darktrack | 58fb41c622cfccae8febc06e0c04f25bdb613a5b260ae6f404e9d0eda5ea86ab

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predstavlenie № 6-51-2024 .docx.exe
Size

11.3MB
MD5

45ae0c08a1fb98fe77e4cd127b79ef7d
SHA1

12c7847fc2567ee9e6c0010f5c311753c017fa48
SHA256

bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e
SHA512

21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd
SSDEEP

196608:fxtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18afx:fWxL4S2kCVsHRsekTCVxhjx

Score

10^/10

darktrack evasion persistence rat stealer themida trojan upx

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 4 IoCs

resource	yara_rule
behavioral2/memory/6124-541-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/6124-542-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/6124-543-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/6124-544-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rupedoras.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rupedoras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rupedoras.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Predstavlenie № 6-51-2024 .docx.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	rupedoras.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000002296f-25.dat	themida
behavioral2/memory/2728-40-0x0000000000400000-0x0000000001F60000-memory.dmp	themida
behavioral2/memory/2728-41-0x0000000000400000-0x0000000001F60000-memory.dmp	themida
behavioral2/memory/2728-547-0x0000000000400000-0x0000000001F60000-memory.dmp	themida

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6124-538-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/6124-541-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/6124-540-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/6124-542-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/6124-543-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/6124-544-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KWn3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rupedoras.exe"	Predstavlenie № 6-51-2024 .docx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rupedoras.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2728	rupedoras.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 6124	2728	rupedoras.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	Predstavlenie № 6-51-2024 .docx.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4376	WINWORD.EXE
4376	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2728	rupedoras.exe
2728	rupedoras.exe
2728	rupedoras.exe
2728	rupedoras.exe
2728	rupedoras.exe
2728	rupedoras.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6124	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	rupedoras.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4376	WINWORD.EXE
4376	WINWORD.EXE
4376	WINWORD.EXE
4376	WINWORD.EXE
4376	WINWORD.EXE
4376	WINWORD.EXE
4376	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4376	1920	Predstavlenie № 6-51-2024 .docx.exe	87
PID 1920 wrote to memory of 4376	1920	Predstavlenie № 6-51-2024 .docx.exe	87
PID 1920 wrote to memory of 2728	1920	Predstavlenie № 6-51-2024 .docx.exe	89
PID 1920 wrote to memory of 2728	1920	Predstavlenie № 6-51-2024 .docx.exe	89
PID 1920 wrote to memory of 2728	1920	Predstavlenie № 6-51-2024 .docx.exe	89
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 2004	2728	rupedoras.exe	101
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102
PID 2728 wrote to memory of 6124	2728	rupedoras.exe	102

C:\Users\Admin\AppData\Local\Temp\Predstavlenie № 6-51-2024 .docx.exe
"C:\Users\Admin\AppData\Local\Temp\Predstavlenie № 6-51-2024 .docx.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapros.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
  C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:6124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD7F87.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\rupedoras.exe

Filesize
11.2MB

MD5
d483c1a9718cf5d880b3cce5d6ff7423

SHA1
72be5e949dd6923a43e7eaab1811baea4bc4b644

SHA256
8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd

SHA512
370e220b3bdb617a12479db075ee26741075306ce7a72237115b2d79c452baadf931ccf3b422e9d0ef1eb0138316c3233f3ecd27074f3e797dc20ee974eb6fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zapros.docx

Filesize
11KB

MD5
9871272af8b06b484f0529c10350a910

SHA1
707979b027f371989fb71e36795b652a2d466592

SHA256
c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3

SHA512
5bd60de706ed3ef717177b08fa69ebc8117fe52bf53e896b91d102430b4b976b136f2df75fe4d1cb9cf16f5e73052e030e364bdf212148b1471e9c2b99f76a4c

Download Submit
memory/2728-30-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/2728-41-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/2728-547-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/2728-534-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/2728-54-0x000000000AB70000-0x000000000AB76000-memory.dmp

Filesize
24KB

Download
memory/2728-42-0x0000000006770000-0x0000000006D14000-memory.dmp

Filesize
5.6MB

Download
memory/2728-53-0x00000000085C0000-0x00000000085DA000-memory.dmp

Filesize
104KB

Download
memory/2728-46-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/2728-45-0x0000000006FE0000-0x0000000007024000-memory.dmp

Filesize
272KB

Download
memory/2728-44-0x0000000006670000-0x000000000670C000-memory.dmp

Filesize
624KB

Download
memory/2728-40-0x0000000000400000-0x0000000001F60000-memory.dmp

Filesize
27.4MB

Download
memory/2728-43-0x00000000065B0000-0x0000000006642000-memory.dmp

Filesize
584KB

Download
memory/4376-14-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-15-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-22-0x00007FFF7B840000-0x00007FFF7B850000-memory.dmp

Filesize
64KB

Download
memory/4376-8-0x00007FFF7DB70000-0x00007FFF7DB80000-memory.dmp

Filesize
64KB

Download
memory/4376-7-0x00007FFF7DB70000-0x00007FFF7DB80000-memory.dmp

Filesize
64KB

Download
memory/4376-5-0x00007FFF7DB70000-0x00007FFF7DB80000-memory.dmp

Filesize
64KB

Download
memory/4376-9-0x00007FFFBDB8D000-0x00007FFFBDB8E000-memory.dmp

Filesize
4KB

Download
memory/4376-20-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-11-0x00007FFF7DB70000-0x00007FFF7DB80000-memory.dmp

Filesize
64KB

Download
memory/4376-19-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-18-0x00007FFF7B840000-0x00007FFF7B850000-memory.dmp

Filesize
64KB

Download
memory/4376-16-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-17-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-21-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-12-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-6-0x00007FFF7DB70000-0x00007FFF7DB80000-memory.dmp

Filesize
64KB

Download
memory/4376-533-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-13-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-10-0x00007FFFBDAF0000-0x00007FFFBDCE5000-memory.dmp

Filesize
2.0MB

Download
memory/6124-541-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/6124-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/6124-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/6124-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/6124-544-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/6124-538-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download