darkvision | 93a61c234e788db0e457a4200650cb65eae29963b53e718842857627be362f89

General

Target

CraxsR76.bat
Size

769KB
MD5

a65ffe9a5a2c4d89bad9b84de0f7ce07
SHA1

001154c78285312645a1e27f961b588c717f87e7
SHA256

5299e8eb13c074c3193ee0e8c1586747687964c0944081fc25784e006353ea85
SHA512

655e9e14f5f0fdeac469b1772f28aec8be5458d9b68b7667a23c18c84a04366a6239154ffaaafb2120261000219ea50003ac6946cbdf2775fee8997e7d13cc9f
SSDEEP

12288:fIwxBr74Qz56RqQdgN+p1gZVpqFprjL9R85QLFZIiK:V98661gmCv8L785Q5K

Score

10^/10

darkvision defense_evasion discovery execution persistence rat

Malware Config

Extracted

Family

darkvision

C2

91.92.241.132

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3744	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{2F02CBCC-E614-41F3-A3BF-71EA7386B896}.lnk	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
6008	z88m1jq3dq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\Users\\Admin\\AppData\\Roaming\\wdir\\X5R.exe {9BE0A78E-D296-44BB-AB0C-D66D2FE615FE}"	explorer.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
4468	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z88m1jq3dq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3744	powershell.exe
3744	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
6008	z88m1jq3dq.exe
6008	z88m1jq3dq.exe
6008	z88m1jq3dq.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe
Token: SeLoadDriverPrivilege	3744	powershell.exe
Token: SeSystemProfilePrivilege	3744	powershell.exe
Token: SeSystemtimePrivilege	3744	powershell.exe
Token: SeProfSingleProcessPrivilege	3744	powershell.exe
Token: SeIncBasePriorityPrivilege	3744	powershell.exe
Token: SeCreatePagefilePrivilege	3744	powershell.exe
Token: SeBackupPrivilege	3744	powershell.exe
Token: SeRestorePrivilege	3744	powershell.exe
Token: SeShutdownPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeSystemEnvironmentPrivilege	3744	powershell.exe
Token: SeRemoteShutdownPrivilege	3744	powershell.exe
Token: SeUndockPrivilege	3744	powershell.exe
Token: SeManageVolumePrivilege	3744	powershell.exe
Token: 33	3744	powershell.exe
Token: 34	3744	powershell.exe
Token: 35	3744	powershell.exe
Token: 36	3744	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5820 wrote to memory of 4468	5820	cmd.exe	82
PID 5820 wrote to memory of 4468	5820	cmd.exe	82
PID 5820 wrote to memory of 6008	5820	cmd.exe	83
PID 5820 wrote to memory of 6008	5820	cmd.exe	83
PID 5820 wrote to memory of 6008	5820	cmd.exe	83
PID 6008 wrote to memory of 4512	6008	z88m1jq3dq.exe	84
PID 6008 wrote to memory of 4512	6008	z88m1jq3dq.exe	84
PID 6008 wrote to memory of 6044	6008	z88m1jq3dq.exe	86
PID 6008 wrote to memory of 6044	6008	z88m1jq3dq.exe	86
PID 4512 wrote to memory of 3744	4512	cmd.exe	87
PID 4512 wrote to memory of 3744	4512	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CraxsR76.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5820
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:6008
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wdir\'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wdir\'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxekifbq.ezn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe

Filesize
560KB

MD5
8b05d89985316bf554044a33ce820378

SHA1
d8487bbb42f29b2eadee0ecee3e56c3c22fa9b23

SHA256
a2c7f34abdda0f648f2d18b2534e5e6e68ee366853ff1b4d40e09554be3dbb42

SHA512
fcb19006a27e91c866b01b88ae1875d488cef3249d2f6ae536ac50889450b761ea2d51535c24c1b1ab147e304d0549a1abd2a2d1ad019e5c1e698778ad4f3511

Download Submit
C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt

Filesize
7KB

MD5
4c8a4f9132354b947054f1c5519c1115

SHA1
7d8cf865c02ac7a2c7045ce2a4dac25bfa484876

SHA256
3bc2e42614002c7b2c1503bc79c14351af778d545fc854d4225a541f6e51c6b5

SHA512
1e6fba390a33fc4644746b0d4503792229c453dad870a43b38c217c90ccd80e478cb68274e18d1cc1f02a6473d221a1e91303caad1b8aa68c4205adccc15851e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt

Filesize
750KB

MD5
10c4f20db1e13a3f88cc389711fe0ec9

SHA1
296599a4d1c3ae0f855840f22a233bb7572e7471

SHA256
7d41cc6ca6a26da1990ca4284f5e2003d27d9da24ae04c71a27d5aa789cb7ddd

SHA512
da13f0b93402bf9f51399dc4379698c0e9d718a4121ff1fe6790901ce7403445b92589a6d2e815df6e57a64aeab4ccf12f933a31fff402a80b8eeb8b78645e85

Download Submit
memory/3744-985-0x000001ECB7100000-0x000001ECB7122000-memory.dmp

Filesize
136KB

Download
memory/6044-962-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/6044-975-0x0000000002470000-0x00000000024E5000-memory.dmp

Filesize
468KB

Download
memory/6044-971-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/6044-970-0x0000000002470000-0x00000000024E5000-memory.dmp

Filesize
468KB

Download
memory/6044-963-0x0000000002470000-0x00000000024E5000-memory.dmp

Filesize
468KB

Download
memory/6044-988-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads