ED7251FADEB9BD2A8836828F2E1B6F83.exe

General

Target: ED7251FADEB9BD2A8836828F2E1B6F83.exe
Filesize: 992KB
Completed: 04-05-2021 10:08
Score: 10/10
MD5: ed7251fadeb9bd2a8836828f2e1b6f83
SHA1: ab41a68d76147bfdb3d5ff36ae0e992e4e5b7c84
SHA256: dab16f86762edfad407ad17ff640eeaf0b92ef8da877d81e07c90690d142df88

Malware Config
Signatures 6

  • DarkTrack

    Description

    DarkTrack is a remote administration tool written in Delphi.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                                                    | yara_rule
    behavioral1/memory/1448-62-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/1448-65-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
  • Suspicious use of SetThreadContext
    ED7251FADEB9BD2A8836828F2E1B6F83.exe

    Reported IOCs

    description                         | pid  | process                              | target process
    PID 1944 set thread context of 1448 | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
  • Suspicious behavior: GetForegroundWindowSpam
    ED7251FADEB9BD2A8836828F2E1B6F83.exe

    Reported IOCs

    pid  | process
    1448 | ED7251FADEB9BD2A8836828F2E1B6F83.exe
  • Suspicious use of AdjustPrivilegeToken
    ED7251FADEB9BD2A8836828F2E1B6F83.exe

    Reported IOCs

    description              | pid  | process
    Token: SeDebugPrivilege  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe
  • Suspicious use of WriteProcessMemory
    ED7251FADEB9BD2A8836828F2E1B6F83.exe

    Reported IOCs

    description                       | pid  | process                              | target process
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
    PID 1944 wrote to memory of 1448  | 1944 | ED7251FADEB9BD2A8836828F2E1B6F83.exe | ED7251FADEB9BD2A8836828F2E1B6F83.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
    "C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
      C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
      Suspicious behavior: GetForegroundWindowSpam
      PID:1448
Network
Downloads
  • memory/1448-62-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/1448-63-0x00000000004A6880-mapping.dmp
  • memory/1448-65-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/1944-60-0x00000000760B1000-0x00000000760B3000-memory.dmp
  • memory/1944-61-0x0000000000300000-0x0000000000301000-memory.dmp