Overview

overview

10

Static

static

10

server.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11-07-2024 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    server.exe

  • Size

    627KB

  • MD5

    bfbbcd28f5f93cf9b43032bd364d69c7

  • SHA1

    5198e509f84f47ac62de6e80e8a689e100df38b2

  • SHA256

    ffbeb64fb4709eb1472662f0d2c4b23ce554f082feb949d6812927abcfcd4d93

  • SHA512

    56067ad478636124396eecc7104aeda86455e906e796f8af514be1aa67b0c01121794c76c2ff35a5edbb028e08bb0db1f9764a249a863a20b9da5cce84604992

  • SSDEEP

    12288:lOqvQomCg4G6q90tmPvj+GU/ttJuqwh3EQiXRUVZs4ixsiNhkApRaw/:xoovgbAKvBgtJuqwh3EQihUb1ifNhT

Score
10/10
darktrackratstealer

Malware Config

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in delphi.

    ratstealerdarktrack
  • DarkTrack payload 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:96
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WatchStart.jpeg" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5116
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      2B

      MD5

      d751713988987e9331980363e24189ce

      SHA1

      97d170e1550eee4afc0af065b78cda302a97674c

      SHA256

      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

      SHA512

      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      233B

      MD5

      82a60702778c0e72c6310400c2169a79

      SHA1

      e6c02dd897b55593a7c94345563e8c661d5fbdeb

      SHA256

      e482d9b95bcf12c11c13ff2ef8bbf2f8985ef8d94c4a78119e3dd0007c746598

      SHA512

      65e2baec7839237fb1d58db1fa7efd21d8a4617d8b6eb48b33422251bad54471f462be3826a2b419892450857d89ebda8d89f4389ddd42e7d4d86ef8813d6e14

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
      Filesize

      2KB

      MD5

      404a3ec24e3ebf45be65e77f75990825

      SHA1

      1e05647cf0a74cedfdeabfa3e8ee33b919780a61

      SHA256

      cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

      SHA512

      a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

      Download Submit

    • memory/96-0-0x00000000004A0000-0x00000000004A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/412-87-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

      Download