Analysis
-
max time kernel
31s -
max time network
54s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
30-06-2021 19:48
Static task
static1
Behavioral task
behavioral1
Sample
idu567.tmp.dll
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
idu567.tmp.dll
-
Size
1.6MB
-
MD5
18c3793f2df5ae48b55a9a1825b1c1fb
-
SHA1
8e90dc300bb91dd6ce57566116b156e3473cf646
-
SHA256
43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
-
SHA512
1ebe4bbb0fd571e5d712e52b47012de1eb587008a59e1e1f3fe69ae8a9637e5466d9d8c2c0887d733734f77909e5530307c564b2218b895b88657455e49a47a0
Malware Config
Signatures
-
DarkVNC Payload 3 IoCs
resource yara_rule behavioral1/memory/1184-61-0x00000000743A0000-0x000000007442A000-memory.dmp darkvnc behavioral1/memory/1184-62-0x00000000743A0000-0x00000000745E3000-memory.dmp darkvnc behavioral1/memory/1764-67-0x0000000001BF0000-0x0000000001CBA000-memory.dmp darkvnc -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1184 set thread context of 1764 1184 rundll32.exe 30 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1184 rundll32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1916 wrote to memory of 1184 1916 rundll32.exe 25 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30 PID 1184 wrote to memory of 1764 1184 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe3⤵PID:1764
-
-