Overview

overview

10

Static

static

10

72c704ce89...e1.exe

windows7-x64

10

72c704ce89...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe

  • Size

    4.1MB

  • MD5

    929f19e57b30f2d144df83fa0b1efeee

  • SHA1

    240655dd6ba465964c5a7551e7dcd0aa9b86eec6

  • SHA256

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

  • SHA512

    407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8

  • SSDEEP

    49152:2cGISHmeux/2ueo7KX26WugPDCx5cWHiL7PCSUaDv/xOdv:UPHFRJg+3cC87PCD2BOt

Score
10/10
darkvisionexecutionrat

Malware Config

Extracted

Family

darkvision

C2

powernmoney.ddns.net

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision
  • Darkvision family
    darkvision
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 31 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
    "C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1136
    • C:\ProgramData\explorers\explorers.exe
      "C:\ProgramData\explorers\explorers.exe" {5697EAB0-86D6-4B52-825F-6D2297C291E6}
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        PID:232
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:868
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3120
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1872
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1088
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4648
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:5064
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3756
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2680
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2316
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3408
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:404
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1952
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4888
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4440
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:936
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:212
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4308
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3772
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:5080
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1536
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:872
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1280
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3016
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:776
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4052
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4848
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1744
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4472
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4508
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4948
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\explorers\explorers.exe
    Filesize

    4.1MB

    MD5

    929f19e57b30f2d144df83fa0b1efeee

    SHA1

    240655dd6ba465964c5a7551e7dcd0aa9b86eec6

    SHA256

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

    SHA512

    407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8

    Download Submit

  • C:\ProgramData\{F5793314-B631-4CD1-A887-5FEF46A1029C}\{1BB7ADF2-790D-45BD-B5C1-051705E06510}.bat
    Filesize

    105B

    MD5

    925d217185307c285570f80ec506aeae

    SHA1

    9e2d7ea7d127aa62c60251cea7a8c6c7560abd72

    SHA256

    9c3df114848f2fc3edc9758b0aad34554757d5e81d63756e18b8de67bb5c1fc4

    SHA512

    4a5544460f7c44c6bdfc8f8fe21b0bd75d84a9e14e50dff2898ee0274bba1471deefa2707d6348bfd50298b05f5641b512649809aa278fb050721513a3256f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqu2c40h.omp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    60d58c79b2aaa0bddff16dc3598ac874

    SHA1

    d1d760613d30ee8814f689d0ba1002710123270d

    SHA256

    2273de2403f651b1ed0493af3776bef5a38f4d3a8e96e2d4003a8ae36e204743

    SHA512

    f756e2a03f0d770535695e8d0ec62f1f36ffb499ec9ad4bdf15729a7aea6b238b5e97aead83a45c40043f424e81fb4ebecf0a58781b2723e4ff492a03b4f83f0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    9f1383c34de0bdb716ea7331a569ddc5

    SHA1

    f444f7f821d9474a3c554248dfa4b30e1f070d71

    SHA256

    f0338eb1fba8a9a69f81749d74d517aaf2a23d130c6642eab08d26ec98dd1cb7

    SHA512

    5a423004f56d3b8d0e4cf364ed1502ff213bd57c776494de5de2bf22800bc4d6daddfacfd9cf778be53efcf77769245f38c928a5e73c09bc1cae67a4977987d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    56f85f479a6cea16561b6f6fe47d3c6f

    SHA1

    45474328add6b1abcd6a04eb2c6614ad6fb77c12

    SHA256

    a5d6749123706241c60a222569b97e3e5017c772171e9ef5453d5ecd4e5f8a91

    SHA512

    476dacb2591661d4dfbdc8f8ce969e4560483af54b580bf5a4f902966293c60cba37d425b835b8763b036505bbe4c6668be24d877cf8cbd4247ba3c94f8183c1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    67ce615b9f647c5af192b2becf5dd4ea

    SHA1

    b568284087d2c9b8d110c3aabc6807b1f6c6ba18

    SHA256

    15998be569e7a353138f1127ff7146928a37bd433a1504ab6f22bf0ee4b658aa

    SHA512

    2de5107d1b27764d4838e5332c18732b8a915ec22b07a1f0f87a01940bd50e473f36b65733583300d75ad2cfff3a64934724da9321096a39c16b352b276c817d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    1fa2427a624fdb41777a3dc7709cedcf

    SHA1

    9c6b10d8cfb0b7cb41daf397c821bd05745ae7d9

    SHA256

    11b6cbd8452308dc24ff4c63b213bb9f2be7f8a739ffab8b1622bedc46524887

    SHA512

    1dbc53ebb93cd6f1935d67849e32cb69e411c643d635ff47a26e1e2fa43deb647c8302d1f958e343580d26ca7d7a901b54acb134e67ec1fd5e56c7451a8eb143

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    aa0bc17c8334ce0c995adbf25f2e1f47

    SHA1

    22eaa3d66760e3875e430adb218f56e3d5a11d8b

    SHA256

    14d07a08806af282a00a5a333a52710190d60e15c53d94601cf43cd66f1ffc07

    SHA512

    d7b8eb4e9080449dfedd36a59b1f602ec2ba331c5d05e03b5f83e003a2f5cb06142719db769acbac11343a6cb5c78bd04d182f0af1ef332353010b286f59e62f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    bb3a7a2f26ac22fdf20c08a94499e9aa

    SHA1

    93505e0f38a07bae95cc0ff9ddc75eac02faa9f7

    SHA256

    f4900e7f88a853a9989fec3321f6c216b82b05df22a1eef08d13f7d4a3a286c8

    SHA512

    18ff6f9a17f113d5deb018a00981e76ea6811a596d037cd5c8635f40a2a5add591e81e3de3e69cfdcfe69978514d5d7fa610d6e294cc51ad1c3c5ee3f02643a0

    Download Submit

  • memory/232-44-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-35-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-57-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-56-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-54-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-53-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-52-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-51-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-49-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-48-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-47-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-50-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-46-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-26-0x0000000000930000-0x0000000000931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/232-43-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-42-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-39-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-38-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-37-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-55-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-45-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-41-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-40-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-36-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-34-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-72-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/232-27-0x0000000002D90000-0x00000000031AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/440-9-0x00007FF6E1090000-0x00007FF6E14AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/440-0-0x00007FF6E1090000-0x00007FF6E14AE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/440-1-0x00007FFD07CF0000-0x00007FFD07CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/868-96-0x000002670A3A0000-0x000002670A7BE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1016-8-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1016-6-0x00007FF71C850000-0x00007FF71CC6E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1016-165-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1016-136-0x00007FF71C850000-0x00007FF71CC6E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1136-12-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1136-11-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1136-10-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1136-22-0x000001D6C3620000-0x000001D6C3642000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1136-25-0x00007FFD07C50000-0x00007FFD07E45000-memory.dmp

    Filesize

    2.0MB

    Download