darkvision | 013425ffb967f37556591d596ac033ae3a7ad466c512c32685e0cd960fbe670f

General

Target

adig.exe
Size

780KB
MD5

7ad31c28848f1ff2193f807cb3deaaf9
SHA1

ed58fcebec0ecb5921a3a8f8e1a1647cddfefcfb
SHA256

013425ffb967f37556591d596ac033ae3a7ad466c512c32685e0cd960fbe670f
SHA512

7fd16fd547c86f34f1591bdd2cefc4fb42d6893611e43050519f09e6661a3c02404d308aa4d886e3a2b44859e96700ca1603dd636a631ebcd0dcea3fe733a5a0
SSDEEP

24576:VHHiWcxah9JB/OrWaQ47IbQuLVUpuWsZo:VHHiXahLBWrW58uLVU/sG

Score

10^/10

darkvision execution persistence rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
1424	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	defender.exe

Executes dropped EXE 4 IoCs

pid	Process
5104	000003c00029.exe
4972	defender.exe
3456	000003c00029.exe
5020	defender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService = "C:\\Users\\Admin\\Documents\\App\\000003c00029.exe"	adig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1424	powershell.exe
1424	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeIncreaseQuotaPrivilege	1424	powershell.exe
Token: SeSecurityPrivilege	1424	powershell.exe
Token: SeTakeOwnershipPrivilege	1424	powershell.exe
Token: SeLoadDriverPrivilege	1424	powershell.exe
Token: SeSystemProfilePrivilege	1424	powershell.exe
Token: SeSystemtimePrivilege	1424	powershell.exe
Token: SeProfSingleProcessPrivilege	1424	powershell.exe
Token: SeIncBasePriorityPrivilege	1424	powershell.exe
Token: SeCreatePagefilePrivilege	1424	powershell.exe
Token: SeBackupPrivilege	1424	powershell.exe
Token: SeRestorePrivilege	1424	powershell.exe
Token: SeShutdownPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeSystemEnvironmentPrivilege	1424	powershell.exe
Token: SeRemoteShutdownPrivilege	1424	powershell.exe
Token: SeUndockPrivilege	1424	powershell.exe
Token: SeManageVolumePrivilege	1424	powershell.exe
Token: 33	1424	powershell.exe
Token: 34	1424	powershell.exe
Token: 35	1424	powershell.exe
Token: 36	1424	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5484 wrote to memory of 1424	5484	adig.exe	82
PID 5484 wrote to memory of 1424	5484	adig.exe	82
PID 5484 wrote to memory of 5104	5484	adig.exe	95
PID 5484 wrote to memory of 5104	5484	adig.exe	95
PID 5104 wrote to memory of 4972	5104	000003c00029.exe	96
PID 5104 wrote to memory of 4972	5104	000003c00029.exe	96
PID 5032 wrote to memory of 3456	5032	cmd.exe	97
PID 5032 wrote to memory of 3456	5032	cmd.exe	97
PID 3456 wrote to memory of 5020	3456	000003c00029.exe	98
PID 3456 wrote to memory of 5020	3456	000003c00029.exe	98

C:\Users\Admin\AppData\Local\Temp\adig.exe
"C:\Users\Admin\AppData\Local\Temp\adig.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\App'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Users\Admin\Documents\App\000003c00029.exe
  "C:\Users\Admin\Documents\App\000003c00029.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Roaming\defender\defender.exe
    "C:\Users\Admin\AppData\Roaming\defender\defender.exe" {D21DBE81-1D94-4C51-8C7C-553B348C2AB9}
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\App\000003c00029.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\Documents\App\000003c00029.exe
  C:\Users\Admin\Documents\App\000003c00029.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Users\Admin\AppData\Roaming\defender\defender.exe
    "C:\Users\Admin\AppData\Roaming\defender\defender.exe" {D21DBE81-1D94-4C51-8C7C-553B348C2AB9}
    3⤵
    - Executes dropped EXE
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ankyurct.klf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\App\000003c00029.exe

Filesize
489KB

MD5
15fd5c7d27c1159f2e0b3d5390cc7ec5

SHA1
2aa47c93a9f39d4972354c7aa7364bd872063bc8

SHA256
ed8c6b20e7465732decc3cf2ea073eea6d4915bcfd3ca5546847489153917f0e

SHA512
86c22f92afa6f4d13bade402f77903b81f2a302103a784aceced83c631cd2e8d67d531a40a512cf0b0eb52e7cddf71a555c80680add1f77f68d3d884637b1802

Download Submit
memory/1424-0-0x00007FFC665B3000-0x00007FFC665B5000-memory.dmp

Filesize
8KB

Download
memory/1424-7-0x00000123B0690000-0x00000123B06B2000-memory.dmp

Filesize
136KB

Download
memory/1424-11-0x00007FFC665B0000-0x00007FFC67072000-memory.dmp

Filesize
10.8MB

Download
memory/1424-12-0x00007FFC665B0000-0x00007FFC67072000-memory.dmp

Filesize
10.8MB

Download
memory/1424-13-0x00007FFC665B0000-0x00007FFC67072000-memory.dmp

Filesize
10.8MB

Download
memory/1424-14-0x00007FFC665B0000-0x00007FFC67072000-memory.dmp

Filesize
10.8MB

Download
memory/1424-17-0x00007FFC665B0000-0x00007FFC67072000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads