darkvnc | cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88

General

Target

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe
Size

9.5MB
MD5

dcb0e76902f912328a7613df7221cfae
SHA1

1814a081ed127351f1cb6ad40e9003ab168508c4
SHA256

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88
SHA512

6367e5546d90ea39432f1a1d1a321206b4b5be31d79ca82f3deea95a94edd25f606e9cc878e5e9dc372efd0338c3f9f071bf5a0268dea667122688263dcf8fda

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2644-130-0x00000000025D0000-0x0000000002659000-memory.dmp	darkvnc
behavioral2/memory/2644-136-0x0000000002A00000-0x0000000002B40000-memory.dmp	darkvnc
behavioral2/memory/5088-138-0x000001ACFD390000-0x000001ACFD459000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

description	pid	process	target process
PID 2644 set thread context of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

pid process

2644 cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

pid process

2644 cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

pid	process
2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

pid	process
2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe

description	pid	process	target process
PID 2644 wrote to memory of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe
PID 2644 wrote to memory of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe
PID 2644 wrote to memory of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe
PID 2644 wrote to memory of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe
PID 2644 wrote to memory of 5088	2644	cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe
"C:\Users\Admin\AppData\Local\Temp\cf04fc9db51e68544ae38d93ef517e8fff5c8a4e14d0c1628e7b9bcbf8286e88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-130-0x00000000025D0000-0x0000000002659000-memory.dmp

Filesize
548KB

Download
memory/2644-134-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2644-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2644-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2644-136-0x0000000002A00000-0x0000000002B40000-memory.dmp

Filesize
1.2MB

Download
memory/5088-137-0x000001ACFD470000-0x000001ACFD471000-memory.dmp

Filesize
4KB

Download
memory/5088-138-0x000001ACFD390000-0x000001ACFD459000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads