Analysis
- max time kernel: 91s
- max time network: 93s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 18-07-2021 10:42

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8b7f63f120e527135f9bb9a3d7621120.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 8b7f63f120e527135f9bb9a3d7621120.exe
- Size: 408KB
- MD5: 8b7f63f120e527135f9bb9a3d7621120
- SHA1: 70c4b402faade6530f0f0e3a8ccc452f1c2773e7
- SHA256: 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
- SHA512: 67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b
Malware Config
Signatures
- DarkVNC Payload (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1676-63-0x0000000000220000-0x00000000002A8000-memory.dmp  darkvnc
    behavioral1/memory/1716-66-0x0000000001B00000-0x0000000001BCA000-memory.dmp  darkvnc
    behavioral1/memory/1676-64-0x0000000000400000-0x00000000008D0000-memory.dmp  darkvnc
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 8b7f63f120e527135f9bb9a3d7621120.exe
    description                          pid   process                               target process
    PID 1676 set thread context of 1716  1676  8b7f63f120e527135f9bb9a3d7621120.exe  WerFault.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 8b7f63f120e527135f9bb9a3d7621120.exe
    pid   process
    1676  8b7f63f120e527135f9bb9a3d7621120.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 8b7f63f120e527135f9bb9a3d7621120.exe
    description                       pid   process                               target process
    PID 1676 wrote to memory of 1716  1676  8b7f63f120e527135f9bb9a3d7621120.exe  WerFault.exe
    (7 entries in the report, all identical to the row above)
Processes
- C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe"
  PID: 1676
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe
    PID: 1716
Network
MITRE ATT&CK Matrix
Downloads
- memory/1676-60-0x0000000075971000-0x0000000075973000-memory.dmp (filesize 8KB)
- memory/1676-63-0x0000000000220000-0x00000000002A8000-memory.dmp (filesize 544KB)
- memory/1676-64-0x0000000000400000-0x00000000008D0000-memory.dmp (filesize 4.8MB)
- memory/1716-61-0x0000000000000000-mapping.dmp
- memory/1716-62-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp (filesize 8KB)
- memory/1716-65-0x0000000000100000-0x0000000000101000-memory.dmp (filesize 4KB)
- memory/1716-66-0x0000000001B00000-0x0000000001BCA000-memory.dmp (filesize 808KB)