server.exe

General

Target: server.exe
Filesize: 627KB
Completed: 29-04-2021 22:00
Score: 10/10

MD5: ccadb01dd1b49d0feb520c6bf7f819ef
SHA1: f0a859f869fe2c4c01541f7777be40b97fa8820d
SHA256: 399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8
Malware Config
Signatures 8

Tactics: Defense Evasion, Discovery, Persistence
  • DarkTrack

    Description

    DarkTrack is a remote administration tool (RAT) written in Delphi.

  • DarkTrack Payload

    Reported IOCs

    resource                                        yara_rule
    behavioral1/files/0x00040000000130fd-63.dat     family_darktrack
    behavioral1/files/0x00040000000130fd-62.dat     family_darktrack
    behavioral1/files/0x00040000000130fd-65.dat     family_darktrack
    behavioral1/files/0x00040000000130fd-69.dat     family_darktrack
  • Executes dropped EXE
    DtServ32.exe

    Reported IOCs

    pid     process
    1996    DtServ32.exe
  • Loads dropped DLL
    server.exe

    Reported IOCs

    pid     process
    2020    server.exe
    2020    server.exe
  • Adds Run key to start application
    notepad.exe

    The Run value is written by notepad.exe, not by the RAT binary itself: DtServ32.exe (PID 1996) spawned notepad.exe (PID 1956) and wrote into its memory beforehand (see the WriteProcessMemory signature below), so the persistence entry comes from an injected host process. The value name (DtServ32sm.exe) does not match the file name it points to (DtServ32.exe), and the target lives in a user-writable directory (AppData\Roaming).

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description        ioc                                                                                                                                                   process
    Set value (str)    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DtServ32.exe"    notepad.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The signature's generic description labels this as likely ransomware behaviour; for a sample classified as a RAT it is more consistent with drive enumeration for the tool's file-browsing features, and no encryption activity is reported here.

    TTPs

    System Information Discovery
  • Suspicious behavior: GetForegroundWindowSpam
    DtServ32.exe

    Repeated polling of GetForegroundWindow is the heuristic behind this signature; in RATs it is commonly associated with tracking the active window (for example, to tag keystroke logs with window titles), though the report does not confirm which feature triggered it here.

    Reported IOCs

    pid     process
    1996    DtServ32.exe
  • Suspicious use of WriteProcessMemory
    server.exe, DtServ32.exe

    Reported IOCs (identical rows collapsed; the count column is the number of times the row was reported)

    description                          pid     process        target process    count
    PID 2020 wrote to memory of 1564     2020    server.exe     cmd.exe           4
    PID 2020 wrote to memory of 1996     2020    server.exe     DtServ32.exe      4
    PID 1996 wrote to memory of 1956     1996    DtServ32.exe   notepad.exe       24
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL
      PID:1564
    • C:\Users\Admin\AppData\Roaming\DtServ32.exe
      "C:\Users\Admin\AppData\Roaming\DtServ32.exe"
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        Adds Run key to start application
        PID:1956
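The process tree above is the whole story of this sample in four processes: server.exe deletes its own file through cmd.exe, launches a copy of itself as DtServ32.exe from AppData\Roaming, and that copy injects into notepad.exe, which then writes the Run key. The detection logic below is an added example and is not part of the sandbox report or of any vendor product. It runs over constructed Sysmon-style event records (field names follow Sysmon's schema for event IDs 1, 10 and 13; the PIDs, paths and Run value are the ones recorded in this report, while the parent of server.exe and the GrantedAccess value are assumptions) and flags each link of the chain: self-deletion via `cmd /c del`, execution of a user-writable binary from a user-writable parent, a Run value pointing into AppData, and a Run value written by a process that another process had opened for writing.

```python
"""Detect the DarkTrack execution chain from this report over Sysmon-like events.

Added example, not code from the sandbox. Events are plain dicts using Sysmon
field names: EventID 1 (process create), 10 (process access), 13 (registry set).
"""
import re

# Constructed events mirroring the report's process tree. The explorer.exe parent
# and the GrantedAccess mask are assumptions; everything else is from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 2020, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"EventID": 1, "ProcessId": 1564, "ParentProcessId": 2020,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL'},
    {"EventID": 1, "ProcessId": 1996, "ParentProcessId": 2020,
     "Image": r"C:\Users\Admin\AppData\Roaming\DtServ32.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\DtServ32.exe"'},
    {"EventID": 1, "ProcessId": 1956, "ParentProcessId": 1996,
     "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\DtServ32.exe",
     "CommandLine": "notepad"},
    {"EventID": 10, "SourceProcessId": 1996, "TargetProcessId": 1956,
     "SourceImage": r"C:\Users\Admin\AppData\Roaming\DtServ32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "ProcessId": 1956,
     "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "TargetObject": r"HKU\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe",
     "Details": r"C:\Users\Admin\AppData\Roaming\DtServ32.exe"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
SELF_DELETE = re.compile(r"/c\s+del\s+(?P<path>\"?[^\s\"]+)", re.I)


def process_chain(events, pid):
    """Ancestry of `pid` as a list of image paths, child first, from EventID 1 records."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def detect(events):
    """Return (rule, pid, detail) findings for each suspicious link in the chain."""
    findings = []
    # Processes opened by a *different* image with write access are injection targets.
    injected_by = {e["TargetProcessId"]: e["SourceImage"]
                   for e in events if e["EventID"] == 10
                   and e["SourceImage"].lower() != e["TargetImage"].lower()}
    for e in events:
        if e["EventID"] == 1:
            m = SELF_DELETE.search(e["CommandLine"])
            # cmd /c del <path> where <path> is the parent's own binary: self-deletion.
            if m and m.group("path").strip('"').lower() == e["ParentImage"].lower():
                findings.append(("self_delete_via_cmd", e["ParentProcessId"], e["CommandLine"]))
            # A user-writable binary launching another user-writable binary (dropped EXE).
            if USER_WRITABLE.search(e["Image"]) and USER_WRITABLE.search(e["ParentImage"]):
                findings.append(("dropped_exe_from_user_writable_parent", e["ProcessId"], e["Image"]))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            if USER_WRITABLE.search(e["Details"]):
                findings.append(("run_key_to_appdata", e["ProcessId"], e["Details"]))
            # Persistence written by a process someone else had a write handle to.
            if e["ProcessId"] in injected_by:
                findings.append(("run_key_set_by_injected_process", e["ProcessId"],
                                 injected_by[e["ProcessId"]]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The injection rule only looks for the Run write from a process with a foreign write handle; in a live Sysmon deployment EventID 10 must be enabled for that correlation to exist, and the GrantedAccess mask filter in the Sysmon config decides whether the DtServ32.exe-to-notepad.exe open is logged at all.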
Network
Downloads

The dropped file is listed under two path spellings (with and without the drive letter); both carry the same hashes, and they are also the MD5/SHA1/SHA256 of the submitted server.exe, i.e. the RAT copies itself byte-for-byte to AppData\Roaming as DtServ32.exe.

• C:\Users\Admin\AppData\Roaming\DtServ32.exe
  (also reported as \Users\Admin\AppData\Roaming\DtServ32.exe)

  MD5: ccadb01dd1b49d0feb520c6bf7f819ef
  SHA1: f0a859f869fe2c4c01541f7777be40b97fa8820d
  SHA256: 399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8
  SHA512: 82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Memory dumps

• memory/1564-61-0x0000000000000000-mapping.dmp
• memory/1956-67-0x0000000000000000-mapping.dmp
• memory/1956-70-0x00000000001F0000-0x00000000001F1000-memory.dmp
• memory/1996-64-0x0000000000000000-mapping.dmp
• memory/2020-60-0x0000000076281000-0x0000000076283000-memory.dmp