Analysis Overview
SHA256: a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35
Threat Level: Known bad
The file a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35 was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC Payload
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Analysis: static1
Detonation Overview
Reported
2022-03-19 07:12
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-19 07:12
Reported
2022-03-19 07:33
Platform
win7-20220311-en
Max time kernel
4294212s
Max time network
157s
Command Line
Signatures
DarkVNC
DarkVNC Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1800 set thread context of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | C:\Windows\system32\WerFault.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
Network
| Country | Destination | Domain | Proto |
| DE | 45.138.172.105:443 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-19 07:12
Reported
2022-03-19 07:33
Platform
win10v2004-en-20220113
Max time kernel
138s
Max time network
151s
Command Line
Signatures
DarkVNC
DarkVNC Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | C:\Windows\system32\WerFault.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe
"C:\Users\Admin\AppData\Local\Temp\a8b945595d20c4157464b57a7bf665e8b8d3df060018ef06e87b4d03bbbffb35.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 464
Network
| Country | Destination | Domain | Proto |
| DE | 45.138.172.105:443 | | tcp |
| US | 72.21.81.240:80 | | tcp |
Files