Analysis

  • max time kernel
    37s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 23:28

General

  • Target

    DarkNight.exe

  • Size

    3.9MB

  • MD5

    d396e70e3da1b5c0c8414a524971b83e

  • SHA1

    928fcd454a00ec2141fa0b1966ae509235c4c6c7

  • SHA256

    b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121

  • SHA512

    dd66a02df8456876b89fc913d4e0e3c60324cb4adb4dd4c3a39babf0a70a6f4f10eb9d610a6aa86576746e5d9e458c85fbc320b708949a164c43588c9aaf9d4b

  • SSDEEP

    98304:8O6Dchp3YEtEbfY514GcOIjRy9NcrMcLAAW8bapEUyB3pm1:8OakRObogOdDcNL08ILyu

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DarkNight.exe
    "C:\Users\Admin\AppData\Local\Temp\DarkNight.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Users\Admin\AppData\Local\Temp\DarkNight.exe
      C:\Users\Admin\AppData\Local\Temp\DarkNight.exe
      2⤵
        PID:2640
      • C:\Windows\SysWOW64\CMD.exe
        "CMD.exe" /C WMIC COMPUTERSYSTEM GET MODEL
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC COMPUTERSYSTEM GET MODEL
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2836
      • C:\Windows\SysWOW64\CMD.exe
        "CMD.exe" /C WMIC BIOS GET VERSION
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC BIOS GET VERSION
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2784-0-0x0000000000C30000-0x00000000015D2000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-1-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-2-0x0000000076AB0000-0x0000000076AF7000-memory.dmp

      Filesize

      284KB

    • memory/2784-3-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-5-0x0000000076AB0000-0x0000000076AF7000-memory.dmp

      Filesize

      284KB

    • memory/2784-8-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-9-0x0000000076AB0000-0x0000000076AF7000-memory.dmp

      Filesize

      284KB

    • memory/2784-10-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-11-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-12-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-13-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-14-0x0000000076AB0000-0x0000000076AF7000-memory.dmp

      Filesize

      284KB

    • memory/2784-15-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-16-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-17-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-18-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-19-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-20-0x0000000000C30000-0x00000000015D2000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-21-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-22-0x0000000000C30000-0x00000000015D2000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-23-0x00000000741A0000-0x000000007488E000-memory.dmp

      Filesize

      6.9MB

    • memory/2784-24-0x00000000008F0000-0x00000000008FE000-memory.dmp

      Filesize

      56KB

    • memory/2784-25-0x00000000053E0000-0x0000000005D82000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-26-0x00000000055A0000-0x00000000055E0000-memory.dmp

      Filesize

      256KB

    • memory/2784-27-0x00000000055A0000-0x00000000055E0000-memory.dmp

      Filesize

      256KB

    • memory/2784-29-0x0000000000C30000-0x00000000015D2000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-30-0x0000000076000000-0x0000000076110000-memory.dmp

      Filesize

      1.1MB

    • memory/2784-31-0x0000000076AB0000-0x0000000076AF7000-memory.dmp

      Filesize

      284KB

    • memory/2784-32-0x00000000741A0000-0x000000007488E000-memory.dmp

      Filesize

      6.9MB

    • memory/2784-33-0x00000000053E0000-0x000000000543F000-memory.dmp

      Filesize

      380KB