Analysis

max time kernel: 23s
max time network: 153s
platform: windows10_x64
resource: win10v20210410
submitted: 16-07-2021 20:41

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: zdnDE6F.tmp.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General

Target: zdnDE6F.tmp.dll
Size: 1.3MB
MD5: 108b97c82934dd23e8d7cd9534ad2685
SHA1: 991d8933b8afe85c743321050c63c34dad9eb69a
SHA256: e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6
SHA512: 0e902f5e0a34326e14d1df413265fa3057094091897b4e3c3e7e34eec511cfbdf9d99b4a9c1efc537f0ea977c0bcc38683fff9cbb4acb6a25e680c9c0931e0fc
Malware Config

Signatures

DarkVNC Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4076-115-0x00000000741C0000-0x000000007424A000-memory.dmp | darkvnc
behavioral2/memory/4076-116-0x00000000741C0000-0x00000000743A7000-memory.dmp | darkvnc
behavioral2/memory/3168-120-0x000001F711930000-0x000001F711C29000-memory.dmp | darkvnc

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4076 set thread context of 3168 | 4076 | rundll32.exe | 80

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
4076 | rundll32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3904 wrote to memory of 4076 | 3904 | rundll32.exe | 70
PID 3904 wrote to memory of 4076 | 3904 | rundll32.exe | 70
PID 3904 wrote to memory of 4076 | 3904 | rundll32.exe | 70
PID 4076 wrote to memory of 3168 | 4076 | rundll32.exe | 80
PID 4076 wrote to memory of 3168 | 4076 | rundll32.exe | 80
PID 4076 wrote to memory of 3168 | 4076 | rundll32.exe | 80
PID 4076 wrote to memory of 3168 | 4076 | rundll32.exe | 80
PID 4076 wrote to memory of 3168 | 4076 | rundll32.exe | 80
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zdnDE6F.tmp.dll,#1
  PID: 3904
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 3904)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zdnDE6F.tmp.dll,#1
    PID: 4076
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe (child of PID 4076)
      Command line: C:\Windows\system32\WerFault.exe
      PID: 3168