darktrack | 7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605

General

Target

7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
Size

2.1MB
MD5

d92740f07a25bb928abae9abe140169a
SHA1

c20671175e034bb2ac977ef1390d9bc7d3ea0d28
SHA256

7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605
SHA512

40036a391331bf9ee343aa96a4cd4f22598b2a7533440f8182ebfafcdc9d051f0def7d840800689490eac5d39b5fa20178dc7f870dddc4274f9a7c5bc817a9c5
SSDEEP

49152:DDcifOR181OrAdiiAojFrHLsPazEzHEOtkwTfljaRRsjHyTpo3U:D/8WO8diiXBrHL2a8HnTNjarsjHQv

Score

10^/10

darktrack discovery rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 1 IoCs

resource	yara_rule
behavioral2/memory/460-74-0x0000000000400000-0x00000000024B3000-memory.dmp	family_darktrack

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverBooster32.lnk	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe

Executes dropped EXE 1 IoCs

pid	Process
460	vvp_huilo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
744	460	WerFault.exe	94
376	460	WerFault.exe	94
1312	460	WerFault.exe	94
4568	460	WerFault.exe	94
3684	460	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvp_huilo.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2816	WINWORD.EXE
2816	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
460	vvp_huilo.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2816	1756	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	93
PID 1756 wrote to memory of 2816	1756	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	93
PID 1756 wrote to memory of 460	1756	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	94
PID 1756 wrote to memory of 460	1756	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	94
PID 1756 wrote to memory of 460	1756	7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe	94

C:\Users\Admin\AppData\Local\Temp\7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe
"C:\Users\Admin\AppData\Local\Temp\7e1c4d02e4dc294be0ffff2ebccbc4975713bc14984a904a0acf657ff422d605.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Copy_trydovoj.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Users\Admin\AppData\Roaming\vvp_huilo.exe
  C:\Users\Admin\AppData\Roaming\vvp_huilo.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 660
    3⤵
    - Program crash
    PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 680
    3⤵
    - Program crash
    PID:376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 696
    3⤵
    - Program crash
    PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 700
    3⤵
    - Program crash
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 708
    3⤵
    - Program crash
    PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 460 -ip 460
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 460 -ip 460
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 460 -ip 460
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 460 -ip 460
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 460 -ip 460
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD1D12.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Copy_trydovoj.docx

Filesize
1.5MB

MD5
789497a9ff0bd7df99aa662f512c6856

SHA1
f69cec1046f8e59983fd8cfcae867926495fadd6

SHA256
8646226f4b2b2b96d5e31d4daae0ac5484edc2a7759297e0f63a06358ea61a38

SHA512
71442dec98b3ec16f94ec07380087370c72a48532398f893a9324081f7560f7c620b549770b97356fe5400f6ef7e4935b6339d477298be13966c06f1f5065205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
327B

MD5
8d1c5a7621b549ba1706038a907f4cef

SHA1
a9256af7fb64ed74de96f28ba5f178adff931299

SHA256
4751b13781b309dd262ffa0db04b5f99e279c7c0127c99642b41631a221b16c6

SHA512
c3d7befff614f6b358011bd5112d79e6fd837586b09b2fb6ab54505c5a4168e4b4c85743817953c53131e0614d60de54007e2385920cec5db42d22984f418e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
680B

MD5
958aad8cf5b863976196a04f4b133011

SHA1
76b11e2e22f07a014255e7af1ecfd86473b31fd9

SHA256
0bc68693cffda52575815023fc86998f321691eda3f8e71eb7f9c7e62587f448

SHA512
1084d8c6a5000dddade90af5b0271a5fc0b62f3b6598e10c6f02a9e293f503ae4f783d538c3bcaeabfa3c81cad8742cc6a6ee6c11620107fffda605298ba4d79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
5782f30669e6d261cb081e3972808845

SHA1
7347df005b4724ded686cc0dcd32c26e37dad99d

SHA256
4258aca105b4dfee40ba4bebecca181b77bb91f2efe2ea39f82469d381d8cedf

SHA512
e43441f0c4a76af09251a7a3d01486f5167706047757efdfe3831fddba87ddecc194647b646c79519a7f9ee8b1b0782b7a1a30b6a528798dc913122246135352

Download Submit
C:\Users\Admin\AppData\Roaming\vvp_huilo.exe

Filesize
623KB

MD5
2d3d077b9f62618ab75ee6dac00c7b25

SHA1
85ec19ebb93bbc417694b9631bcfc0c11fd8c704

SHA256
b4564c85bf766afd5067294158521bbc92488041b1b7c363ee93420b463f7037

SHA512
3d58debf4f798f619e53ed64e5c937f392759d34fcaf4e5d74dcdbccece026fbe0ad80d2386d54767a08b78e877bfaa4cdae79ec201763a41c1d07ed96c2301d

Download Submit
memory/460-74-0x0000000000400000-0x00000000024B3000-memory.dmp

Filesize
32.7MB

Download
memory/2816-16-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-15-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-17-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-19-0x00007FFD51DD0000-0x00007FFD51DE0000-memory.dmp

Filesize
64KB

Download
memory/2816-14-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-21-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-22-0x00007FFD51DD0000-0x00007FFD51DE0000-memory.dmp

Filesize
64KB

Download
memory/2816-20-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-12-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-11-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-5-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-18-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-13-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-10-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-8-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-9-0x00007FFD9438D000-0x00007FFD9438E000-memory.dmp

Filesize
4KB

Download
memory/2816-6-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-7-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-193-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-224-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-225-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-228-0x00007FFD942F0000-0x00007FFD944E5000-memory.dmp

Filesize
2.0MB

Download
memory/2816-226-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download
memory/2816-227-0x00007FFD54370000-0x00007FFD54380000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads