dcrat | 2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe
Size

1.8MB
MD5

e27a4488cb35703f406fcf3a038a86c4
SHA1

926513f3ccca7cc4a86f281670cc9be1fdd4c613
SHA256

2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b
SHA512

9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793
SSDEEP

49152:nehuClT3DpSX+KfJunl9CJ0ouJfK2CKaKWdIuqK:nehTLFFKonPJapI

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe
2680	powershell.exe
2636	powershell.exe
2624	powershell.exe
2600	powershell.exe
2588	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	sppsvc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\et-EE\csrss.exe	Medal.exe
File created	C:\Windows\System32\et-EE\886983d96e3d3e	Medal.exe
File created	\??\c:\Windows\System32\CSCB8653C586EC4CC78DE635EB43785FCF.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\explorer.exe	Medal.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\7a0fd90576e088	Medal.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1940	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe
2668	Medal.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	Medal.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1940	sppsvc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2832	2668	Medal.exe	30
PID 2668 wrote to memory of 2832	2668	Medal.exe	30
PID 2668 wrote to memory of 2832	2668	Medal.exe	30
PID 2832 wrote to memory of 2672	2832	csc.exe	32
PID 2832 wrote to memory of 2672	2832	csc.exe	32
PID 2832 wrote to memory of 2672	2832	csc.exe	32
PID 2668 wrote to memory of 2588	2668	Medal.exe	33
PID 2668 wrote to memory of 2588	2668	Medal.exe	33
PID 2668 wrote to memory of 2588	2668	Medal.exe	33
PID 2668 wrote to memory of 2600	2668	Medal.exe	34
PID 2668 wrote to memory of 2600	2668	Medal.exe	34
PID 2668 wrote to memory of 2600	2668	Medal.exe	34
PID 2668 wrote to memory of 2624	2668	Medal.exe	35
PID 2668 wrote to memory of 2624	2668	Medal.exe	35
PID 2668 wrote to memory of 2624	2668	Medal.exe	35
PID 2668 wrote to memory of 2636	2668	Medal.exe	36
PID 2668 wrote to memory of 2636	2668	Medal.exe	36
PID 2668 wrote to memory of 2636	2668	Medal.exe	36
PID 2668 wrote to memory of 2680	2668	Medal.exe	37
PID 2668 wrote to memory of 2680	2668	Medal.exe	37
PID 2668 wrote to memory of 2680	2668	Medal.exe	37
PID 2668 wrote to memory of 3040	2668	Medal.exe	39
PID 2668 wrote to memory of 3040	2668	Medal.exe	39
PID 2668 wrote to memory of 3040	2668	Medal.exe	39
PID 2668 wrote to memory of 1712	2668	Medal.exe	45
PID 2668 wrote to memory of 1712	2668	Medal.exe	45
PID 2668 wrote to memory of 1712	2668	Medal.exe	45
PID 1712 wrote to memory of 2112	1712	cmd.exe	47
PID 1712 wrote to memory of 2112	1712	cmd.exe	47
PID 1712 wrote to memory of 2112	1712	cmd.exe	47
PID 1712 wrote to memory of 2088	1712	cmd.exe	48
PID 1712 wrote to memory of 2088	1712	cmd.exe	48
PID 1712 wrote to memory of 2088	1712	cmd.exe	48
PID 1712 wrote to memory of 1940	1712	cmd.exe	49
PID 1712 wrote to memory of 1940	1712	cmd.exe	49
PID 1712 wrote to memory of 1940	1712	cmd.exe	49
PID 1712 wrote to memory of 1940	1712	cmd.exe	49
PID 1712 wrote to memory of 1940	1712	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bndyq3e2\bndyq3e2.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DAC.tmp" "c:\Windows\System32\CSCB8653C586EC4CC78DE635EB43785FCF.TMP"
    3⤵
    PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\et-EE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Medal.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b74MxpxoI5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2112
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2088
- - C:\MSOCache\All Users\sppsvc.exe
    "C:\MSOCache\All Users\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3DAC.tmp

