a2eb1bd8d9ebddb661200dc562a76a63.exe

General

Target: a2eb1bd8d9ebddb661200dc562a76a63.exe
Filesize: 611KB
Completed: 28-03-2021 21:28
Score: 10/10
MD5: a2eb1bd8d9ebddb661200dc562a76a63
SHA1: 3f48a72352a35fc272fc6ce49d0a49370ac98859
SHA256: f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9

Malware Config
Signatures 5


Discovery
  • DarkTrack

    Description

    DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack Payload

    Reported IOCs

    resource                                      yara_rule
    behavioral2/files/0x000200000001ab5a-5.dat    family_darktrack
    behavioral2/files/0x000200000001ab5a-4.dat    family_darktrack
  • Executes dropped EXE
    legit.exe

    Reported IOCs

    pid    process
    188    legit.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of WriteProcessMemory
    a2eb1bd8d9ebddb661200dc562a76a63.exe

    Reported IOCs

    description                        pid     process                                 target process
    PID 1052 wrote to memory of 856    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    cmd.exe
    PID 1052 wrote to memory of 856    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    cmd.exe
    PID 1052 wrote to memory of 856    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    cmd.exe
    PID 1052 wrote to memory of 188    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    legit.exe
    PID 1052 wrote to memory of 188    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    legit.exe
    PID 1052 wrote to memory of 188    1052    a2eb1bd8d9ebddb661200dc562a76a63.exe    legit.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\a2eb1bd8d9ebddb661200dc562a76a63.exe
    "C:\Users\Admin\AppData\Local\Temp\a2eb1bd8d9ebddb661200dc562a76a63.exe"
    Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A2EB1B~1.EXE >> NUL
      PID:856
    • C:\Users\Admin\AppData\Roaming\legit.exe
      "C:\Users\Admin\AppData\Roaming\legit.exe"
      Executes dropped EXE
      PID:188
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\legit.exe

    MD5: a2eb1bd8d9ebddb661200dc562a76a63
    SHA1: 3f48a72352a35fc272fc6ce49d0a49370ac98859
    SHA256: f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9
    SHA512: 276f56da79ef9e2ac28464e4da094993087a20a370dfd3e5b024a39de0fa0810b7bdd15fba91077d5d17faa09ea40b94839d73c3a8b41903a1e2949cca54486c

  • memory/188-3-0x0000000000000000-mapping.dmp

  • memory/856-2-0x0000000000000000-mapping.dmp