Analysis

  • max time kernel
    21s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-07-2021 09:07

General

  • Target

    usfive_20210718-090922.exe

  • Size

    499KB

  • MD5

    982f58d704d00ef6fa9a90d3fee6b98b

  • SHA1

    810959da0fdbd7667a5356282b1e9bb2bdb21d72

  • SHA256

    86b3b60d044d90b22c1285027ad44cc36b3c83ab2c4174fb92ef07cbe1d76cac

  • SHA512

    0d19255e57b3eb47fa42c6b1fec153f5926b0043ae8ed939ef9df1d16bc145928d0ab824091bb39b5e597c6c8efcf41a0fa4cdc9870569889e7ea680b014e065

Malware Config

Signatures

  • DarkVNC

    DarkVNC is a malicious version of the famous VNC software.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • DarkVNC Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe
    "C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Users\Admin\AppData\Local\Temp\ioTH8HtNXY.exe
      "C:\Users\Admin\AppData\Local\Temp\ioTH8HtNXY.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe
        3⤵
          PID:3348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 484
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3772
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:3900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3348-131-0x0000020451280000-0x0000020451281000-memory.dmp

      Filesize

      4KB

    • memory/3348-132-0x0000020451190000-0x00000204511B9000-memory.dmp

      Filesize

      164KB

    • memory/3876-115-0x0000000000400000-0x00000000009DC000-memory.dmp

      Filesize

      5.9MB

    • memory/3876-114-0x0000000002680000-0x0000000002713000-memory.dmp

      Filesize

      588KB

    • memory/4024-130-0x0000000000400000-0x00000000009CC000-memory.dmp

      Filesize

      5.8MB

    • memory/4024-129-0x0000000000B40000-0x0000000000BC8000-memory.dmp

      Filesize

      544KB