darkvision | d9d68a7e91ad17c3db6dd4f00b4ff9a27cc27e3da41f694f444b9514eda3072f

General

Target

fortnite.exe
Size

1.4MB
MD5

7f9573605fc3b7c5a13a4b09118c77e5
SHA1

2541aebb664df60b014a2093232cfd4994a9130c
SHA256

d9d68a7e91ad17c3db6dd4f00b4ff9a27cc27e3da41f694f444b9514eda3072f
SHA512

fce7e4fef0018a50ab7d306571d41bc8f25e6ba55edf6401b82192c25b25e6f9c39002347e5d92dc40c42bf534fb7c13ab7d53c0696ffadaeea82e9618231be1
SSDEEP

24576:HFe/U3CReTrOmfrD10xs76dJKnCjkIL4I9fGzPvW4C30Wemex2ze+9S4:HFeVROf31es7KcnD9RP

Score

10^/10

darkvision defense_evasion execution rat

Malware Config

Extracted

Family

darkvision

C2

154.216.17.115

https://rentry.co/razorrat/rawYDHXBF8ZTF

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	OperationEnigma4.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	fortnite.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2920	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2228	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3036	2052	fortnite.exe	30
PID 2052 wrote to memory of 3036	2052	fortnite.exe	30
PID 2052 wrote to memory of 3036	2052	fortnite.exe	30
PID 2052 wrote to memory of 2920	2052	fortnite.exe	31
PID 2052 wrote to memory of 2920	2052	fortnite.exe	31
PID 2052 wrote to memory of 2920	2052	fortnite.exe	31
PID 2920 wrote to memory of 2256	2920	cmd.exe	32
PID 2920 wrote to memory of 2256	2920	cmd.exe	32
PID 2920 wrote to memory of 2256	2920	cmd.exe	32
PID 2052 wrote to memory of 2484	2052	fortnite.exe	33
PID 2052 wrote to memory of 2484	2052	fortnite.exe	33
PID 2052 wrote to memory of 2484	2052	fortnite.exe	33
PID 2484 wrote to memory of 2228	2484	cmd.exe	34
PID 2484 wrote to memory of 2228	2484	cmd.exe	34
PID 2484 wrote to memory of 2228	2484	cmd.exe	34
PID 2052 wrote to memory of 2864	2052	fortnite.exe	35
PID 2052 wrote to memory of 2864	2052	fortnite.exe	35
PID 2052 wrote to memory of 2864	2052	fortnite.exe	35
PID 2864 wrote to memory of 2868	2864	cmd.exe	36
PID 2864 wrote to memory of 2868	2864	cmd.exe	36
PID 2864 wrote to memory of 2868	2864	cmd.exe	36
PID 2052 wrote to memory of 2824	2052	fortnite.exe	37
PID 2052 wrote to memory of 2824	2052	fortnite.exe	37
PID 2052 wrote to memory of 2824	2052	fortnite.exe	37
PID 2052 wrote to memory of 2828	2052	fortnite.exe	38
PID 2052 wrote to memory of 2828	2052	fortnite.exe	38
PID 2052 wrote to memory of 2828	2052	fortnite.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2256	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\ProgramData\Microsoft\WindowsApps"
    3⤵
    - Views/modifies file attributes
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionExtension 'exe'" >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension 'exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe
  "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 3
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe

Filesize
443KB

MD5
6edcc30095aaa8bad21c5e0a1a92aa9c

SHA1
ac4dc007d65625f55579b16893a0b490e5c6f48a

SHA256
ba3cc8d5120e54c6c8dd15143cddf6b2040e83704caad04373b05ea5fa9a9179

SHA512
06ec237b2ad8002740f104c04213c03c101cc8a4587527135bdb87ca488fac542250209af96cc348d2196a7b3fabe51a035e52c9401000f486e6a6a9c07c46bd

Download Submit
memory/2052-0-0x00000000001F0000-0x000000000026B000-memory.dmp

Filesize
492KB

Download
memory/2052-17-0x00000000001F0000-0x000000000026B000-memory.dmp

Filesize
492KB

Download
memory/2228-5-0x000007FEF5CBE000-0x000007FEF5CBF000-memory.dmp

Filesize
4KB

Download
memory/2228-6-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-7-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2228-8-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2228-9-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-10-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-11-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads