darktrack | bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/05/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predstavlenie № 6-51-2024 .docx.exe
Size

11.3MB
MD5

45ae0c08a1fb98fe77e4cd127b79ef7d
SHA1

12c7847fc2567ee9e6c0010f5c311753c017fa48
SHA256

bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e
SHA512

21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd
SSDEEP

196608:fxtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18afx:fWxL4S2kCVsHRsekTCVxhjx

Score

10^/10

darktrack evasion persistence rat stealer themida trojan upx

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 4 IoCs

resource	yara_rule
behavioral1/memory/2152-704-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/2152-705-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/2152-707-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/2152-706-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rupedoras.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rupedoras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rupedoras.exe

Executes dropped EXE 1 IoCs

pid	Process
4388	rupedoras.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000b00000001ab56-49.dat	themida
behavioral1/memory/4388-200-0x0000000000400000-0x0000000001F60000-memory.dmp	themida
behavioral1/memory/4388-201-0x0000000000400000-0x0000000001F60000-memory.dmp	themida
behavioral1/memory/4388-711-0x0000000000400000-0x0000000001F60000-memory.dmp	themida

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-701-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2152-704-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2152-702-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2152-705-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2152-707-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2152-706-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\KWn3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rupedoras.exe"	Predstavlenie № 6-51-2024 .docx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rupedoras.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4388	rupedoras.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 2152	4388	rupedoras.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Predstavlenie № 6-51-2024 .docx.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2892	WINWORD.EXE
2892	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4388	rupedoras.exe
4388	rupedoras.exe
4388	rupedoras.exe
4388	rupedoras.exe
4388	rupedoras.exe
4388	rupedoras.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2152	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	rupedoras.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2892	WINWORD.EXE
2892	WINWORD.EXE
2892	WINWORD.EXE
2892	WINWORD.EXE
2892	WINWORD.EXE
2892	WINWORD.EXE
2892	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2892	344	Predstavlenie № 6-51-2024 .docx.exe	73
PID 344 wrote to memory of 2892	344	Predstavlenie № 6-51-2024 .docx.exe	73
PID 344 wrote to memory of 4388	344	Predstavlenie № 6-51-2024 .docx.exe	75
PID 344 wrote to memory of 4388	344	Predstavlenie № 6-51-2024 .docx.exe	75
PID 344 wrote to memory of 4388	344	Predstavlenie № 6-51-2024 .docx.exe	75
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 1276	4388	rupedoras.exe	77
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78
PID 4388 wrote to memory of 2152	4388	rupedoras.exe	78

C:\Users\Admin\AppData\Local\Temp\Predstavlenie № 6-51-2024 .docx.exe
"C:\Users\Admin\AppData\Local\Temp\Predstavlenie № 6-51-2024 .docx.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapros.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
  C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDB01A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rupedoras.exe

Filesize
11.2MB

MD5
d483c1a9718cf5d880b3cce5d6ff7423

SHA1
72be5e949dd6923a43e7eaab1811baea4bc4b644

SHA256
8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd

SHA512
370e220b3bdb617a12479db075ee26741075306ce7a72237115b2d79c452baadf931ccf3b422e9d0ef1eb0138316c3233f3ecd27074f3e797dc20ee974eb6fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zapros.docx

Filesize
11KB

MD5
9871272af8b06b484f0529c10350a910

SHA1
707979b027f371989fb71e36795b652a2d466592

SHA256
c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3

SHA512
5bd60de706ed3ef717177b08fa69ebc8117fe52bf53e896b91d102430b4b976b136f2df75fe4d1cb9cf16f5e73052e030e364bdf212148b1471e9c2b99f76a4c

Download Submit
memory/2152-706-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-707-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-702-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-704-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-701-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2892-12-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-694-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-16-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-4-0x00007FFA32D00000-0x00007FFA32D10000-memory.dmp

Filesize
64KB

Download
memory/2892-20-0x00007FFA2FAE0000-0x00007FFA2FAF0000-memory.dmp

Filesize
64KB

Download
memory/2892-19-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-21-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-23-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-22-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-24-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-25-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-26-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-27-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-28-0x00007FFA2FAE0000-0x00007FFA2FAF0000-memory.dmp

Filesize
64KB

Download
memory/2892-13-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-14-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-5-0x00007FFA32D00000-0x00007FFA32D10000-memory.dmp

Filesize
64KB

Download
memory/2892-6-0x00007FFA32D00000-0x00007FFA32D10000-memory.dmp

Filesize
64KB

Download
memory/2892-7-0x00007FFA72D15000-0x00007FFA72D16000-memory.dmp

Filesize
4KB

Download
memory/2892-8-0x00007FFA32D00000-0x00007FFA32D10000-memory.dmp

Filesize
64KB

Download
memory/2892-9-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-10-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-697-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-695-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-696-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-15-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-11-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-639-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmp

Filesize
1.9MB

Download
memory/4388-243-0x00000000082D0000-0x00000000082D6000-memory.dmp

Filesize
24KB

Download
memory/4388-213-0x0000000008270000-0x000000000828A000-memory.dmp

Filesize
104KB

Download
memory/4388-211-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/4388-210-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

Filesize
272KB

Download
memory/4388-698-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/4388-209-0x00000000069E0000-0x0000000006A7C000-memory.dmp

Filesize
624KB

Download
memory/4388-205-0x0000000006920000-0x00000000069B2000-memory.dmp

Filesize
584KB

Download
memory/4388-202-0x00000000063C0000-0x00000000068BE000-memory.dmp

Filesize
5.0MB

Download
memory/4388-201-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/4388-200-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/4388-59-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/4388-711-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download