Malware Analysis Report

2024-09-22 16:45

Sample ID 220427-kez2lshfa7
Target 0c62c142462ce9a7e22757946300b54e92c64f2c118418b48cfe9163d6e32596.dll
SHA256 dde200baa4efabc5a9d3b6444f9642e5bcde60cc6522f8eb90e38a40935e4291
Tags
rat darkvnc
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dde200baa4efabc5a9d3b6444f9642e5bcde60cc6522f8eb90e38a40935e4291

Threat Level: Known bad

The file 0c62c142462ce9a7e22757946300b54e92c64f2c118418b48cfe9163d6e32596.dll was found to be: Known bad.

Malicious Activity Summary

rat darkvnc

DarkVNC Payload

Darkvnc family

Suspicious use of SetThreadContext

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-27 08:31

Signatures

DarkVNC Payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Darkvnc family

darkvnc

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-27 08:31

Reported

2022-04-27 08:32

Platform

win10-20220414-en

Max time kernel

55s

Max time network

58s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c62c142462ce9a7e22757946300b54e92c64f2c118418b48cfe9163d6e32596.dll,#1

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2116 set thread context of 2144 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c62c142462ce9a7e22757946300b54e92c64f2c118418b48cfe9163d6e32596.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c62c142462ce9a7e22757946300b54e92c64f2c118418b48cfe9163d6e32596.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

Network

Country | Destination | Domain | Proto
US | 23.83.133.187:443 | N/A | tcp
US | 23.83.133.187:443 | N/A | tcp
US | 23.83.133.187:443 | N/A | tcp
US | 23.83.133.187:443 | N/A | tcp
US | 20.189.173.3:443 | N/A | tcp

Files

memory/2116-117-0x0000000000000000-mapping.dmp

memory/2144-118-0x0000000000000000-mapping.dmp