darktrack | f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9

Analysis

Target

a2eb1bd8d9ebddb661200dc562a76a63.exe
Size

611KB
MD5

a2eb1bd8d9ebddb661200dc562a76a63
SHA1

3f48a72352a35fc272fc6ce49d0a49370ac98859
SHA256

f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9
SHA512

276f56da79ef9e2ac28464e4da094993087a20a370dfd3e5b024a39de0fa0810b7bdd15fba91077d5d17faa09ea40b94839d73c3a8b41903a1e2949cca54486c

Score

10^/10

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000200000001ab5a-5.dat	family_darktrack
behavioral2/files/0x000200000001ab5a-4.dat	family_darktrack

Executes dropped EXE 1 IoCs

Processes:

legit.exe

pid	Process
188	legit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a2eb1bd8d9ebddb661200dc562a76a63.exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 856	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	76
PID 1052 wrote to memory of 856	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	76
PID 1052 wrote to memory of 856	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	76
PID 1052 wrote to memory of 188	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	78
PID 1052 wrote to memory of 188	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	78
PID 1052 wrote to memory of 188	1052	a2eb1bd8d9ebddb661200dc562a76a63.exe	78

C:\Users\Admin\AppData\Local\Temp\a2eb1bd8d9ebddb661200dc562a76a63.exe
"C:\Users\Admin\AppData\Local\Temp\a2eb1bd8d9ebddb661200dc562a76a63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A2EB1B~1.EXE >> NUL
  2⤵
  PID:856
- C:\Users\Admin\AppData\Roaming\legit.exe
  "C:\Users\Admin\AppData\Roaming\legit.exe"
  2⤵
  - Executes dropped EXE
  PID:188

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\legit.exe

MD5
a2eb1bd8d9ebddb661200dc562a76a63

SHA1
3f48a72352a35fc272fc6ce49d0a49370ac98859

SHA256
f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9

SHA512
276f56da79ef9e2ac28464e4da094993087a20a370dfd3e5b024a39de0fa0810b7bdd15fba91077d5d17faa09ea40b94839d73c3a8b41903a1e2949cca54486c

Download Submit
C:\Users\Admin\AppData\Roaming\legit.exe

MD5
a2eb1bd8d9ebddb661200dc562a76a63

SHA1
3f48a72352a35fc272fc6ce49d0a49370ac98859

SHA256
f1a58944929b74a4b66d98c5ffb19a830cea082c7a3058bb2e8e8adeac2c83e9

SHA512
276f56da79ef9e2ac28464e4da094993087a20a370dfd3e5b024a39de0fa0810b7bdd15fba91077d5d17faa09ea40b94839d73c3a8b41903a1e2949cca54486c

Download Submit
memory/188-3-0x0000000000000000-mapping.dmp

Download
memory/856-2-0x0000000000000000-mapping.dmp

Download