dcrat | 67a88132279e0e1d1febaa02fca35e77766d0adf1fefacda3c922174428a2f70

Analysis

max time kernel
118s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iagj6m.exe
Size

2.1MB
MD5

468eaabf32f5b160b19b6ccbd88fadae
SHA1

d8a2f93188429d790bd43f6dee836c96c287a57e
SHA256

67a88132279e0e1d1febaa02fca35e77766d0adf1fefacda3c922174428a2f70
SHA512

a7db93826a7193e7f4c890c180cb7a1cf71d12884b992cf29aa90faf3351c97f54797f5ecb52a91639219d707f8619c1d0ab04e663499ee6c4b281b2dd3780b6
SSDEEP

49152:IBJoehuClT3DpSX+KfJunl9CJ0ouJfK2CKaKWdIuqKs:yyehTLFFKonPJapIF

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
2676	powershell.exe
2040	powershell.exe
2364	powershell.exe
1576	powershell.exe
2644	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	Medal.exe
2328	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	cmd.exe
2136	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2F36EE035D0444079BF8E2C40809628.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\de-DE\cc11b995f2a76d	Medal.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	Medal.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	Medal.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\System.exe	Medal.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\System.exe	Medal.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\27d1bcfc3c54e0	Medal.exe
File created	C:\Program Files\Windows Mail\de-DE\winlogon.exe	Medal.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\services.exe	Medal.exe
File created	C:\Windows\de-DE\c5b4cb5e9653cc	Medal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iagj6m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2812	Medal.exe
2644	powershell.exe
1576	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	Medal.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2328	winlogon.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2396	2588	iagj6m.exe	30
PID 2588 wrote to memory of 2396	2588	iagj6m.exe	30
PID 2588 wrote to memory of 2396	2588	iagj6m.exe	30
PID 2588 wrote to memory of 2396	2588	iagj6m.exe	30
PID 2396 wrote to memory of 2136	2396	WScript.exe	31
PID 2396 wrote to memory of 2136	2396	WScript.exe	31
PID 2396 wrote to memory of 2136	2396	WScript.exe	31
PID 2396 wrote to memory of 2136	2396	WScript.exe	31
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2812 wrote to memory of 2036	2812	Medal.exe	34
PID 2812 wrote to memory of 2036	2812	Medal.exe	34
PID 2812 wrote to memory of 2036	2812	Medal.exe	34
PID 2036 wrote to memory of 476	2036	csc.exe	36
PID 2036 wrote to memory of 476	2036	csc.exe	36
PID 2036 wrote to memory of 476	2036	csc.exe	36
PID 2812 wrote to memory of 2644	2812	Medal.exe	37
PID 2812 wrote to memory of 2644	2812	Medal.exe	37
PID 2812 wrote to memory of 2644	2812	Medal.exe	37
PID 2812 wrote to memory of 2676	2812	Medal.exe	38
PID 2812 wrote to memory of 2676	2812	Medal.exe	38
PID 2812 wrote to memory of 2676	2812	Medal.exe	38
PID 2812 wrote to memory of 2688	2812	Medal.exe	39
PID 2812 wrote to memory of 2688	2812	Medal.exe	39
PID 2812 wrote to memory of 2688	2812	Medal.exe	39
PID 2812 wrote to memory of 2040	2812	Medal.exe	41
PID 2812 wrote to memory of 2040	2812	Medal.exe	41
PID 2812 wrote to memory of 2040	2812	Medal.exe	41
PID 2812 wrote to memory of 2364	2812	Medal.exe	42
PID 2812 wrote to memory of 2364	2812	Medal.exe	42
PID 2812 wrote to memory of 2364	2812	Medal.exe	42
PID 2812 wrote to memory of 1576	2812	Medal.exe	43
PID 2812 wrote to memory of 1576	2812	Medal.exe	43
PID 2812 wrote to memory of 1576	2812	Medal.exe	43
PID 2812 wrote to memory of 1276	2812	Medal.exe	49
PID 2812 wrote to memory of 1276	2812	Medal.exe	49
PID 2812 wrote to memory of 1276	2812	Medal.exe	49
PID 1276 wrote to memory of 1260	1276	cmd.exe	51
PID 1276 wrote to memory of 1260	1276	cmd.exe	51
PID 1276 wrote to memory of 1260	1276	cmd.exe	51
PID 1276 wrote to memory of 2116	1276	cmd.exe	52
PID 1276 wrote to memory of 2116	1276	cmd.exe	52
PID 1276 wrote to memory of 2116	1276	cmd.exe	52
PID 1276 wrote to memory of 2328	1276	cmd.exe	53
PID 1276 wrote to memory of 2328	1276	cmd.exe	53
PID 1276 wrote to memory of 2328	1276	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\iagj6m.exe
"C:\Users\Admin\AppData\Local\Temp\iagj6m.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Medal\VILORd6SoVoEmyMpC3WEu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Medal\xWGevBghcv54H0hXBv7583OlcwEyHK.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Medal\Medal.exe
      "C:\Medal/Medal.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45wiec3t\45wiec3t.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB29D.tmp" "c:\Windows\System32\CSC2F36EE035D0444079BF8E2C40809628.TMP"
        6⤵
        
