Analysis

  • max time kernel: 119s
  • max time network: 152s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 07-12-2024 16:25

General

  • Target: Medal.exe
  • Size: 1.8MB
  • MD5: e27a4488cb35703f406fcf3a038a86c4
  • SHA1: 926513f3ccca7cc4a86f281670cc9be1fdd4c613
  • SHA256: 2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b
  • SHA512: 9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793
  • SSDEEP: 49152:nehuClT3DpSX+KfJunl9CJ0ouJfK2CKaKWdIuqK:nehTLFFKonPJapI

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions, which can cover file extensions, paths, and processes. In this run six -ExclusionPath calls exclude the sample itself and five paths that carry the names of Windows system binaries (sppsvc.exe, lsass.exe, WMIADAP.exe, winlogon.exe, wininit.exe) in directories where those binaries do not belong. The excluded C:\Program Files\MSBuild\sppsvc.exe is a byte-identical copy of the sample (same size and hashes), and the excluded lsass.exe under C:\Recovery is launched later from the dropped batch file.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials, cookies, and session tokens.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems. In this run the only ping is `ping -n 10 localhost` from the dropped batch file, which works as a delay of several seconds before the dropped lsass.exe is started rather than as a real connectivity check.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Medal.exe
    "C:\Users\Admin\AppData\Local\Temp\Medal.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etpwnbft\etpwnbft.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE051.tmp" "c:\Windows\System32\CSCDE526CCACF942898FF62D98F7D26AD.TMP"
        3⤵
          PID:2784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sppsvc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Medal.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y0lLT4Oj4a.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:236
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1152
          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
            "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
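
The process tree above shows three behaviours a detection engineer would want to catch from process-creation telemetry: Defender exclusions added with Add-MpPreference, system-binary names (lsass.exe, sppsvc.exe) started from directories where they do not belong, and a `ping -n N localhost` sleep inside a batch file before the dropped binary runs. The following is an added example, not part of the sandbox report or the malware: it runs that logic over process-creation records constructed here to mirror the tree (Sysmon Event ID 1 style fields; the parent PIDs 1000 and 400 and the benign lsass.exe control record are assumptions).

```python
"""Detection logic for the three behaviours in the process tree: Add-MpPreference
exclusions, system-binary names launched from the wrong directory, and a
'ping -n N localhost' sleep before a dropped binary is started. The records are
constructed to mirror the sandbox tree; they are not a real log export."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REC = r"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c"

# Constructed process-creation records (Sysmon Event ID 1 style fields).
EVENTS: List[Event] = [
    {"pid": 1920, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Medal.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Medal.exe"'},
    {"pid": 568, "ppid": 1920, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etpwnbft\etpwnbft.cmdline"'},
    {"pid": 2860, "ppid": 1920, "image": PS,
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sppsvc.exe'"},
    {"pid": 2780, "ppid": 1920, "image": PS,
     "cmdline": "powershell -Command Add-MpPreference -ExclusionPath '" + REC + r"\lsass.exe'"},
    {"pid": 2632, "ppid": 1920, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\Y0lLT4Oj4a.bat"'},
    {"pid": 236, "ppid": 2632, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 1152, "ppid": 2632, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2260, "ppid": 2632, "image": REC + r"\lsass.exe", "cmdline": '"' + REC + r'\lsass.exe"'},
    # Benign control (assumed): the real lsass.exe under System32 must not be flagged.
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe"},
]

SYSTEM_BINARIES = {"lsass.exe", "winlogon.exe", "wininit.exe", "sppsvc.exe", "wmiadap.exe",
                   "csrss.exe", "services.exe", "svchost.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"

EXCLUSION_RE = re.compile(
    r"add-mppreference\s+-exclusion(path|process|extension)\s+['\"]?([^'\"]+)", re.I)
PING_SLEEP_RE = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)


def is_masquerading_path(path: str) -> bool:
    """True when a Windows system-binary name sits outside System32/SysWOW64."""
    p = path.strip("\"' ").lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not p.startswith(LEGIT_DIRS)


def defender_exclusions(events: List[Event]) -> List[Tuple[int, str, str]]:
    """(pid, exclusion kind, value) for each Add-MpPreference -Exclusion* call."""
    hits = []
    for e in events:
        m = EXCLUSION_RE.search(str(e["cmdline"]))
        if m:
            hits.append((int(e["pid"]), m.group(1).lower(), m.group(2).strip()))
    return hits


def masquerading_processes(events: List[Event]) -> List[Tuple[int, str]]:
    """Processes whose image is a system-binary name started from the wrong directory."""
    return [(int(e["pid"]), str(e["image"])) for e in events
            if is_masquerading_path(str(e["image"]))]


def excluded_masquerade_paths(events: List[Event]) -> List[str]:
    """Exclusion paths that themselves point at masquerading binaries, i.e. the
    exclusion is being added for the malware's own dropped copy."""
    return [v for _, kind, v in defender_exclusions(events)
            if kind == "path" and is_masquerading_path(v)]


def ping_delayed_launches(events: List[Event]) -> List[Tuple[int, int, str]]:
    """(parent pid, ping count, launched image) where one parent (here the cmd.exe
    running the .bat) both runs 'ping -n N localhost', a sleep of roughly N-1 s
    at ping's default 1 s interval, and starts a binary from outside C:\\Windows."""
    by_parent: Dict[int, List[Event]] = {}
    for e in events:
        by_parent.setdefault(int(e["ppid"]), []).append(e)
    hits = []
    for ppid, children in by_parent.items():
        pings = [m for m in (PING_SLEEP_RE.search(str(c["cmdline"])) for c in children) if m]
        if not pings:
            continue
        count = int(pings[0].group(1))
        for c in children:
            if not str(c["image"]).lower().startswith(WINDOWS_DIR):
                hits.append((ppid, count, str(c["image"])))
    return hits


if __name__ == "__main__":
    for fn in (defender_exclusions, masquerading_processes,
               excluded_masquerade_paths, ping_delayed_launches):
        print(fn.__name__)
        for hit in fn(EVENTS):
            print("   ", hit)
```

The exclusion check keys on the command line rather than on the PowerShell image, so it also fires when the cmdlet is run through pwsh.exe or an encoded command that has already been decoded; the masquerade check deliberately ignores C:\Windows itself, because the dropped lsass.exe here sits under C:\Recovery, not under the Windows directory.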

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\MSBuild\sppsvc.exe (byte-identical to the submitted Medal.exe: same size and hashes)
    Filesize: 1.8MB
    MD5:      e27a4488cb35703f406fcf3a038a86c4
    SHA1:     926513f3ccca7cc4a86f281670cc9be1fdd4c613
    SHA256:   2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b
    SHA512:   9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793

  • C:\Users\Admin\AppData\Local\Temp\RESE051.tmp
    Filesize: 1KB
    MD5:      dfb34e1f4424f0374a694f7d75b3d01e
    SHA1:     fb9bce38ac37badc65dc4dfdc9a0e8a4cabf75d1
    SHA256:   ca9d0adee654caeb165ae3b0360f428aba4158424e69fda66a1c624ba1d70fde
    SHA512:   642b5276d53444c27d96459ab2ae2d0aa5e4f1ee2f7e192cda0dc04c288755032a9b6df9a388682b4c9a1c51ea7e04edd004df8a37928639d21b1ac9845da34a

  • C:\Users\Admin\AppData\Local\Temp\Y0lLT4Oj4a.bat
    Filesize: 186B
    MD5:      787f606d6571181a666616d429c8b9d9
    SHA1:     a8e78736a565263f5e729c9dc9c1f6c0d350a510
    SHA256:   b5ebbf4d2a09afabf770c9d35b4ba4580956e8d506c3d6740d446f3b33b9c8e9
    SHA512:   47f7bf17a61500617f7813ba0f404f1a779d6a79479879ce9e8711600245e21b153e77f0590d273285616b1540bafc99a83d7be3c89facfe5f98c6b0a9cf9706

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5:      c062c889bc298a7070cb3360b395d257
    SHA1:     932f9a98043fa710c19e00073e69e6c5ec5f732d
    SHA256:   7deef762a1f3985055574f587eff8aedcbb25a20ff969bf67133e440534e254a
    SHA512:   f0a71f1e7d1917587b4178ef0824187c667509e78572ff3b8b0f620a71be25b933fb1edf4f9ae080ffe70d02c734d2219eef489e66ffd01f2bc108d1cf819108

  • \??\c:\Users\Admin\AppData\Local\Temp\etpwnbft\etpwnbft.0.cs
    Filesize: 367B
    MD5:      241bd9e341318017aa57903f760dff31
    SHA1:     fc01027739e323c5cff4cb35c566072bdcaeb20b
    SHA256:   79a98c1dca9f3a8c841745fb2449ebc4e863c99d6ad47fb6add9b2fe573db741
    SHA512:   be9a127939edfcfc73b51906ffc3904b2643f5d9dae17a8330ef53826073b3179768abdbe61153b706d97a6cef7d6f71da5a7d7f5eccb0a075dee9175666a530

  • \??\c:\Users\Admin\AppData\Local\Temp\etpwnbft\etpwnbft.cmdline
    Filesize: 235B
    MD5:      d8a1ed49ee54cc0749a772aeb4710f60
    SHA1:     d7149ee1c6ac06923a2608c2ad55c6139d8c5f2b
    SHA256:   61d5997c43d06333a781e6e8b8314d907439c6cc6844700e1560574a8fd21ce7
    SHA512:   230cc7083f831a40dbc0df4dd3b585364221178ab7ae0f45438253363b0358cf9a421315c666eefeab65ee8cf1b46c2ca43997abe6b1bfbc33c4774a8d20d8d1

  • \??\c:\Windows\System32\CSCDE526CCACF942898FF62D98F7D26AD.TMP
    Filesize: 1KB
    MD5:      02b6f6024c0f35b2dfb735e30d40ea59
    SHA1:     9e28d1d16523aab5845e09fdecf27759375f9b5a
    SHA256:   17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa
    SHA512:   a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

  • memory/1920-8-0x0000000000650000-0x000000000066C000-memory.dmp (112KB)
  • memory/1920-4-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-14-0x0000000000610000-0x000000000061C000-memory.dmp (48KB)
  • memory/1920-16-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-12-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-11-0x0000000000670000-0x0000000000688000-memory.dmp (96KB)
  • memory/1920-9-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp (4KB)
  • memory/1920-6-0x0000000000600000-0x000000000060E000-memory.dmp (56KB)
  • memory/1920-15-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-3-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/1920-1-0x0000000001070000-0x000000000124A000-memory.dmp (1.9MB)
  • memory/1920-55-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp (9.9MB)
  • memory/2260-79-0x0000000001000000-0x00000000011DA000-memory.dmp (1.9MB)
  • memory/2780-54-0x0000000001F40000-0x0000000001F48000-memory.dmp (32KB)
  • memory/2780-53-0x000000001B7F0000-0x000000001BAD2000-memory.dmp (2.9MB)
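
Turning the dropped-file list into indicators is the usual next step after reading a report like this one. The following is an added example, not part of the sandbox report: it parses the raw one-label-per-line export layout of the Downloads list into records, validates each hash field (length and hex, to catch copy errors before they reach a blocklist), de-duplicates the SHA256 values, and correlates them with the submitted sample so that a dropped copy is recognised as such. The embedded excerpt is copied from this report's Downloads section (SHA512 lines and the .TMP/.cs entries are left out of the excerpt); the sample hashes come from the General section.

```python
"""Parse the sandbox dropped-file list (raw 'label / value' export layout),
validate hash fields, and correlate dropped files with the submitted sample.
Added example; the excerpt below is copied from the report's Downloads section."""
import re
from typing import Dict, List

REPORT_EXCERPT = r"""
• C:\Program Files\MSBuild\sppsvc.exe
  Filesize
  1.8MB
  MD5
  e27a4488cb35703f406fcf3a038a86c4
  SHA1
  926513f3ccca7cc4a86f281670cc9be1fdd4c613
  SHA256
  2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b
• C:\Users\Admin\AppData\Local\Temp\Y0lLT4Oj4a.bat
  Filesize
  186B
  MD5
  787f606d6571181a666616d429c8b9d9
  SHA1
  a8e78736a565263f5e729c9dc9c1f6c0d350a510
  SHA256
  b5ebbf4d2a09afabf770c9d35b4ba4580956e8d506c3d6740d446f3b33b9c8e9
• memory/2260-79-0x0000000001000000-0x00000000011DA000-memory.dmp
  Filesize
  1.9MB
"""

# Hashes of the submitted Medal.exe, from the report's General section.
SAMPLE = {"md5": "e27a4488cb35703f406fcf3a038a86c4",
          "sha1": "926513f3ccca7cc4a86f281670cc9be1fdd4c613",
          "sha256": "2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b"}

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
LABELS = set(HASH_LEN) | {"filesize"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """One dict per bullet; the line following a label line is that label's value."""
    records: List[Dict[str, str]] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            pending = None
        elif line.lower() in LABELS:
            pending = line.lower()
        elif records and pending:
            records[-1][pending] = line if pending == "filesize" else line.lower()
            pending = None
    return records


def validate(record: Dict[str, str]) -> List[str]:
    """Names of hash fields that are the wrong length or not hex."""
    bad = []
    for algo, length in HASH_LEN.items():
        value = record.get(algo)
        if value is not None and (len(value) != length or not HEX_RE.match(value)):
            bad.append(algo)
    return bad


def self_copies(records: List[Dict[str, str]], sample: Dict[str, str] = SAMPLE) -> List[str]:
    """Dropped files byte-identical to the submitted sample (MD5 and SHA256 both
    match), so one hash IOC covers the original and the copy."""
    return [r["path"] for r in records
            if r.get("sha256") == sample["sha256"] and r.get("md5") == sample["md5"]]


def sha256_iocs(records: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated SHA256 list; memory dumps carry no hashes and drop out."""
    return sorted({r["sha256"] for r in records if "sha256" in r})


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    for r in recs:
        print(r["path"], "problems:", validate(r) or "none")
    print("self-copies:", self_copies(recs))
    print("sha256 IOCs:", sha256_iocs(recs))
```

Requiring both MD5 and SHA256 to match before calling a file a self-copy is deliberate: a list assembled by hand from several reports can carry a mistyped hash, and a single-field match would hide that.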