darkvnc | 5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
28-03-2022 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe
Size

575KB
MD5

1088a3707a9424caff2f89182715566a
SHA1

03c3a9f9fa10fa7579435303f84ea040485eeb14
SHA256

5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797
SHA512

754e253fd7d64a8304ab5041677ec5432c14ab00f1c1322ccf7770ffeb0b3127f62091184e77ed7852534a645454ab55263e7d598ea8c9651493650ad403aab4

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2608-131-0x0000000002A20000-0x0000000002AA9000-memory.dmp	darkvnc
behavioral2/memory/2608-139-0x0000000002AC0000-0x0000000002C00000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79
PID 2608 wrote to memory of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79
PID 2608 wrote to memory of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79
PID 2608 wrote to memory of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79
PID 2608 wrote to memory of 3416	2608	5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe	79

C:\Users\Admin\AppData\Local\Temp\5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe
"C:\Users\Admin\AppData\Local\Temp\5725f38e2426e2992bba27abb7c17e3618c77e3ab994b726e138280e2bd99797.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2608-130-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2608-131-0x0000000002A20000-0x0000000002AA9000-memory.dmp

Filesize
548KB

Download
memory/2608-135-0x00000000021D0000-0x0000000002243000-memory.dmp

Filesize
460KB

Download
memory/2608-136-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2608-137-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2608-138-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2608-139-0x0000000002AC0000-0x0000000002C00000-memory.dmp

Filesize
1.2MB

Download