darktrack | 399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

General

Target

server.exe
Size

627KB
MD5

ccadb01dd1b49d0feb520c6bf7f819ef
SHA1

f0a859f869fe2c4c01541f7777be40b97fa8820d
SHA256

399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8
SHA512

82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Score

10^/10

darktrack persistence rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\DtServ32.exe	family_darktrack
\Users\Admin\AppData\Roaming\DtServ32.exe	family_darktrack
C:\Users\Admin\AppData\Roaming\DtServ32.exe	family_darktrack
C:\Users\Admin\AppData\Roaming\DtServ32.exe	family_darktrack

Executes dropped EXE 1 IoCs

Processes:

DtServ32.exe

pid process

1996 DtServ32.exe
Loads dropped DLL 2 IoCs

Processes:

server.exe

pid process

2020 server.exe
2020 server.exe

pid	process
1996	DtServ32.exe

pid	process
2020	server.exe
2020	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DtServ32.exe"	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DtServ32.exe

pid process

1996 DtServ32.exe

pid	process
1996	DtServ32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

server.exeDtServ32.exe

description	pid	process	target process
PID 2020 wrote to memory of 1564	2020	server.exe	cmd.exe
PID 2020 wrote to memory of 1564	2020	server.exe	cmd.exe
PID 2020 wrote to memory of 1564	2020	server.exe	cmd.exe
PID 2020 wrote to memory of 1564	2020	server.exe	cmd.exe
PID 2020 wrote to memory of 1996	2020	server.exe	DtServ32.exe
PID 2020 wrote to memory of 1996	2020	server.exe	DtServ32.exe
PID 2020 wrote to memory of 1996	2020	server.exe	DtServ32.exe
PID 2020 wrote to memory of 1996	2020	server.exe	DtServ32.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe
PID 1996 wrote to memory of 1956	1996	DtServ32.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Roaming\DtServ32.exe
  "C:\Users\Admin\AppData\Roaming\DtServ32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DtServ32.exe

MD5
ccadb01dd1b49d0feb520c6bf7f819ef

SHA1
f0a859f869fe2c4c01541f7777be40b97fa8820d

SHA256
399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

SHA512
82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Download Submit
C:\Users\Admin\AppData\Roaming\DtServ32.exe

MD5
ccadb01dd1b49d0feb520c6bf7f819ef

SHA1
f0a859f869fe2c4c01541f7777be40b97fa8820d

SHA256
399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

SHA512
82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Download Submit
\Users\Admin\AppData\Roaming\DtServ32.exe

MD5
ccadb01dd1b49d0feb520c6bf7f819ef

SHA1
f0a859f869fe2c4c01541f7777be40b97fa8820d

SHA256
399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

SHA512
82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Download Submit
\Users\Admin\AppData\Roaming\DtServ32.exe

MD5
ccadb01dd1b49d0feb520c6bf7f819ef

SHA1
f0a859f869fe2c4c01541f7777be40b97fa8820d

SHA256
399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

SHA512
82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c

Download Submit
memory/1564-61-0x0000000000000000-mapping.dmp

Download
memory/1956-67-0x0000000000000000-mapping.dmp

Download
memory/1956-70-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads