Analysis
-
max time kernel
35s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-06-2021 19:48
Static task
static1
Behavioral task
behavioral1
Sample
idu567.tmp.dll
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
idu567.tmp.dll
-
Size
1.6MB
-
MD5
18c3793f2df5ae48b55a9a1825b1c1fb
-
SHA1
8e90dc300bb91dd6ce57566116b156e3473cf646
-
SHA256
43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
-
SHA512
1ebe4bbb0fd571e5d712e52b47012de1eb587008a59e1e1f3fe69ae8a9637e5466d9d8c2c0887d733734f77909e5530307c564b2218b895b88657455e49a47a0
Malware Config
Signatures
-
DarkVNC Payload 3 IoCs
resource yara_rule behavioral2/memory/4868-115-0x0000000073660000-0x00000000736EA000-memory.dmp darkvnc behavioral2/memory/4868-116-0x0000000073660000-0x00000000738A3000-memory.dmp darkvnc behavioral2/memory/2432-121-0x00000195FA8A0000-0x00000195FAB99000-memory.dmp darkvnc -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4868 set thread context of 2432 4868 rundll32.exe 79 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4868 rundll32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4796 wrote to memory of 4868 4796 rundll32.exe 69 PID 4796 wrote to memory of 4868 4796 rundll32.exe 69 PID 4796 wrote to memory of 4868 4796 rundll32.exe 69 PID 4868 wrote to memory of 2432 4868 rundll32.exe 79 PID 4868 wrote to memory of 2432 4868 rundll32.exe 79 PID 4868 wrote to memory of 2432 4868 rundll32.exe 79 PID 4868 wrote to memory of 2432 4868 rundll32.exe 79 PID 4868 wrote to memory of 2432 4868 rundll32.exe 79
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe3⤵PID:2432
-
-