darkvnc | 28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff

General

Target

28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
Size

901KB
MD5

a6e9ff0cd09cbe50096fdf30aed057aa
SHA1

678f76dab9b7e0f0ef1a0917b2fad5e10b16a23a
SHA256

28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff
SHA512

3ac902f1a0d0e13ad379dd8ed318fb29becd77068b6dc268ec699696bd843f8fbe34e41fd0b770e373d1f0478c8850f49bf3f9f56efa84e0fc9df1fc0294a78f
SSDEEP

24576:wh7qXY/21x+kdEvWft7Wsfogur37HuXIqQ:wtp21QkdE+Zbf4+XIqQ

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4640-143-0x0000000002A00000-0x0000000002A89000-memory.dmp	darkvnc
behavioral2/memory/4640-149-0x00000000031C0000-0x0000000003300000-memory.dmp	darkvnc
behavioral2/memory/2604-150-0x00000294EC8D0000-0x00000294EC999000-memory.dmp	darkvnc
behavioral2/memory/2604-151-0x00000294EC8D0000-0x00000294EC999000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 4640 set thread context of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 5052 wrote to memory of 4640	5052	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	89
PID 4640 wrote to memory of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90
PID 4640 wrote to memory of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90
PID 4640 wrote to memory of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90
PID 4640 wrote to memory of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90
PID 4640 wrote to memory of 2604	4640	28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe	90

C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-151-0x00000294EC8D0000-0x00000294EC999000-memory.dmp

Filesize
804KB

Download
memory/2604-150-0x00000294EC8D0000-0x00000294EC999000-memory.dmp

Filesize
804KB

Download
memory/4640-147-0x0000000000401000-0x000000000044A000-memory.dmp

Filesize
292KB

Download
memory/4640-143-0x0000000002A00000-0x0000000002A89000-memory.dmp

Filesize
548KB

Download
memory/4640-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4640-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4640-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4640-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4640-149-0x00000000031C0000-0x0000000003300000-memory.dmp

Filesize
1.2MB

Download
memory/4640-148-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5052-132-0x0000000000D20000-0x0000000000DFC000-memory.dmp

Filesize
880KB

Download
memory/5052-135-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/5052-136-0x0000000008FF0000-0x000000000908C000-memory.dmp

Filesize
624KB

Download
memory/5052-134-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/5052-133-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing