Overview

overview

10

Static

static

10

72c704ce89...e1.exe

windows7-x64

10

72c704ce89...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe

  • Size

    4.1MB

  • MD5

    929f19e57b30f2d144df83fa0b1efeee

  • SHA1

    240655dd6ba465964c5a7551e7dcd0aa9b86eec6

  • SHA256

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

  • SHA512

    407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8

  • SSDEEP

    49152:2cGISHmeux/2ueo7KX26WugPDCx5cWHiL7PCSUaDv/xOdv:UPHFRJg+3cC87PCD2BOt

Score
10/10
darkvisionexecutionrat

Malware Config

Extracted

Family

darkvision

C2

powernmoney.ddns.net

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision
  • Darkvision family
    darkvision
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 31 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe
    "C:\Users\Admin\AppData\Local\Temp\72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
    • C:\ProgramData\explorers\explorers.exe
      "C:\ProgramData\explorers\explorers.exe" {5697EAB0-86D6-4B52-825F-6D2297C291E6}
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\explorers'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:676
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        PID:2420
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4904
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:5032
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2928
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4844
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2148
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3836
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:680
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3660
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3808
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:676
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3000
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3188
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1060
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1736
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2688
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4860
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3208
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:216
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3464
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3056
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3212
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1596
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2028
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3444
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3448
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4528
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:456
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:800
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:824
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1740
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\explorers\explorers.exe
    Filesize

    4.1MB

    MD5

    929f19e57b30f2d144df83fa0b1efeee

    SHA1

    240655dd6ba465964c5a7551e7dcd0aa9b86eec6

    SHA256

    72c704ce89bd5a7fb3d10caba3ac0bdfa0b900242ed810f506f0433f80bb7ee1

    SHA512

    407420916228bbfb869f5a2e265f5a3a4a2044c1f5454dc99fc631ca873d92fadc5dbe815d7bf91b70e0c420d5c09618fb69dbd191334626babda1e50daa07f8

    Download Submit

  • C:\ProgramData\{F5793314-B631-4CD1-A887-5FEF46A1029C}\{1BB7ADF2-790D-45BD-B5C1-051705E06510}.bat
    Filesize

    105B

    MD5

    925d217185307c285570f80ec506aeae

    SHA1

    9e2d7ea7d127aa62c60251cea7a8c6c7560abd72

    SHA256

    9c3df114848f2fc3edc9758b0aad34554757d5e81d63756e18b8de67bb5c1fc4

    SHA512

    4a5544460f7c44c6bdfc8f8fe21b0bd75d84a9e14e50dff2898ee0274bba1471deefa2707d6348bfd50298b05f5641b512649809aa278fb050721513a3256f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    fd9152fd0fab56908fe168af91a08303

    SHA1

    e4e64d449aaae4e5cda388fc492ff8ee0878af24

    SHA256

    a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

    SHA512

    c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrcsmb1j.pn2.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    4fe769e9f5292d4702b14f3ceb89a164

    SHA1

    68b3feec3413f112bd7d7fce1f96bca741194e6e

    SHA256

    35e57106cef2e3732c4d3aad48878b35b7234e96c634b3c3c2af782ef003cf60

    SHA512

    3d54899cc5f6a62b19d933da4a3b8f607a26307e34f8d82cb67cec00fbfda5df08a1568fc08d2bca3db8e7b262d6dbcc195fa323c2ee6d108b6dd8a97ad92a74

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    8692a002972f5775c1434e48efc8d008

    SHA1

    8c24770f59921bccde71da27a328773aa49d5274

    SHA256

    d37f1c65bb8866874ca1ab4fa6b448502087c5e412a142a2e0dd20e072879de2

    SHA512

    87c0324c860a2761f19908c19d8a8407bb9d4725578b6de322374c902a0e5f87e06ab10016f202fe079fbfa268f6d383f24cfb55b9cec594f133d7367620ff9a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    2daac29edfc10d318ebbce7687294963

    SHA1

    39739bbeb6ab50deade5ccdc936083a3764a7a38

    SHA256

    694539d8c5e9984ce6262e5d52f36f388bfa1f11ea4a37f689b781c6973cb38a

    SHA512

    5faf35aecbb73cceb778e3f7a43e1601857d3525b6e67bb1d98ee6887a40263bb931a83a19c64447b66a7eb798a735289300fcb88887380964b57754d4558cbf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    76dce49d1cdd89b2b0ccf04002acac99

    SHA1

    8835dbfbcc9c35f095d98e0c701bb2b7caed14ba

    SHA256

    3a4bc13c8e6d881cd7a4ae92915ba783e7b5c424df63ab558ec53a1bb94bddb2

    SHA512

    51c88a46fb3198bcff03027326ecc1b41ce07dd2e44585f6b7ad1281d7fc3cd672943331b7a2781bd230d628cea95abbfcb9daa807e53020e8ded7b9ac9885ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{3170EC04-83DB-4D95-A866-F665F781749F}.lnk
    Filesize

    1KB

    MD5

    7550389e0f07d84fd39249343ce6e51b

    SHA1

    805e9ef2aa360c87610172d2a56886187a409544

    SHA256

    382c7caf686cb5c9b449e25c745580638ef4e99ea4cfdb95bfca981bb3dee2a7

    SHA512

    29c80cbd8cbefb3ae56249e12b2cda60f68e73be8b1574df755a48bfede1b7b7672ff83c83d6aae413d18e6632dc69ebfa5b856a776223a2470ad4fdc98b4674

    Download Submit

  • memory/1936-18-0x000001A0D5390000-0x000001A0D53B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1936-12-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1936-11-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1936-66-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1936-10-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2420-45-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-32-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-49-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-48-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-46-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-44-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-42-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-41-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-52-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-43-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-39-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-38-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-37-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-35-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-34-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-33-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-36-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-51-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-31-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-70-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-23-0x0000000000A40000-0x0000000000A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-24-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-40-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-47-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-54-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-53-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2420-50-0x0000000002BB0000-0x0000000002FCE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2884-208-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2884-164-0x00007FF601DB0000-0x00007FF6021CE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2884-6-0x00007FF601DB0000-0x00007FF6021CE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2884-9-0x00007FFD83610000-0x00007FFD83805000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4904-97-0x0000022C302A0000-0x0000022C306BE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4940-0-0x00007FF76B9E0000-0x00007FF76BDFE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4940-1-0x00007FFD836B0000-0x00007FFD836B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4940-8-0x00007FF76B9E0000-0x00007FF76BDFE000-memory.dmp

    Filesize

    4.1MB

    Download