darkvision | 74e66581cda6b55f9dbfcfe260faec1dad8a38d9fa0c5c2f45e64d16e6a11d4e

General

Target

fortnite.exe
Size

1.4MB
MD5

5999098b0f0e4e25e826092a7f1e7598
SHA1

76f8454429e4a59e4b7361415a6d62e08207577e
SHA256

74e66581cda6b55f9dbfcfe260faec1dad8a38d9fa0c5c2f45e64d16e6a11d4e
SHA512

7d43edd26d68f5f51478a6e8f75652bf15a9704c89f4d70c6115c51989c9e60a726124c4ddabd5a95917a537b066a0d6ecef3b737492706e82e5493a63ce36c1
SSDEEP

24576:PW0EbEOAkR+9yJgoHqWnKwVIL4I9fGzPvW4C30Wemex2ze+9S:PW0kTdnn9RP

Score

10^/10

darkvision defense_evasion execution rat

Malware Config

Extracted

Family

darkvision

C2

154.216.17.115

https://rentry.co/razorrat/rawYDHXBF8ZTF

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1056	OperationEnigma4.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	fortnite.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2164	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2328	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2056	2344	fortnite.exe	31
PID 2344 wrote to memory of 2056	2344	fortnite.exe	31
PID 2344 wrote to memory of 2056	2344	fortnite.exe	31
PID 2344 wrote to memory of 2164	2344	fortnite.exe	32
PID 2344 wrote to memory of 2164	2344	fortnite.exe	32
PID 2344 wrote to memory of 2164	2344	fortnite.exe	32
PID 2164 wrote to memory of 1956	2164	cmd.exe	33
PID 2164 wrote to memory of 1956	2164	cmd.exe	33
PID 2164 wrote to memory of 1956	2164	cmd.exe	33
PID 2344 wrote to memory of 2156	2344	fortnite.exe	34
PID 2344 wrote to memory of 2156	2344	fortnite.exe	34
PID 2344 wrote to memory of 2156	2344	fortnite.exe	34
PID 2156 wrote to memory of 2328	2156	cmd.exe	35
PID 2156 wrote to memory of 2328	2156	cmd.exe	35
PID 2156 wrote to memory of 2328	2156	cmd.exe	35
PID 2344 wrote to memory of 2760	2344	fortnite.exe	36
PID 2344 wrote to memory of 2760	2344	fortnite.exe	36
PID 2344 wrote to memory of 2760	2344	fortnite.exe	36
PID 2760 wrote to memory of 3052	2760	cmd.exe	37
PID 2760 wrote to memory of 3052	2760	cmd.exe	37
PID 2760 wrote to memory of 3052	2760	cmd.exe	37
PID 2344 wrote to memory of 1056	2344	fortnite.exe	38
PID 2344 wrote to memory of 1056	2344	fortnite.exe	38
PID 2344 wrote to memory of 1056	2344	fortnite.exe	38
PID 2344 wrote to memory of 2704	2344	fortnite.exe	40
PID 2344 wrote to memory of 2704	2344	fortnite.exe	40
PID 2344 wrote to memory of 2704	2344	fortnite.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\ProgramData\Microsoft\WindowsApps"
    3⤵
    - Views/modifies file attributes
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionExtension 'exe'" >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension 'exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3052
- C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe
  "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 3
  2⤵
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe

Filesize
443KB

MD5
6edcc30095aaa8bad21c5e0a1a92aa9c

SHA1
ac4dc007d65625f55579b16893a0b490e5c6f48a

SHA256
ba3cc8d5120e54c6c8dd15143cddf6b2040e83704caad04373b05ea5fa9a9179

SHA512
06ec237b2ad8002740f104c04213c03c101cc8a4587527135bdb87ca488fac542250209af96cc348d2196a7b3fabe51a035e52c9401000f486e6a6a9c07c46bd

Download Submit
memory/2328-5-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-6-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2328-9-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-10-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2328-11-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-12-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-13-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-0-0x0000000001B30000-0x0000000001BAB000-memory.dmp

Filesize
492KB

Download
memory/2344-19-0x0000000001B30000-0x0000000001BAB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads