dcrat | fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe
Size

1.8MB
MD5

4f66bbfed3a524398bd0267ed974ccbc
SHA1

b2567397dc823412d87a23428c7833ff74586b7d
SHA256

fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512

bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
SSDEEP

49152:q3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN:q3cvY0Z8pGWwfhyxOrUsN

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3760	schtasks.exe	83

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Medal.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	OfficeClickToRun.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	Medal.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe	Medal.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\SppExtComObj.exe	Medal.exe
File created	C:\Program Files\Uninstall Information\sysmon.exe	Medal.exe
File created	C:\Program Files\Uninstall Information\121e5b5079f7c0	Medal.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	Medal.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f	Medal.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\56085415360792	Medal.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\e1ef82546f0b02	Medal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Medal.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
448	schtasks.exe
2104	schtasks.exe
4996	schtasks.exe
3440	schtasks.exe
3272	schtasks.exe
4548	schtasks.exe
1968	schtasks.exe
3380	schtasks.exe
1772	schtasks.exe
4784	schtasks.exe
2412	schtasks.exe
3088	schtasks.exe
1176	schtasks.exe
2508	schtasks.exe
2000	schtasks.exe
1524	schtasks.exe
1880	schtasks.exe
4264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3996	Medal.exe
3028	OfficeClickToRun.exe
3028	OfficeClickToRun.exe
3028	OfficeClickToRun.exe
3028	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	Medal.exe
Token: SeDebugPrivilege	3028	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4300	3996	Medal.exe	102
PID 3996 wrote to memory of 4300	3996	Medal.exe	102
PID 4300 wrote to memory of 536	4300	cmd.exe	104
PID 4300 wrote to memory of 536	4300	cmd.exe	104
PID 4300 wrote to memory of 8	4300	cmd.exe	105
PID 4300 wrote to memory of 8	4300	cmd.exe	105
PID 4300 wrote to memory of 3028	4300	cmd.exe	107
PID 4300 wrote to memory of 3028	4300	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wgarHkTCwn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:536
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:8
- - C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\sysmon.exe

Filesize
1.8MB

MD5
4f66bbfed3a524398bd0267ed974ccbc

SHA1
b2567397dc823412d87a23428c7833ff74586b7d

SHA256
fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

SHA512
bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgarHkTCwn.bat

Filesize
199B

MD5
b6e1920f5f9c1ae365762e8bef9dafe8

SHA1
2e35eb99a556275881c77b4faf328e4090a78c59

SHA256
d208989201612d18393c60405b69dc05c6effa75010cb2b4460a814c69b21fd5

SHA512
e6183641342a0a953493d0c12bd028c06e7e57f45480c0c7c8fc933b214d095d46f4202f3522a4b36b67358c8b125bf04b77d41657df8a5d94357d0aa354d853

Download Submit
memory/3028-47-0x000000001D9C0000-0x000000001DAD5000-memory.dmp

Filesize
1.1MB

Download
memory/3996-15-0x0000000002C30000-0x0000000002C3E000-memory.dmp

Filesize
56KB

Download
memory/3996-16-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-6-0x0000000002BE0000-0x0000000002BEE000-memory.dmp

Filesize
56KB

Download
memory/3996-7-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-9-0x0000000002C70000-0x0000000002C8C000-memory.dmp

Filesize
112KB

Download
memory/3996-10-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/3996-12-0x0000000002C90000-0x0000000002CA8000-memory.dmp

Filesize
96KB

Download
memory/3996-0-0x00007FFD8F053000-0x00007FFD8F055000-memory.dmp

Filesize
8KB

Download
memory/3996-13-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-4-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-3-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-28-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-29-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-30-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-31-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-32-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-38-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-2-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp

Filesize
10.8MB

Download
memory/3996-1-0x0000000000940000-0x0000000000B1E000-memory.dmp

Filesize
1.9MB

Download