darkvision | 525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51

General

Target

PO202503D.xlsm
Size

36KB
MD5

7928d4da38767e17b693dc1c3b12376b
SHA1

b357c6211bbf9b463553d5137aac957fbd9b0868
SHA256

525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51
SHA512

a3820c8bf86d3b29c781e28504e745d15e100a1e962c39f9f9d9185461f67233ef211c52b01c389b34fcc66876b22e22c122989c6a93ce885c3599f4650842ee
SSDEEP

768:hSfin4o5bHOKLIsbWyi14m1xMeJodBTFRiARLVgqKM2kqioUuV2SB:hSfiNbLRbjcBJo9RiCf3qiXuZ

Score

10^/10

darkvision execution persistence rat

Malware Config

Extracted

Family

darkvision

C2

myasyncrat.ddns.net

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	400	228	7z.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	620	228	regsvr32.exe	83

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4460	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4440	PO202502DAKE.exe

Loads dropped DLL 2 IoCs

pid	Process
4440	PO202502DAKE.exe
4440	PO202502DAKE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO202502DAKE = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\SystemRootDoc\" \"C:\\Users\\Admin\\SystemRootDoc\\PO202502DAKE.exe\""	PO202502DAKE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 3684	4440	PO202502DAKE.exe	102

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
228	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	powershell.exe
4460	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	400	7z.exe
Token: 35	400	7z.exe
Token: SeSecurityPrivilege	400	7z.exe
Token: SeSecurityPrivilege	400	7z.exe
Token: SeDebugPrivilege	4440	PO202502DAKE.exe
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 400	228	EXCEL.EXE	96
PID 228 wrote to memory of 400	228	EXCEL.EXE	96
PID 228 wrote to memory of 620	228	EXCEL.EXE	98
PID 228 wrote to memory of 620	228	EXCEL.EXE	98
PID 228 wrote to memory of 4440	228	EXCEL.EXE	99
PID 228 wrote to memory of 4440	228	EXCEL.EXE	99
PID 4440 wrote to memory of 4460	4440	PO202502DAKE.exe	101
PID 4440 wrote to memory of 4460	4440	PO202502DAKE.exe	101
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102
PID 4440 wrote to memory of 3684	4440	PO202502DAKE.exe	102

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO202503D.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\Admin\AppData\Local\Temp\invoice_temp\" "C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SYSTEM32\regsvr32.exe
  "regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
  2⤵
  - Process spawned unexpected child process
  PID:620
- C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe
  "C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\SystemRootDoc' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzqfijeg.tj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe

Filesize
62KB

MD5
fd3c8166e7fbbb64d12c1170b8f4bacf

SHA1
dc8d7acb3f6dfd990f20ec02675c5d92fd674428

SHA256
a52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b

SHA512
7caf92d9d44e0e6026cd9115c8c6f3026e5074adfe27af353ad9a6a780bdbd5d07cc0a93c16cc8ca4cc08fe11cf116cd0a6e14ad4af80d550cf71085a853fad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip

Filesize
1.9MB

MD5
427568b60bc14283e2bae0c4aff1775d

SHA1
1c7f0a258ab9e8883df9eed025ef14db6fb913d5

SHA256
e32d30e690548e5727082538d480cc378644db1c98cce3a063f69569d7fd60b2

SHA512
51b76747aee8438147451d85470be13bc6b6e10803565d2b5a0b77e826cda6c87505db33185252c058c77ac7c2e2fd4daf4fae01b295fe6cf447040088594426

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\libcares-2.dll

Filesize
1.9MB

MD5
49abecb8967a527f3f8b5493f0f82820

SHA1
31b535360199e41ae87111b36f9ef97977b3d9c6

SHA256
17f1ca60b529a4617fdd64bdf686b78f704abbe6d19b69c109bffd352ac9503c

SHA512
614593697a2acd897331595cc56164601528c03be6966aa599e2f541276ea71fdcc547195534119904da921b5fa9f8c5e14777c126aa6827be57b2b406d19be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\msvcp290.dll

