcH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2872
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\Medal.exe
    "C:\Users\Admin\AppData\Local\Temp\Medal.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uECK7tFzcH.bat

Filesize
171B

MD5
03843fa2ad66a304f3babbbbb81d5891

SHA1
64892d2a7ebe5ad906a4932d07f9c938f96bd45f

SHA256
41658dc557aaec6e415c531496c121fe11c4fc52a2e5d16a868d6b6ccf288d9e

SHA512
37e98ef821a9184400eaa7b57dfd5235ea63d92e5ab26947782781f400cc88484e8f66163ce57bf7fddb7539d810150913862b45d339cc17836ccbf9eb53ccd9

Download Submit
C:\Users\Public\services.exe

Filesize
1.8MB

MD5
4f66bbfed3a524398bd0267ed974ccbc

SHA1
b2567397dc823412d87a23428c7833ff74586b7d

SHA256
fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

SHA512
bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

Download Submit
memory/600-35-0x0000000000C30000-0x0000000000E0E000-memory.dmp

Filesize
1.9MB

Download
memory/1620-10-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1620-14-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1620-5-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-8-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-7-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1620-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/1620-12-0x0000000002000000-0x0000000002018000-memory.dmp

Filesize
96KB

Download
memory/1620-4-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-3-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-26-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-27-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-28-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-34-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-1-0x00000000001A0000-0x000000000037E000-memory.dmp

Filesize
1.9MB

Download