        PID:476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WcSxuqw38S.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1260
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2116
      - C:\Program Files\Windows Mail\de-DE\winlogon.exe
        
        "C:\Program Files\Windows Mail\de-DE\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\VILORd6SoVoEmyMpC3WEu.vbe

Filesize
213B

MD5
7469cc785296b1098b2d6816c0140169

SHA1
081467bcc09dc566bdff78cd199e35a13fd188fe

SHA256
52a3703c926b912943a2a5e9e66ffb080d985237c92fd8b0beea41f37c028e1f

SHA512
ac69e60cef79a1699d28bd7b29fda647d2a285ff06bcb5be7be339311707872eff4e3b897f7da719fb7174efa7b72e764df6e9a7ce61afab4893cfc76655428d

Download Submit
C:\Medal\xWGevBghcv54H0hXBv7583OlcwEyHK.bat

Filesize
65B

MD5
f6c7cc62995e59628450f6b7e52837a3

SHA1
613a43f04cbd78f1d64343d66d9c41c2cd5d9f1d

SHA256
e5425359b32df369118a828185f523bdb19aee3039bdfab47d576e9b0903c3c3

SHA512
5b07a22c6afc546b15b573100538c3fc4a4b748860a5e3e37b02e93d75ed5c1a6d2cfc275e144b22d4327505719ff4c6aa65abb483472d352fc99694eaa0a89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB29D.tmp

Filesize
1KB

MD5
a369eb732be657a3422f860583453aed

SHA1
96ea6252e925b9cc9b109d685cfce1adb7e6eac1

SHA256
2e85f65e2854947b87fcc3e6136fc01c2bfa66d9a4a7038e83d6f5ca5ffcbea5

SHA512
b8bd4b26447faec0a370aa358888252b104655306069a27e6b50df91c605c29d04f79ea63e94945acf11b1b3ae384f076c5d282036383e8db2ef722a52fe3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcSxuqw38S.bat

Filesize
224B

MD5
ba478e7180c68ec2fcb03435f90f40fd

SHA1
6f21e4d2389bb57b099c2075c23c70090024a62d

SHA256
b29471878b90fbaf4bef3a1f064b9285d753f89557c852c0af8613f6803e6eed

SHA512
86da2c5a9b2c999673fad9520bca27d617278fae502a9e59bf1fc8b455f6a2a43eacfc338a275722d8040baacf6d8e844dd47084050d3d0863d4c8264a2f4aeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e473641482724d02f8ace6c447d340c9

SHA1
934ffbdd631427dd801a7d416274b59adb0f24f9

SHA256
f80f373e663d11b969456ed21b02226d8e806a42ab9b93bd5bf93a999d03d47a

SHA512
4021443728e7dc6c151ec7f2d77c68247651894ce3343612b483190bbe2f33ae5ec2900c6d1946de35cc4e89aee93ea49488bba9be23377faed51d166e795698

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45wiec3t\45wiec3t.0.cs

Filesize
383B

MD5
84505ae478d5873766aca94134519e5b

SHA1
cca1e5dbebeb5f1d6c24e9ddb834404878d9bd21

SHA256
be079ea3d1717d68fa6f720839fde0587c9420c46cbade1d3b91fb8cba6d9a1a

SHA512
2d8ba2ded31d1987c2ba40c7fde410915ee908a6a813ad823695d1e6fa6a0fad988e6b071967debe2fc00590295d03cf9ec1ec2561fd294dcfa02519baba00d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45wiec3t\45wiec3t.cmdline

Filesize
235B

MD5
4fae9c95a9cd71354dcfc30a2fe45d5c

SHA1
ad9a8904fb0e879d89c6c45827fe160779fde343

SHA256
d889520e05011d0cd8b4cfa68487db787eecf143794d2033cff238f1bb993b3d

SHA512
a9f5a4f13f6beb749ad95aa591f6183c958f1e05b1216742fd5eba7262d728496bcb8f845fc2cb8f8bb73cd551da69e47bfba26b786ea6b17ed4edbabb325d8a

Download Submit
\??\c:\Windows\System32\CSC2F36EE035D0444079BF8E2C40809628.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Medal\Medal.exe

Filesize
1.8MB

MD5
e27a4488cb35703f406fcf3a038a86c4

SHA1
926513f3ccca7cc4a86f281670cc9be1fdd4c613

SHA256
2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b

SHA512
9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793

Download Submit
memory/2328-81-0x0000000001160000-0x000000000133A000-memory.dmp

Filesize
1.9MB

Download
memory/2644-57-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2644-61-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2812-21-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2812-19-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2812-17-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2812-15-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2812-13-0x0000000000F40000-0x000000000111A000-memory.dmp

Filesize
1.9MB

Download