darkvnc | 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4 | Triage

Analysis

max time kernel
18s
max time network
128s
platform
windows10_x64
resource
win10v20210408
submitted
18-07-2021 10:42

Sharing

Report Analysis Logs

General

Target

8b7f63f120e527135f9bb9a3d7621120.exe
Size

408KB
MD5

8b7f63f120e527135f9bb9a3d7621120
SHA1

70c4b402faade6530f0f0e3a8ccc452f1c2773e7
SHA256

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
SHA512

67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2812 created 3716 2812 WerFault.exe 8b7f63f120e527135f9bb9a3d7621120.exe

DarkVNC Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3716-116-0x0000000000400000-0x00000000008D0000-memory.dmp	darkvnc
behavioral2/memory/3716-115-0x00000000024C0000-0x0000000002548000-memory.dmp	darkvnc
behavioral2/memory/2572-118-0x0000021B14940000-0x0000021B14A0A000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

8b7f63f120e527135f9bb9a3d7621120.exe

description pid process target process

PID 3716 set thread context of 2572 3716 8b7f63f120e527135f9bb9a3d7621120.exe WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2812 3716 WerFault.exe 8b7f63f120e527135f9bb9a3d7621120.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8b7f63f120e527135f9bb9a3d7621120.exe

pid process

3716 8b7f63f120e527135f9bb9a3d7621120.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2812 WerFault.exe
Token: SeBackupPrivilege 2812 WerFault.exe
Token: SeDebugPrivilege 2812 WerFault.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

8b7f63f120e527135f9bb9a3d7621120.exe

description	pid	process	target process
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	WerFault.exe
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	WerFault.exe
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	WerFault.exe
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	WerFault.exe
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe
"C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 488
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-114-0x0000000000000000-mapping.dmp

Download
memory/2572-117-0x0000021B145E0000-0x0000021B14609000-memory.dmp

Filesize
164KB

Download
memory/2572-118-0x0000021B14940000-0x0000021B14A0A000-memory.dmp

Filesize
808KB

Download
memory/3716-116-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download
memory/3716-115-0x00000000024C0000-0x0000000002548000-memory.dmp

Filesize
544KB

Download