darkvision | f1ab614948bc4f083c360d00c8bb928d87d272d0821ae2c9f6428f8851e16c85

Analysis

max time kernel
1151s
max time network
1137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STUB.exe
Size

392KB
MD5

50719aa63a1675c0603d9631fcc29304
SHA1

1c71c81f8f58372ac6ee0ed6dbda3af8052212d0
SHA256

f1ab614948bc4f083c360d00c8bb928d87d272d0821ae2c9f6428f8851e16c85
SHA512

ee8bcd30f6565a3b9e8191db515a19c93ca37ba37812bb1fbf68ce7351b12bda25dd506f139dba3235aca8fea822e29fca81cae5e9fea7ea0c2ae38ba8702e67
SSDEEP

6144:JhhJDFgX3Er8PTAE/3JR5X1q/PjWlsv4JbGN2n24peFpm:ThlFgX3EruRbqils6MoDqA

Score

10^/10

darkvision persistence rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Executes dropped EXE 3 IoCs

pid	Process
1960	Server.exe
3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Srv Dir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Srv Dir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Srv Dir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Srv Dir\\Server.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 5112	1960	Server.exe	85
PID 1960 set thread context of 1356	1960	Server.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3940	STUB.exe
3940	STUB.exe
3940	STUB.exe
3940	STUB.exe
1960	Server.exe
1960	Server.exe
1960	Server.exe
1960	Server.exe
5112	svchost.exe
5112	svchost.exe
5112	svchost.exe
5112	svchost.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	STUB.exe
Token: SeDebugPrivilege	1960	Server.exe
Token: SeDebugPrivilege	5112	svchost.exe
Token: SeDebugPrivilege	1356	explorer.exe
Token: SeDebugPrivilege	3104	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
Token: SeDebugPrivilege	2936	{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
Token: SeDebugPrivilege	3120	taskmgr.exe
Token: SeSystemProfilePrivilege	3120	taskmgr.exe
Token: SeCreateGlobalPrivilege	3120	taskmgr.exe
Token: 33	3120	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3120	taskmgr.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1960	3940	STUB.exe	83
PID 3940 wrote to memory of 1960	3940	STUB.exe	83
PID 1960 wrote to memory of 5112	1960	Server.exe	85
PID 1960 wrote to memory of 5112	1960	Server.exe	85
PID 1960 wrote to memory of 5112	1960	Server.exe	85
PID 1960 wrote to memory of 5112	1960	Server.exe	85
PID 1960 wrote to memory of 1356	1960	Server.exe	86
PID 1960 wrote to memory of 1356	1960	Server.exe	86
PID 1960 wrote to memory of 1356	1960	Server.exe	86
PID 1960 wrote to memory of 1356	1960	Server.exe	86
PID 5112 wrote to memory of 3104	5112	svchost.exe	88
PID 5112 wrote to memory of 3104	5112	svchost.exe	88
PID 1356 wrote to memory of 2936	1356	explorer.exe	89
PID 1356 wrote to memory of 2936	1356	explorer.exe	89

C:\Users\Admin\AppData\Local\Temp\STUB.exe
"C:\Users\Admin\AppData\Local\Temp\STUB.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\ProgramData\Srv Dir\Server.exe
  "C:\ProgramData\Srv Dir\Server.exe" {F6124A99-BA68-4AFE-9171-239E4A01B7D7}
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
      "C:\Users\Admin\AppData\Local\Temp\{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE" {0962B528-F72D-4546-8CCE-2B49C0A0BB20}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3104
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE
      "C:\Users\Admin\AppData\Local\Temp\{2362E680-5F8C-46F5-8D6C-9B0BA8E77CC7}.EXE" {0962B528-F72D-4546-8CCE-2B49C0A0BB20}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Srv Dir\Server.exe

Filesize
392KB

MD5
50719aa63a1675c0603d9631fcc29304

SHA1
1c71c81f8f58372ac6ee0ed6dbda3af8052212d0

SHA256
f1ab614948bc4f083c360d00c8bb928d87d272d0821ae2c9f6428f8851e16c85

SHA512
ee8bcd30f6565a3b9e8191db515a19c93ca37ba37812bb1fbf68ce7351b12bda25dd506f139dba3235aca8fea822e29fca81cae5e9fea7ea0c2ae38ba8702e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ECE80711-720C-4929-8B8A-8C1A76FB9D04}

Filesize
277KB

MD5
2982b34b78f375e95e35ebef76106abe

SHA1
c8e6ca1074d192181e884bda7eb972d1044dfe8c

SHA256
2c21b4a68d2c0e5f13589187bb328a3753e74db6846b50dffde5b6c4b7d5c2ac

SHA512
1323fcf27fdb27cc652f43a89967caec71387bf99193ae49e0fc2157cffc5dfb0e28fc46a74a66d4f2693c9846928a76ad9f8432a2f1ffffa695e35b55cd5933

Download Submit
memory/1356-36-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-35-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-49-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-22-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-47-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-45-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-38-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-39-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/1356-37-0x00000000028E0000-0x000000000292C000-memory.dmp

Filesize
304KB

Download
memory/3120-63-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-62-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-61-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-65-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-55-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-56-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-64-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-67-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-66-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/3120-57-0x0000016A034E0000-0x0000016A034E1000-memory.dmp

Filesize
4KB

Download
memory/5112-32-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-51-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-53-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-52-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-42-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-30-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-31-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-33-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-34-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-9-0x00000204E4F60000-0x00000204E4FAC000-memory.dmp

Filesize
304KB

Download
memory/5112-6-0x00000204E4E20000-0x00000204E4E22000-memory.dmp

Filesize
8KB

Download
memory/5112-5-0x00000204E4DD0000-0x00000204E4E11000-memory.dmp

Filesize
260KB

Download