darktrack | 7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605

General

Target

7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
Size

2.1MB
MD5

d92740f07a25bb928abae9abe140169a
SHA1

c20671175e034bb2ac977ef1390d9bc7d3ea0d28
SHA256

7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605
SHA512

40036a391331bf9ee343aa96a4cd4f22598b2a7533440f8182ebfafcdc9d051f0def7d840800689490eac5d39b5fa20178dc7f870dddc4274f9a7c5bc817a9c5
SSDEEP

49152:DDcifOR181OrAdiiAojFrHLsPazEzHEOtkwTfljaRRsjHyTpo3U:D/8WO8diiXBrHL2a8HnTNjarsjHQv

Score

10^/10

darktrack discovery rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 1 IoCs

resource	yara_rule
behavioral1/memory/2640-35-0x0000000000400000-0x00000000024B3000-memory.dmp	family_darktrack

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverBooster32.lnk	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	vvp_huilo.exe

Loads dropped DLL 3 IoCs

pid	Process
1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvp_huilo.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1616	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	vvp_huilo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1616	WINWORD.EXE
1616	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1616	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	30
PID 1624 wrote to memory of 1616	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	30
PID 1624 wrote to memory of 1616	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	30
PID 1624 wrote to memory of 1616	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	30
PID 1624 wrote to memory of 2640	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	31
PID 1624 wrote to memory of 2640	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	31
PID 1624 wrote to memory of 2640	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	31
PID 1624 wrote to memory of 2640	1624	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	31
PID 1616 wrote to memory of 2816	1616	WINWORD.EXE	33
PID 1616 wrote to memory of 2816	1616	WINWORD.EXE	33
PID 1616 wrote to memory of 2816	1616	WINWORD.EXE	33
PID 1616 wrote to memory of 2816	1616	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
"C:\Users\Admin\AppData\Local\Temp\7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Copy_trydovoj.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2816
- C:\Users\Admin\AppData\Roaming\vvp_huilo.exe
  C:\Users\Admin\AppData\Roaming\vvp_huilo.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Copy_trydovoj.docx

Filesize
1.5MB

MD5
789497a9ff0bd7df99aa662f512c6856

SHA1
f69cec1046f8e59983fd8cfcae867926495fadd6

SHA256
8646226f4b2b2b96d5e31d4daae0ac5484edc2a7759297e0f63a06358ea61a38

SHA512
71442dec98b3ec16f94ec07380087370c72a48532398f893a9324081f7560f7c620b549770b97356fe5400f6ef7e4935b6339d477298be13966c06f1f5065205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
379B

MD5
a7686a91fbf425dc6df3d48c546c40d4

SHA1
3b97e834277ca99080a6c6e78e66735513a53546

SHA256
800f3f2f70f6ec3225ab134f49c0778b02e502b46951223248b2e8fcc52b17a3

SHA512
f87571ecdb0ab81eb312a9e419231aace0bfddc2e1d2cd71ca9e4e8a21c39b4867b2360be2329521fcbf48b556446bed672cdab90df95a7105e076737237f4bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
4a9db58fe9e527922ed1cea2b207749b

SHA1
a75e3ab52e3be600d0e0ddd2b32d18b510f0b689

SHA256
275d1f15fc34df041c34ae1e9c0c3386e200986346b0e91eb9066e0dafcde61e

SHA512
42c55b206a77c84e7850ebc2b4f37d0dbb6c67740dd0e463459c9b816c57751d54b89097960cabceb3b803886bb9a0c1c23cf243095bed4c152cc270dc0ac8a4

Download Submit
\Users\Admin\AppData\Roaming\vvp_huilo.exe

Filesize
623KB

MD5
2d3d077b9f62618ab75ee6dac00c7b25

SHA1
85ec19ebb93bbc417694b9631bcfc0c11fd8c704

SHA256
b4564c85bf766afd5067294158521bbc92488041b1b7c363ee93420b463f7037

SHA512
3d58debf4f798f619e53ed64e5c937f392759d34fcaf4e5d74dcdbccece026fbe0ad80d2386d54767a08b78e877bfaa4cdae79ec201763a41c1d07ed96c2301d

Download Submit
memory/1616-2-0x000000002F231000-0x000000002F232000-memory.dmp

Filesize
4KB

Download
memory/1616-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1616-4-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1616-37-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1616-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1616-65-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/2640-35-0x0000000000400000-0x00000000024B3000-memory.dmp

Filesize
32.7MB

Download

Analysis

Sharing