darkvision | 0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47

Analysis

max time kernel
113s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STUB.exe
Size

276KB
MD5

a5772b2f2d542f4b9c8b470ffc6dc8aa
SHA1

1b06cc73448b6ac1cbd9a65d3a7272f498f0d7d6
SHA256

0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47
SHA512

5e67d9cc0fda9f87d3b7ea0fd39d9d5130d3b2cd4f0c40a7b2aefe347c7b070f262bb43cb5477c26d01050fedaaa01c9cfa39c64ef3bdd18f6b892a7e8d8503e
SSDEEP

3072:rrDyh1bdjkWxF/1PVg88WRhgEr1yNhT2xE/3MW7o4+W95nBkBPV5Epr1R:uhhJDFgX3Er8PTAE/3JR52Va

Score

10^/10

darkvision rat

Malware Config

Extracted

Family

darkvision

147.185.221.24

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	admin.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	admin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2436	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1360	STUB.exe
1360	STUB.exe
1360	STUB.exe
1360	STUB.exe
2480	admin.exe
2480	admin.exe
2480	admin.exe
2480	admin.exe
2480	admin.exe
2480	admin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	STUB.exe
Token: SeDebugPrivilege	2480	admin.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2480	1360	STUB.exe	83
PID 1360 wrote to memory of 2480	1360	STUB.exe	83

C:\Users\Admin\AppData\Local\Temp\STUB.exe
"C:\Users\Admin\AppData\Local\Temp\STUB.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\ProgramData\Server\admin.exe
  "C:\ProgramData\Server\admin.exe" {8CD74CEB-EB0C-4B9F-AB18-236234CBF3C0}
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OptimizeAdd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OptimizeAdd.bat" "
1⤵
PID:2440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x500
1⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OptimizeAdd.bat" "
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Server\admin.exe

Filesize
276KB

MD5
a5772b2f2d542f4b9c8b470ffc6dc8aa

SHA1
1b06cc73448b6ac1cbd9a65d3a7272f498f0d7d6

SHA256
0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47

SHA512
5e67d9cc0fda9f87d3b7ea0fd39d9d5130d3b2cd4f0c40a7b2aefe347c7b070f262bb43cb5477c26d01050fedaaa01c9cfa39c64ef3bdd18f6b892a7e8d8503e

Download Submit