Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
28-03-2022 19:29
Behavioral task
behavioral1
Sample
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe
Resource
win7-20220311-en
0 signatures
0 seconds
General
-
Target
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe
-
Size
575KB
-
MD5
1088a3707a9424caff2f89182715566a
-
SHA1
03c3a9f9fa10fa7579435303f84ea040485eeb14
-
SHA256
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797
-
SHA512
754e253fd7d64a8304ab5041677ec5432c14ab00f1c1322ccf7770ffeb0b3127f62091184e77ed7852534a645454ab55263e7d598ea8c9651493650ad403aab4
Malware Config
Signatures
-
DarkVNC Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2608-131-0x0000000002A20000-0x0000000002AA9000-memory.dmp darkvnc behavioral2/memory/2608-139-0x0000000002AC0000-0x0000000002C00000-memory.dmp darkvnc -
Suspicious use of SetThreadContext 1 IoCs
Processes:
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exedescription pid process target process PID 2608 set thread context of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exepid process 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exepid process 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exedescription pid process target process PID 2608 wrote to memory of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe PID 2608 wrote to memory of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe PID 2608 wrote to memory of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe PID 2608 wrote to memory of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe PID 2608 wrote to memory of 3416 2608 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe"C:\Users\Admin\AppData\Local\Temp\5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2608-130-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/2608-131-0x0000000002A20000-0x0000000002AA9000-memory.dmpFilesize
548KB
-
memory/2608-135-0x00000000021D0000-0x0000000002243000-memory.dmpFilesize
460KB
-
memory/2608-136-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/2608-137-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/2608-138-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/2608-139-0x0000000002AC0000-0x0000000002C00000-memory.dmpFilesize
1.2MB
-
memory/3416-134-0x0000000000000000-mapping.dmp