Overview

overview

10

Static

static

583DE02EC7...BD.exe

windows7_x64

10

583DE02EC7...BD.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-04-2021 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    583DE02EC747F0316FB7B0E59BD858BD.exe

  • Size

    3.2MB

  • MD5

    583de02ec747f0316fb7b0e59bd858bd

  • SHA1

    89e8b166e20db07846b4abcf81ff69c72e8a87ab

  • SHA256

    777a1b5eb79e751f4684f825ef2a5df80433a2d4e20f921d4f747e904793f3d2

  • SHA512

    f20189cc020395a6e4f8ad639912e0ba9750431ed03487f4f22ab016e1ea260782607c52e499a3d31e6d0793ef3aa847cf0027372c82882c465b785308362492

Score
10/10
darktrackpersistenceratstealer

Malware Config

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in delphi.

    ratstealerdarktrack
  • DarkTrack Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\583DE02EC747F0316FB7B0E59BD858BD.exe
    "C:\Users\Admin\AppData\Local\Temp\583DE02EC747F0316FB7B0E59BD858BD.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:3220
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL
          3⤵
            PID:4060
          • C:\Users\Admin\AppData\Roaming\DtServ32.exe
            "C:\Users\Admin\AppData\Roaming\DtServ32.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              4⤵
                PID:512
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                4⤵
                • Adds Run key to start application
                PID:640

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\server.exe
          MD5

          eab859092958653767665cf47be684ce

          SHA1

          15a8de33ed414584c5ed2c3fc5372d96538a562c

          SHA256

          7d8657f721a178f803e5d86d6425db7d79b85bff386c058d07d20a3cfa2f3b6f

          SHA512

          ccd340ea6aaa622b5d0af84b63760557284cd39c4736b6c87faa0cbd73ce8503dfb8b8c8ac11b696d218be470630467c16cab89fb6a95fd626735438db0a2353

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\server.exe
          MD5

          eab859092958653767665cf47be684ce

          SHA1

          15a8de33ed414584c5ed2c3fc5372d96538a562c

          SHA256

          7d8657f721a178f803e5d86d6425db7d79b85bff386c058d07d20a3cfa2f3b6f

          SHA512

          ccd340ea6aaa622b5d0af84b63760557284cd39c4736b6c87faa0cbd73ce8503dfb8b8c8ac11b696d218be470630467c16cab89fb6a95fd626735438db0a2353

          Download Submit

        • C:\Users\Admin\AppData\Roaming\DtServ32.exe
          MD5

          eab859092958653767665cf47be684ce

          SHA1

          15a8de33ed414584c5ed2c3fc5372d96538a562c

          SHA256

          7d8657f721a178f803e5d86d6425db7d79b85bff386c058d07d20a3cfa2f3b6f

          SHA512

          ccd340ea6aaa622b5d0af84b63760557284cd39c4736b6c87faa0cbd73ce8503dfb8b8c8ac11b696d218be470630467c16cab89fb6a95fd626735438db0a2353

          Download Submit

        • C:\Users\Admin\AppData\Roaming\DtServ32.exe
          MD5

          eab859092958653767665cf47be684ce

          SHA1

          15a8de33ed414584c5ed2c3fc5372d96538a562c

          SHA256

          7d8657f721a178f803e5d86d6425db7d79b85bff386c058d07d20a3cfa2f3b6f

          SHA512

          ccd340ea6aaa622b5d0af84b63760557284cd39c4736b6c87faa0cbd73ce8503dfb8b8c8ac11b696d218be470630467c16cab89fb6a95fd626735438db0a2353

          Download Submit

        • memory/512-21-0x0000000000000000-mapping.dmp

          Download

        • memory/640-24-0x0000000002F30000-0x0000000002F31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/640-23-0x0000000000000000-mapping.dmp

          Download

        • memory/2780-18-0x0000000000000000-mapping.dmp

          Download

        • memory/3220-15-0x0000000000000000-mapping.dmp

          Download

        • memory/3220-16-0x0000000002C20000-0x0000000002C21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4060-17-0x0000000000000000-mapping.dmp

          Download

        • memory/4180-7-0x0000000000000000-mapping.dmp

          Download

        • memory/4704-14-0x000000001B039000-0x000000001B03F000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4704-13-0x000000001B037000-0x000000001B039000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4704-12-0x000000001B035000-0x000000001B037000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4704-2-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4704-10-0x000000001B032000-0x000000001B034000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4704-11-0x000000001B034000-0x000000001B035000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4704-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4704-5-0x000000001B030000-0x000000001B032000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4704-3-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download