Overview

overview

10

Static

static

10

af776fc957...a1.exe

windows7_x64

10

af776fc957...a1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    07-04-2022 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af776fc957e51c8846258b4d8004e1a1.exe

  • Size

    627KB

  • MD5

    af776fc957e51c8846258b4d8004e1a1

  • SHA1

    3baed603d9b56e085d56371397595f81edcf7b70

  • SHA256

    dfb278405d6f2c0795936304f4c8d2e572be0d2699477d5b68b4fcff67f9bf42

  • SHA512

    dc1d06d9d55d5bfd008d3f1e272c60440b777552dccb76858b062d1affbeae4f6c84429e2db8df5c8bd25edfd4a6afef5b81d76eaa801e36d5b7efdd1e3f92ef

Score
10/10
darktrackpersistenceratstealer

Malware Config

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in delphi.

    ratstealerdarktrack
  • DarkTrack Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af776fc957e51c8846258b4d8004e1a1.exe
    "C:\Users\Admin\AppData\Local\Temp\af776fc957e51c8846258b4d8004e1a1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:1720
      • C:\Users\Admin\AppData\Roaming\srvhost.exe
        "C:\Users\Admin\AppData\Roaming\srvhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
            PID:1828
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            3⤵
            • Adds Run key to start application
            PID:1980

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\srvhost.exe
        Filesize

        627KB

        MD5

        af776fc957e51c8846258b4d8004e1a1

        SHA1

        3baed603d9b56e085d56371397595f81edcf7b70

        SHA256

        dfb278405d6f2c0795936304f4c8d2e572be0d2699477d5b68b4fcff67f9bf42

        SHA512

        dc1d06d9d55d5bfd008d3f1e272c60440b777552dccb76858b062d1affbeae4f6c84429e2db8df5c8bd25edfd4a6afef5b81d76eaa801e36d5b7efdd1e3f92ef

        Download Submit
      • C:\Users\Admin\AppData\Roaming\srvhost.exe
        Filesize

        627KB

        MD5

        af776fc957e51c8846258b4d8004e1a1

        SHA1

        3baed603d9b56e085d56371397595f81edcf7b70

        SHA256

        dfb278405d6f2c0795936304f4c8d2e572be0d2699477d5b68b4fcff67f9bf42

        SHA512

        dc1d06d9d55d5bfd008d3f1e272c60440b777552dccb76858b062d1affbeae4f6c84429e2db8df5c8bd25edfd4a6afef5b81d76eaa801e36d5b7efdd1e3f92ef

        Download Submit
      • \Users\Admin\AppData\Roaming\srvhost.exe
        Filesize

        627KB

        MD5

        af776fc957e51c8846258b4d8004e1a1

        SHA1

        3baed603d9b56e085d56371397595f81edcf7b70

        SHA256

        dfb278405d6f2c0795936304f4c8d2e572be0d2699477d5b68b4fcff67f9bf42

        SHA512

        dc1d06d9d55d5bfd008d3f1e272c60440b777552dccb76858b062d1affbeae4f6c84429e2db8df5c8bd25edfd4a6afef5b81d76eaa801e36d5b7efdd1e3f92ef

        Download Submit
      • \Users\Admin\AppData\Roaming\srvhost.exe
        Filesize

        627KB

        MD5

        af776fc957e51c8846258b4d8004e1a1

        SHA1

        3baed603d9b56e085d56371397595f81edcf7b70

        SHA256

        dfb278405d6f2c0795936304f4c8d2e572be0d2699477d5b68b4fcff67f9bf42

        SHA512

        dc1d06d9d55d5bfd008d3f1e272c60440b777552dccb76858b062d1affbeae4f6c84429e2db8df5c8bd25edfd4a6afef5b81d76eaa801e36d5b7efdd1e3f92ef

        Download Submit
      • memory/1428-97-0x0000000000000000-mapping.dmp
        Download
      • memory/1648-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1720-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1720-56-0x0000000000080000-0x0000000000081000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1828-100-0x0000000000000000-mapping.dmp
        Download
      • memory/1980-140-0x0000000000000000-mapping.dmp
        Download