darkvnc | a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35

General

Target

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Size

565KB
MD5

cb767cd30e2fc7e8e12c27b4e8a5d367
SHA1

f94c105aacfcccc356cad7b8fe631cb27b3e6c20
SHA256

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35
SHA512

9087f912a06e6ae980225d1e31b249300e1ae88dd8a6e66ccd5747770a3f9127ea63e7a9dbd0090cb581c67ad8911de575f8852fe8fac76f36c47529f8a8b4d2

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-58-0x0000000010000000-0x0000000010089000-memory.dmp	darkvnc
behavioral1/memory/708-66-0x00000000003A0000-0x0000000000469000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

description	pid	process	target process
PID 1800 set thread context of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid process

1800 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid process

1800 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid process

1800 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	process
1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	process
1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	process
1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

description	pid	process	target process
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1800 wrote to memory of 708	1800	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/708-62-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/708-66-0x00000000003A0000-0x0000000000469000-memory.dmp

Filesize
804KB

Download
memory/1800-54-0x0000000075081000-0x0000000075083000-memory.dmp

Filesize
8KB

Download
memory/1800-56-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1800-57-0x0000000004800000-0x0000000004873000-memory.dmp

Filesize
460KB

Download
memory/1800-55-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1800-58-0x0000000010000000-0x0000000010089000-memory.dmp

Filesize
548KB

Download
memory/1800-61-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1800-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1800-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1800-65-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads