darkvision | da9761f3f188bfa2208ad076f3f0760e16489add3554cf8e8a9e0a05f09adeb4

Analysis

max time kernel
95s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO690654W226614626001MLCWHKGH10051950.pdf.exe
Size

407KB
MD5

11707e7d4128ffd80fedf1b8e1ced024
SHA1

b012614b4a5ca83156dda6b06951654650d99738
SHA256

cbeab2846912cb969bf80b60693090f0ce20b288f138e70c3d5f7fc1f981b107
SHA512

0c2e7bd02a7ccf53dcfed6067be2a810a239812b0c91cbca2da8d9d33898122c18e8e48e3fe23e007ca394ee2f158c2e68d9c234201c92b97977c2574e68b8e6
SSDEEP

6144:tkQa+PH+Tp7WmgLhjIpPMrfkZTEOIMqbUn9k1ASrznh8bvBO:tLa+eWYkfkZgOIMcU9k1ASr9U0

Score

10^/10

darkvision rat

Malware Config

Extracted

Family

darkvision

http://servservserv.freewebhostmost.com/upload.php

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5072 created 3456	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	56

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsMailNewsSave.vbs	PO690654W226614626001MLCWHKGH10051950.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe
5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe
5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4424	InstallUtil.exe
4424	InstallUtil.exe
4424	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe
Token: SeDebugPrivilege	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 5072 wrote to memory of 4424	5072	PO690654W226614626001MLCWHKGH10051950.pdf.exe	99
PID 4424 wrote to memory of 3448	4424	InstallUtil.exe	101
PID 4424 wrote to memory of 3448	4424	InstallUtil.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\PO690654W226614626001MLCWHKGH10051950.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PO690654W226614626001MLCWHKGH10051950.pdf.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\EXPLORER.EXE
    C:\Windows\EXPLORER.EXE {37FF5ADC-CFF9-4414-AF00-FCD9639E57BE}
    3⤵
    PID:3448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3448-1354-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4424-1351-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4424-1363-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/5072-1-0x000001D79A030000-0x000001D79A09A000-memory.dmp

Filesize
424KB

Download
memory/5072-0-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

Filesize
8KB

Download
memory/5072-2-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-3-0x000001D7B4830000-0x000001D7B4954000-memory.dmp

Filesize
1.1MB

Download
memory/5072-19-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-23-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-67-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-65-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-61-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-59-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-57-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-53-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-51-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-49-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-47-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-45-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-43-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-41-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-39-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-35-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-33-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-31-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-29-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-27-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-21-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-17-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-15-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-13-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-11-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-9-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-7-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-6-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-63-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-55-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-37-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-25-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-4-0x000001D7B4830000-0x000001D7B494E000-memory.dmp

Filesize
1.1MB

Download
memory/5072-1326-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1327-0x000001D79BD10000-0x000001D79BD8E000-memory.dmp

Filesize
504KB

Download
memory/5072-1328-0x000001D7B5A00000-0x000001D7B5A7A000-memory.dmp

Filesize
488KB

Download
memory/5072-1329-0x000001D79BDA0000-0x000001D79BDEC000-memory.dmp

Filesize
304KB

Download
memory/5072-1330-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1331-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1332-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

Filesize
8KB

Download
memory/5072-1333-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1334-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1335-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1336-0x000001D7B5AF0000-0x000001D7B5B44000-memory.dmp

Filesize
336KB

Download
memory/5072-1343-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1350-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1349-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download