5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

General

Target

tmp.exe
Size

405KB
MD5

bc166afb1c67a81b51b3b0bcf2b8d927
SHA1

786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca
SHA256

5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3
SHA512

9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

darkvision64bit

pid process

2188 darkvision64bit

pid	process
2188	darkvision64bit

Drops startup file 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

darkvision64bit

description	pid	process	target process
PID 2188 set thread context of 4696	2188	darkvision64bit	svchost.exe
PID 2188 set thread context of 3176	2188	darkvision64bit	explorer.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exedarkvision64bitsvchost.exeexplorer.exe

pid	process
4264	tmp.exe
4264	tmp.exe
4264	tmp.exe
4264	tmp.exe
2188	darkvision64bit
2188	darkvision64bit
2188	darkvision64bit
2188	darkvision64bit
4696	svchost.exe
4696	svchost.exe
4696	svchost.exe
4696	svchost.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exedarkvision64bitsvchost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4264	tmp.exe
Token: SeDebugPrivilege	2188	darkvision64bit
Token: SeDebugPrivilege	4696	svchost.exe
Token: SeDebugPrivilege	3176	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

tmp.exedarkvision64bit

description	pid	process	target process
PID 4264 wrote to memory of 2188	4264	tmp.exe	darkvision64bit
PID 4264 wrote to memory of 2188	4264	tmp.exe	darkvision64bit
PID 2188 wrote to memory of 4696	2188	darkvision64bit	svchost.exe
PID 2188 wrote to memory of 4696	2188	darkvision64bit	svchost.exe
PID 2188 wrote to memory of 4696	2188	darkvision64bit	svchost.exe
PID 2188 wrote to memory of 4696	2188	darkvision64bit	svchost.exe
PID 2188 wrote to memory of 3176	2188	darkvision64bit	explorer.exe
PID 2188 wrote to memory of 3176	2188	darkvision64bit	explorer.exe
PID 2188 wrote to memory of 3176	2188	darkvision64bit	explorer.exe
PID 2188 wrote to memory of 3176	2188	darkvision64bit	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\ProgramData\DV 32\darkvision64bit
"C:\ProgramData\DV 32\darkvision64bit" {558A11E4-5BD3-44F2-8581-3B234A900A45}
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DV 32\darkvision64bit
Filesize
405KB

MD5
bc166afb1c67a81b51b3b0bcf2b8d927

SHA1
786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca

SHA256
5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

SHA512
9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Download Submit
C:\ProgramData\DV 32\darkvision64bit
Filesize
405KB

MD5
bc166afb1c67a81b51b3b0bcf2b8d927

SHA1
786a7d3c28ea5cb5a9ba0955b072a553ef7fb3ca

SHA256
5247fcbf0745007134df81227f6bcf5c6e5195f6d211ad6b8684537f1d3566f3

SHA512
9744fd31ee649e63aecfe6822db34adc95ad1a909e81c9067b66bae0fbb2220fa203d130dd823d6c5a234cd1876ad1ebc73286189e4c5c6e7b07778c8def7f99

Download Submit
C:\ProgramData\{F3D11672-4E32-4671-A54F-2D401CA46BDC}\{2A6266D1-EB14-48FF-AC1F-6EB5C87859D3}.bat
Filesize
64B

MD5
804a35dd56ff48834882fc9011607831

SHA1
65142c61ca752a2f2e3a2c66fb72d32ae34ab022

SHA256
8c50588d0ef4c3162dd876b5d98cb8894c8d7d8a916a9859bdeb79bde837eb20

SHA512
ce09ee3ec7b3ae7e09fc7e1d122fb5f7abc593d3e0e0e8dea5f1939f27e745aa8bc0368ed9e0fa22e0cb9b9bf8a4682b5b4197758a34c8f343df2a8d12ccf04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E375B09-F045-4583-ADCC-C2F36B60DE32}
Filesize
288KB

MD5
b021e90ffa8f7202975794f2f04508ad

SHA1
094d3ff2c5f5749692b63d20327e6aa45e5190d7

SHA256
fecd7f1fa01af9a650a962695b89b4e8942a9d9bc513c147d501edbeacf62161

SHA512
c10d7740b8413e513cc436e5a6815ed42786401703fd8aa66d768c53890343994e038a4cce0f113ef33de2e9ed29b455e4040268f046397f114e60936c197b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E375B09-F045-4583-ADCC-C2F36B60DE32}
Filesize
288KB

MD5
b021e90ffa8f7202975794f2f04508ad

SHA1
094d3ff2c5f5749692b63d20327e6aa45e5190d7

SHA256
fecd7f1fa01af9a650a962695b89b4e8942a9d9bc513c147d501edbeacf62161

SHA512
c10d7740b8413e513cc436e5a6815ed42786401703fd8aa66d768c53890343994e038a4cce0f113ef33de2e9ed29b455e4040268f046397f114e60936c197b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{91ACE12E-77F4-4777-AA04-A36D1AC6100C}.lnk
Filesize
1KB

MD5
09d1a95d26e1f6e35e3b5ce77e04d766

SHA1
aa3a659e9bdf900c6e1e5f0a0753bbd5e9e4cee0

SHA256
6a2136f83d15d03e063e1b82ee34ed0d0ec735abb75286314dd49886657e5b7a

SHA512
326acdfc00f0357a17e233bbf17e84052d667c7ee46f4628e4bd6f0e28476f6c6150ffc312df191a6c2d30a4744b285258f089a5576adc77bb9d148b85be8e2f

Download Submit
memory/2188-130-0x0000000000000000-mapping.dmp

Download
memory/3176-149-0x0000000000600000-mapping.dmp

Download
memory/3176-151-0x0000000002160000-0x00000000021B0000-memory.dmp

Filesize
320KB

Download
memory/4696-136-0x0000018A22ED0000-mapping.dmp

Download
memory/4696-134-0x0000018A22F20000-0x0000018A22F22000-memory.dmp

Filesize
8KB

Download
memory/4696-138-0x0000018A22F80000-0x0000018A22FD0000-memory.dmp

Filesize
320KB

Download
memory/4696-133-0x0000018A22ED0000-0x0000018A22F11000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads