server.exe

General
Target: server.exe
Filesize: 627KB
Completed: 29-04-2021 22:00
Score: 10/10
MD5: ccadb01dd1b49d0feb520c6bf7f819ef
SHA1: f0a859f869fe2c4c01541f7777be40b97fa8820d
SHA256: 399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8

Malware Config
Signatures (7)
Tactics: Defense Evasion, Discovery, Persistence
  • DarkTrack

    Description: DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack Payload

    Reported IOCs (resource, yara_rule):
      behavioral2/files/0x000200000001ab3a-116.dat  family_darktrack
      behavioral2/files/0x000200000001ab3a-117.dat  family_darktrack
  • Executes dropped EXE
    DtServ32.exe

    Reported IOCs (pid, process):
      3356  DtServ32.exe
  • Adds Run key to start application
    notepad.exe

    TTPs: Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs (description, ioc, process):
      Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DtServ32.exe"  notepad.exe

    Note: the Run value is written by notepad.exe (PID 2028), not by DtServ32.exe itself. The WriteProcessMemory events in this report show DtServ32.exe (PID 3356) writing into that notepad.exe, so the persistence write comes from injected code running in a benign-looking host process; registry telemetry that keys on the writing process image alone will attribute it to notepad.exe.
  • Enumerates physical storage devices

    Description: Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this as likely ransomware behaviour; for a RAT such as DarkTrack the same drive enumeration is ordinary host discovery, and no file encryption or other ransomware activity is reported for this run.

    TTPs: System Information Discovery
  • Suspicious behavior: GetForegroundWindowSpam
    DtServ32.exe

    Reported IOCs (pid, process):
      3356  DtServ32.exe
  • Suspicious use of WriteProcessMemory
    server.exe, DtServ32.exe

    Reported IOCs (description, pid, process, target process); identical rows collapsed with a count:
      PID 656 wrote to memory of 3080   656   server.exe    cmd.exe       (x3)
      PID 656 wrote to memory of 3356   656   server.exe    DtServ32.exe  (x3)
      PID 3356 wrote to memory of 2028  3356  DtServ32.exe  notepad.exe   (x23)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL
      PID:3080
    • C:\Users\Admin\AppData\Roaming\DtServ32.exe
      "C:\Users\Admin\AppData\Roaming\DtServ32.exe"
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        Adds Run key to start application
        PID:2028
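The process tree and the Run-key signature above together give a small, checkable pattern: a dropper that spawns `cmd.exe /c del <its own path>`, a copy of itself started from %AppData%, and a Run value registered by a process the copy injected into. The script below is an added triage example, not code from this report or from DarkTrack. Its records are constructed from the PIDs, command lines, registry write and WriteProcessMemory edges shown on this page; the dataclass field names, helper names and the list of user-writable path fragments are my own assumptions.

```python
"""Triage checks over the process tree and registry events of a sandbox run.

Added example, not code from the sandbox report or from DarkTrack. The records
below are constructed from the values this report shows (PIDs, command lines,
the Run key write and the WriteProcessMemory edges); the dataclass fields, the
helper names and USER_WRITABLE are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the executed image
    cmdline: str


@dataclass
class RegSet:
    pid: int        # process that performed the registry write
    key: str
    value: str
    data: str


# Constructed from the "Processes" section of the report.
PROCS = [
    Proc(656, None, r"C:\Users\Admin\AppData\Local\Temp\server.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'),
    Proc(3080, 656, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\server.exe >> NUL'),
    Proc(3356, 656, r"C:\Users\Admin\AppData\Roaming\DtServ32.exe",
         r'"C:\Users\Admin\AppData\Roaming\DtServ32.exe"'),
    Proc(2028, 3356, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
]

# Constructed from the "Adds Run key" signature: notepad.exe (PID 2028) wrote the value.
REG_SETS = [
    RegSet(2028,
           r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run",
           "DtServ32sm.exe",
           r"C:\Users\Admin\AppData\Roaming\DtServ32.exe"),
]

# (writer pid, target pid) pairs from the WriteProcessMemory signature, de-duplicated.
WPM_EDGES = [(656, 3080), (656, 3356), (3356, 2028)]

# Path fragments an unprivileged user can write to. A Run value pointing here is
# worth a look; the list is an assumption and should be tuned per environment.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")

# First argument of a "del" command: either a quoted path or a bare token that
# stops at whitespace or at a redirection such as ">> NUL".
_DEL_ARG = re.compile(r'\bdel\b\s+(?:"([^"]+)"|([^\s>]+))', re.IGNORECASE)
_RUN_KEY = re.compile(r"\\currentversion\\run(once)?$")


def find_self_delete(procs):
    """cmd.exe children that delete their parent's own image (dropper clean-up).

    Returns (cmd pid, parent pid, deleted path) tuples."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe") or p.ppid not in by_pid:
            continue
        m = _DEL_ARG.search(p.cmdline)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        if target.lower() == by_pid[p.ppid].image.lower():
            hits.append((p.pid, p.ppid, target))
    return hits


def find_suspicious_run_keys(reg_sets, procs, wpm_edges):
    """Run/RunOnce values pointing into a user-writable path, with attribution:
    which process wrote the value, whether that process is a different image
    from the one being persisted, and whether it had earlier been the target
    of a WriteProcessMemory call (the write likely came from injected code)."""
    by_pid = {p.pid: p for p in procs}
    injected_by = {tgt: src for src, tgt in wpm_edges}
    findings = []
    for r in reg_sets:
        if not _RUN_KEY.search(r.key.lower()):
            continue
        data = r.data.lower()
        if not any(frag in data for frag in USER_WRITABLE):
            continue
        writer = by_pid.get(r.pid)
        findings.append({
            "value": r.value,
            "data": r.data,
            "writer": r.pid,
            "writer_image": writer.image if writer else None,
            "writer_mismatch": bool(writer) and writer.image.lower() != data,
            "injected_by": injected_by.get(r.pid),
        })
    return findings


if __name__ == "__main__":
    for hit in find_self_delete(PROCS):
        print("self-delete: cmd pid %d removed parent %d image %s" % hit)
    for f in find_suspicious_run_keys(REG_SETS, PROCS, WPM_EDGES):
        print("run key %s -> %s written by pid %s (%s), injected by pid %s"
              % (f["value"], f["data"], f["writer"], f["writer_image"], f["injected_by"]))
```

On this report's data the first check attributes the `del` of server.exe to cmd.exe PID 3080 acting for its parent PID 656, and the second flags the DtServ32sm.exe value as written by notepad.exe (PID 2028) after DtServ32.exe (PID 3356) wrote into it. The same two checks apply to live EDR or Sysmon data once the process, registry and cross-process-write events are mapped onto the three record shapes.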
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Roaming\DtServ32.exe
    MD5: ccadb01dd1b49d0feb520c6bf7f819ef
    SHA1: f0a859f869fe2c4c01541f7777be40b97fa8820d
    SHA256: 399b5ca1eee21d07a146800fbccb360c524171237b49b1fa415fbabd0c6b92e8
    SHA512: 82bbcdee9acf630fc8e1f15bafec31e2d7f6ac6f998006a4d64ea2b13c7d7a78f2fb51fa6f652ad65dab7e191fd8b17cda3b570ef0101374e1d1b0682932d77c
    These hashes are identical to the submitted server.exe: the sample copies itself to %AppData%\DtServ32.exe and removes the original from %Temp% via cmd.exe, so a hash-based block on the submitted file also covers the persisted copy.


  • memory/2028-118-0x0000000000000000-mapping.dmp
  • memory/2028-119-0x0000000002A00000-0x0000000002AAE000-memory.dmp
  • memory/3080-114-0x0000000000000000-mapping.dmp
  • memory/3356-115-0x0000000000000000-mapping.dmp