Overview

overview

10

Static

static

10

9b2d36be59...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2025, 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b2d36be5948b2c1a7827119a94365c0beb7a07bfccdda9f0b504a4b7cf9c9e7.exe

  • Size

    4.0MB

  • MD5

    23c0d50441149bf11a21e63a50828ef5

  • SHA1

    77c2ea87d63f5d49a6ea6e793ebf4b17f31cb5b3

  • SHA256

    9b2d36be5948b2c1a7827119a94365c0beb7a07bfccdda9f0b504a4b7cf9c9e7

  • SHA512

    d88b0c48fa92da2bd2899c36624148bd40f2e0221bff33d982091545e1e0a6b01ea34933adc3f9e1b1e1c507de70f38fd83a015072a14390d38bd05e556bf5ae

  • SSDEEP

    49152:9krvZq79gUpgKl/kdZMW/sIhN6hZATobIxcjVQO3uuA:dv9hW/9N6hCobGcj5e

Score
10/10
darkvisionexecutionrat

Malware Config

Extracted

Family

darkvision

C2

toolsdns.ddns.net

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision
  • Darkvision family
    darkvision
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b2d36be5948b2c1a7827119a94365c0beb7a07bfccdda9f0b504a4b7cf9c9e7.exe
    "C:\Users\Admin\AppData\Local\Temp\9b2d36be5948b2c1a7827119a94365c0beb7a07bfccdda9f0b504a4b7cf9c9e7.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of WriteProcessMemory
    PID:5564
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\rnicrosofts'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\rnicrosofts'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5488
    • C:\ProgramData\rnicrosofts\rnicrosofts.exe
      "C:\ProgramData\rnicrosofts\rnicrosofts.exe" {8FBB9D3A-8CD2-453E-A8F7-953457305514}
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\rnicrosofts'
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\rnicrosofts'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4736
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\rnicrosofts\rnicrosofts.exe
    Filesize

    4.0MB

    MD5

    23c0d50441149bf11a21e63a50828ef5

    SHA1

    77c2ea87d63f5d49a6ea6e793ebf4b17f31cb5b3

    SHA256

    9b2d36be5948b2c1a7827119a94365c0beb7a07bfccdda9f0b504a4b7cf9c9e7

    SHA512

    d88b0c48fa92da2bd2899c36624148bd40f2e0221bff33d982091545e1e0a6b01ea34933adc3f9e1b1e1c507de70f38fd83a015072a14390d38bd05e556bf5ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    fd9152fd0fab56908fe168af91a08303

    SHA1

    e4e64d449aaae4e5cda388fc492ff8ee0878af24

    SHA256

    a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

    SHA512

    c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfczy3wv.qj5.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4320-89-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-85-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-93-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-92-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-91-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-90-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-95-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-88-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-86-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-94-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-84-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-83-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-82-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-81-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4320-80-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4320-9-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4320-8-0x00007FF7CA6B0000-0x00007FF7CAAB2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-52-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-50-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-58-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-67-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-57-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-59-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-56-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-55-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-53-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-48-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-51-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-49-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-47-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-46-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-45-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-44-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-43-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-42-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-41-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-40-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-54-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-23-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4652-79-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-32-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-33-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-34-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-35-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-37-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-38-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-39-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-31-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-36-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4652-25-0x0000000002FA0000-0x00000000033A2000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5488-64-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5488-18-0x000001649D9E0000-0x000001649DA02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5488-12-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5488-11-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5488-10-0x00007FFE55150000-0x00007FFE55345000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5564-1-0x00007FFE551F0000-0x00007FFE551F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5564-0-0x00007FF6E5E20000-0x00007FF6E6222000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5564-7-0x00007FF6E5E20000-0x00007FF6E6222000-memory.dmp

    Filesize

    4.0MB

    Download