Filesize
1KB

MD5
559689d7e29936af90106f7a36f61600

SHA1
0bc2ebd5dbe93314ea7fc411c40ac02296bff6fa

SHA256
bccbbefa552b9bf38124a405a4881a48ddfe98e8eebcfd6994202c587b0fc9f4

SHA512
a8ab7569490c5ebdc613ae71bdd4d54adc65d5e34d4613f684fbb233cb5130ff79a689dcdb2b31dd895c39684ae38fcb31e7626015986ad64ecacdd30317f694

Download Submit
C:\Users\Admin\AppData\Local\Temp\b74MxpxoI5.bat

Filesize
160B

MD5
875add3c420410a3d573ed9bd17241e0

SHA1
363336842a67a435bf10bf1002cb012984928cd8

SHA256
ce260e52f213fc5184343d75c3ae85cf9fe41252cbaaabb19d868220230a4d4e

SHA512
8bd442945ec93bda1dc3dae7e0a288842e08d5dda2ac5b410bf8a93a359b6e36e765ce1cc5a7a5502be0f2de25013b129bf1561b85393b1a7f567c445b3cea15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0a9f6f6767deb685dd4dc92d90bce8a3

SHA1
e512dc0292cc01d3f2bd6ec2bdd1dee5d2f7c5ea

SHA256
d05ad2fd8c345a38ce84c171f00e30c15857a29a356710f24353ce282c79adae

SHA512
7c3284ac256bc866ae14915ec74fbadb7aa37df6f65b788ab62d65f7b295d54d9c6331d10c3f4ba81ac962ab200228056678f3565428f4530a2d1bdb3c804f47

Download Submit
C:\Windows\System32\et-EE\csrss.exe

Filesize
1.8MB

MD5
e27a4488cb35703f406fcf3a038a86c4

SHA1
926513f3ccca7cc4a86f281670cc9be1fdd4c613

SHA256
2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b

SHA512
9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bndyq3e2\bndyq3e2.0.cs

Filesize
367B

MD5
47523aac48afcb8c5623809eb295abf6

SHA1
b34d9d243f0de54b759f6e545c7c539ff9a54afa

SHA256
14e8e9d7a09b57d41017626b094ab4a812d6d7de13bbfd6fa72e49a4cb53d96f

SHA512
8f3e6064d51754790145bbad528d42076e64e4549e9dad55624819732823b43116e9d2ff5e05c3b52f88160c5411ffc69d6fe954dae51593503ea21f7bdbf93b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bndyq3e2\bndyq3e2.cmdline

Filesize
235B

MD5
f4cd4f289d8519afe09d03bb39425f6c

SHA1
fae23ec03d9afc6d857b916b3d9c617bd66aaf49

SHA256
88699b3479762f3ca9dd9f47cf6537d989cce86a59e78250d1280a44257a437c

SHA512
1cf8a4eab599729975a273f46b82fd1668f894e321bef082143e16b94a40074584ef30238f8b876a3ec235218265f7583ea3532d680dc85d08303d6f49506423

Download Submit
\??\c:\Windows\System32\CSCB8653C586EC4CC78DE635EB43785FCF.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
memory/1940-80-0x0000000000AC0000-0x0000000000C9A000-memory.dmp

Filesize
1.9MB

Download
memory/2624-60-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2624-62-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2668-8-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/2668-9-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-26-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-27-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-28-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-13-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2668-11-0x0000000002000000-0x0000000002018000-memory.dmp

Filesize
96KB

Download
memory/2668-14-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2668-6-0x0000000000770000-0x000000000077E000-memory.dmp

Filesize
56KB

Download
memory/2668-54-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-4-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-3-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-2-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-1-0x00000000002C0000-0x000000000049A000-memory.dmp

Filesize
1.9MB

Download