darkvnc | a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35

General

Target

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Size

565KB
MD5

cb767cd30e2fc7e8e12c27b4e8a5d367
SHA1

f94c105aacfcccc356cad7b8fe631cb27b3e6c20
SHA256

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35
SHA512

9087f912a06e6ae980225d1e31b249300e1ae88dd8a6e66ccd5747770a3f9127ea63e7a9dbd0090cb581c67ad8911de575f8852fe8fac76f36c47529f8a8b4d2

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1936-135-0x0000000000450000-0x00000000004D9000-memory.dmp	darkvnc
behavioral2/memory/4296-142-0x00000192118F0000-0x00000192119B9000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

description	pid	process	target process
PID 1936 set thread context of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4940 1936 WerFault.exe a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid process

1936 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid process

1936 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	pid_target	process	target process
4940	1936	WerFault.exe	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	process
1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

pid	process
1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

description	pid	process	target process
PID 1936 wrote to memory of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1936 wrote to memory of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1936 wrote to memory of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1936 wrote to memory of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe
PID 1936 wrote to memory of 4296	1936	a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 464
  2⤵
  - Program crash
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1936 -ip 1936
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-130-0x0000000004930000-0x0000000004983000-memory.dmp

Filesize
332KB

Download
memory/1936-131-0x00000000049A0000-0x0000000004A13000-memory.dmp

Filesize
460KB

Download
memory/1936-132-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1936-133-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1936-135-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/1936-137-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1936-139-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1936-140-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/1936-141-0x0000000000400000-0x00000000047F9000-memory.dmp

Filesize
68.0MB

Download
memory/4296-138-0x0000019211870000-0x0000019211871000-memory.dmp

Filesize
4KB

Download
memory/4296-142-0x00000192118F0000-0x00000192119B9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads