Analysis
- max time kernel: 37s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-04-2024 23:28
Behavioral task: behavioral1
- Sample: DarkNight.exe
- Resource: win7-20240221-en
General
- Target: DarkNight.exe
- Size: 3.9MB
- MD5: d396e70e3da1b5c0c8414a524971b83e
- SHA1: 928fcd454a00ec2141fa0b1966ae509235c4c6c7
- SHA256: b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121
- SHA512: dd66a02df8456876b89fc913d4e0e3c60324cb4adb4dd4c3a39babf0a70a6f4f10eb9d610a6aa86576746e5d9e458c85fbc320b708949a164c43588c9aaf9d4b
- SSDEEP: 98304:8O6Dchp3YEtEbfY514GcOIjRy9NcrMcLAAW8bapEUyB3pm1:8OakRObogOdDcNL08ILyu
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (DarkNight.exe)

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (DarkNight.exe)

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (DarkNight.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (DarkNight.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (DarkNight.exe)
Processes (YARA rule matches in memory):
- behavioral1/memory/2784-20-0x0000000000C30000-0x00000000015D2000-memory.dmp: themida
- behavioral1/memory/2784-22-0x0000000000C30000-0x00000000015D2000-memory.dmp: themida
- behavioral1/memory/2784-29-0x0000000000C30000-0x00000000015D2000-memory.dmp: themida
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DarkNight.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: wtfismyip.com
- flow 5: wtfismyip.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (DarkNight.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (DarkNight.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- PID 2784: DarkNight.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (30 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\DarkNight.exe (PID 2784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DarkNight.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\DarkNight.exe (PID 2640)
    Command line: C:\Users\Admin\AppData\Local\Temp\DarkNight.exe
  - C:\Windows\SysWOW64\CMD.exe (PID 2576)
    Command line: "CMD.exe" /C WMIC COMPUTERSYSTEM GET MODEL
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2836)
      Command line: WMIC COMPUTERSYSTEM GET MODEL
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\CMD.exe (PID 2372)
    Command line: "CMD.exe" /C WMIC BIOS GET VERSION
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2488)
      Command line: WMIC BIOS GET VERSION
      Signatures:
      - Suspicious use of AdjustPrivilegeToken