Filesize
1.8MB

MD5
e0d6e35a1b29a6dded46532ea4331ef9

SHA1
be78ee87b098d864eb55a462e09dcf6a137facdd

SHA256
c3199ea2ea2f310180cf52f835b7534d12df3ab1a7b695259b35e3bf411cfb56

SHA512
124dcaabb16eb4d521bc3eeb08dbbd45c9eb750e11f67a0654903a0b62e19875832706b4ebb619c2cca3b68d88e47edd4c63079b0b788ea723bf10b3a5ec0298

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll

Filesize
453KB

MD5
b5f2411d0ab5cfbec4de2b5292ce34d2

SHA1
14c455a55bc0a32572ff24362fa176c61abd8be7

SHA256
7f49b5cb029653dee44791f5309830e94c03a3e4da53bffa03192e48ab5bcbc9

SHA512
92201c5663f3b77aa97d512cc7810b6dab2243457bc7d0bf648589eacddfb8790aaba45e3826cd57edcfba5fca5212028ef8ef512f903b929a7fe29481541b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice_temp\vcruntime210.dll

Filesize
1KB

MD5
0e73abcdf363b934cb65da5ecc71233c

SHA1
1e3c77c3f091bdf7ce1e9edacd5dd733bcb3948a

SHA256
45edcd7e15993dc3bde1cbbb3f2926cc6fabc45390eebd17c730e60ab13707b5

SHA512
1d09d77b46c510c2641548aefb799326c68a15a80436ca1fba8638fa8c0ac50469b01303eadbd5406dae63c5c2f39c52a99e6238b1edfbb2c9ac1f77962cd29e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
679B

MD5
f8d58bee2132e32245edd5171d8ca683

SHA1
529fa870ba7973c35281251e4ecd0f1ac298bba1

SHA256
fec2ccedef389bcf2bfe6e980879a5cd9185434fc8e4094478bc6b5e90dfbab9

SHA512
7fb4911a6fb47c30a6d0a500a8c7a57d44b9d7a3972038f9b1ab930d7eff487c826cfa83dc2d2db4cf436c82d5f757f4163f3f44adc592c2f80e767f8df21e6c

Download Submit
memory/228-51-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-5-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-12-0x00007FFEEF730000-0x00007FFEEF740000-memory.dmp

Filesize
64KB

Download
memory/228-9-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-8-0x00007FFEF18F0000-0x00007FFEF1900000-memory.dmp

Filesize
64KB

Download
memory/228-13-0x00007FFEEF730000-0x00007FFEEF740000-memory.dmp

Filesize
64KB

Download
memory/228-14-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-28-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-39-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-40-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-41-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-42-0x00007FFF3190D000-0x00007FFF3190E000-memory.dmp

Filesize
4KB

Download
memory/228-0-0x00007FFEF18F0000-0x00007FFEF1900000-memory.dmp

Filesize
64KB

Download
memory/228-68-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-75-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-10-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-7-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-11-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-6-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-4-0x00007FFEF18F0000-0x00007FFEF1900000-memory.dmp

Filesize
64KB

Download
memory/228-2-0x00007FFEF18F0000-0x00007FFEF1900000-memory.dmp

Filesize
64KB

Download
memory/228-1-0x00007FFF3190D000-0x00007FFF3190E000-memory.dmp

Filesize
4KB

Download
memory/228-139-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-137-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-119-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-136-0x00007FFF31870000-0x00007FFF31A65000-memory.dmp

Filesize
2.0MB

Download
memory/228-3-0x00007FFEF18F0000-0x00007FFEF1900000-memory.dmp

Filesize
64KB

Download
memory/3684-117-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/3684-138-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/3684-115-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/3684-116-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4440-118-0x00007FF6AD1F0000-0x00007FF6AD205000-memory.dmp

Filesize
84KB

Download
memory/4460-125-0x000001B175580000-0x000001B1755A2000-memory.dmp

Filesize
136KB

Download
memory/4460-132-0x000001B1755B0000-0x000001B1755F8000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads