Malware Analysis Report

2024-09-22 16:45

Sample ID 220319-h1z8dsdfe5
Target a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35
SHA256 a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35
Tags: upx darkvnc rat

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35

Threat Level: Known bad

The file a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35 was found to be: Known bad.

Malicious Activity Summary

upx darkvnc rat

DarkVNC

DarkVNC Payload

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-03-19 07:12

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-19 07:12

Reported

2022-03-19 07:33

Platform

win7-20220311-en

Max time kernel

4294212s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description: PID 1800 set thread context of 708
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: C:\Windows\system32\WerFault.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: N/A

Suspicious use of UnmapMainImage

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

Network

Country Destination Domain Proto
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp

Files

memory/1800-54-0x0000000075081000-0x0000000075083000-memory.dmp

memory/1800-56-0x0000000000220000-0x0000000000273000-memory.dmp

memory/1800-57-0x0000000004800000-0x0000000004873000-memory.dmp

memory/1800-55-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/1800-58-0x0000000010000000-0x0000000010089000-memory.dmp

memory/708-62-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1800-61-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/1800-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1800-64-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1800-65-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/708-66-0x00000000003A0000-0x0000000000469000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-19 07:12

Reported

2022-03-19 07:33

Platform

win10v2004-en-20220113

Max time kernel

138s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description: PID 1936 set thread context of 4296
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: C:\Windows\system32\WerFault.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe

"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 464

Network

Country Destination Domain Proto
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp
DE 45.138.172.105:443 tcp

Files

memory/1936-130-0x0000000004930000-0x0000000004983000-memory.dmp

memory/1936-131-0x00000000049A0000-0x0000000004A13000-memory.dmp

memory/1936-132-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/1936-133-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/1936-135-0x0000000000450000-0x00000000004D9000-memory.dmp

memory/1936-137-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/4296-138-0x0000019211870000-0x0000019211871000-memory.dmp

memory/1936-139-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/1936-140-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/1936-141-0x0000000000400000-0x00000000047F9000-memory.dmp

memory/4296-142-0x00000192118F0000-0x00000192119B9000-memory.dmp