5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

General

Target

tmp.exe
Size

405KB
MD5

bc166afb1c67a81b51b3b0bcf2b8d927
SHA1

786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca
SHA256

5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3
SHA512

9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

darkvision64bit

pid process

964 darkvision64bit

pid	process
964	darkvision64bit

Drops startup file 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk	explorer.exe

Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

1492 tmp.exe

pid	process
1492	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

darkvision64bit

description	pid	process	target process
PID 964 set thread context of 908	964	darkvision64bit	svchost.exe
PID 964 set thread context of 2000	964	darkvision64bit	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tmp.exedarkvision64bitsvchost.exeexplorer.exe

pid process

1492 tmp.exe
1492 tmp.exe
964 darkvision64bit
964 darkvision64bit
908 svchost.exe
908 svchost.exe
2000 explorer.exe
2000 explorer.exe

pid	process
1492	tmp.exe
1492	tmp.exe
964	darkvision64bit
964	darkvision64bit
908	svchost.exe
908	svchost.exe
2000	explorer.exe
2000	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exedarkvision64bitsvchost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1492	tmp.exe
Token: SeDebugPrivilege	964	darkvision64bit
Token: SeDebugPrivilege	908	svchost.exe
Token: SeDebugPrivilege	2000	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exedarkvision64bit

description	pid	process	target process
PID 1492 wrote to memory of 964	1492	tmp.exe	darkvision64bit
PID 1492 wrote to memory of 964	1492	tmp.exe	darkvision64bit
PID 1492 wrote to memory of 964	1492	tmp.exe	darkvision64bit
PID 964 wrote to memory of 908	964	darkvision64bit	svchost.exe
PID 964 wrote to memory of 908	964	darkvision64bit	svchost.exe
PID 964 wrote to memory of 908	964	darkvision64bit	svchost.exe
PID 964 wrote to memory of 908	964	darkvision64bit	svchost.exe
PID 964 wrote to memory of 908	964	darkvision64bit	svchost.exe
PID 964 wrote to memory of 2000	964	darkvision64bit	explorer.exe
PID 964 wrote to memory of 2000	964	darkvision64bit	explorer.exe
PID 964 wrote to memory of 2000	964	darkvision64bit	explorer.exe
PID 964 wrote to memory of 2000	964	darkvision64bit	explorer.exe
PID 964 wrote to memory of 2000	964	darkvision64bit	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\ProgramData\DV 32\darkvision64bit
"C:\ProgramData\DV 32\darkvision64bit" {558A11E4-5BD3-44F2-8581-3B234A900A45}
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DV 32\darkvision64bit
Filesize
405KB

MD5
bc166afb1c67a81b51b3b0bcf2b8d927

SHA1
786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca

SHA256
5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

SHA512
9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Download Submit
C:\ProgramData\DV 32\darkvision64bit
Filesize
405KB

MD5
bc166afb1c67a81b51b3b0bcf2b8d927

SHA1
786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca

SHA256
5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

SHA512
9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Download Submit
C:\ProgramData\{F3D11672-4E32-4671-A54F-2D401CA46BDC}\{2A6266D1-EB14-48FF-AC1F-6EB5C87859D3}.bat
Filesize
64B

MD5
804a35dd56ff48834882fc9011607831

SHA1
65142c61ca752a2f2e3a2c66fb72d32ae34ab022

SHA256
8c50588d0ef4c3162dd876b5d98cb8894c8d7d8a916a9859bdeb79bde837eb20

SHA512
ce09ee3ec7b3ae7e09fc7e1d122fb5f7abc593d3e0e0e8dea5f1939f27e745aa8bc0368ed9e0fa22e0cb9b9bf8a4682b5b4197758a34c8f343df2a8d12ccf04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E375B09-F045-4583-ADCC-C2F36B60DE32}
Filesize
288KB

MD5
b021e90ffa8f7202975794f2f04508ad

SHA1
094d3ff2c5f5749692b63d20327e6aa45e5190d7

SHA256
fecd7f1fa01af9a650a962695b89b4e8942a9d9bc513c147d501edbeacf62161

SHA512
c10d7740b8413e513cc436e5a6815ed42786401703fd8aa66d768c53890343994e038a4cce0f113ef33de2e9ed29b455e4040268f046397f114e60936c197b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E375B09-F045-4583-ADCC-C2F36B60DE32}
Filesize
288KB

MD5
b021e90ffa8f7202975794f2f04508ad

SHA1
094d3ff2c5f5749692b63d20327e6aa45e5190d7

SHA256
fecd7f1fa01af9a650a962695b89b4e8942a9d9bc513c147d501edbeacf62161

SHA512
c10d7740b8413e513cc436e5a6815ed42786401703fd8aa66d768c53890343994e038a4cce0f113ef33de2e9ed29b455e4040268f046397f114e60936c197b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\DV 32\darkvision64bit
Filesize
405KB

MD5
bc166afb1c67a81b51b3b0bcf2b8d927

SHA1
786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca

SHA256
5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

SHA512
9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Download Submit
memory/908-58-0x0000000000060000-0x00000000000A1000-memory.dmp

Filesize
260KB

Download
memory/908-63-0x0000000000060000-mapping.dmp

Download
memory/908-65-0x0000000000160000-0x00000000001B0000-memory.dmp

Filesize
320KB

Download
memory/908-61-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/908-88-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download
memory/908-60-0x0000000000060000-0x00000000000A1000-memory.dmp

Filesize
260KB

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/2000-78-0x0000000000060000-mapping.dmp

Download
memory/2000-80-0x0000000001B90000-0x0000000001BE0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads