Analysis Overview
SHA256
28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff
Threat Level: Known bad
The file 28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:36
Reported
2023-01-29 19:39
Platform
win7-20221111-en
Max time kernel
54s
Max time network
33s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1736 set thread context of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe |
| PID 668 set thread context of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | C:\Windows\system32\WerFault.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe"
C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"{path}"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
Network
Files
memory/1736-54-0x0000000000970000-0x0000000000A4C000-memory.dmp
memory/1736-55-0x0000000075F01000-0x0000000075F03000-memory.dmp
memory/1736-56-0x0000000000410000-0x0000000000422000-memory.dmp
memory/1736-57-0x0000000005080000-0x0000000005146000-memory.dmp
memory/668-59-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-58-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-61-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-63-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-65-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-66-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-68-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-69-0x0000000000401000-mapping.dmp
memory/668-71-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-73-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-74-0x0000000000400000-0x0000000000478000-memory.dmp
memory/668-75-0x0000000000401000-0x000000000044A000-memory.dmp
memory/668-76-0x0000000010000000-0x0000000010089000-memory.dmp
memory/1016-79-0x0000000000000000-mapping.dmp
memory/668-80-0x0000000000400000-0x000000000044D000-memory.dmp
memory/668-81-0x0000000002700000-0x0000000002840000-memory.dmp
memory/668-82-0x0000000000401000-0x000000000044A000-memory.dmp
memory/1016-83-0x0000000001B40000-0x0000000001C09000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:36
Reported
2023-01-29 19:39
Platform
win10v2004-20220901-en
Max time kernel
130s
Max time network
148s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5052 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe |
| PID 4640 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | C:\Windows\system32\WerFault.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe"
C:\Users\Admin\AppData\Local\Temp\28537d41a0ef3e2bb3ba3419804d6f13070415190de476aaadca000b6af2fdff.exe
"{path}"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 52.182.141.63:443 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
| N/A | 160.20.147.195:91 | | tcp |
Files
memory/5052-132-0x0000000000D20000-0x0000000000DFC000-memory.dmp
memory/5052-133-0x0000000005ED0000-0x0000000006474000-memory.dmp
memory/5052-134-0x00000000057F0000-0x0000000005882000-memory.dmp
memory/5052-135-0x00000000057B0000-0x00000000057BA000-memory.dmp
memory/5052-136-0x0000000008FF0000-0x000000000908C000-memory.dmp
memory/4640-137-0x0000000000000000-mapping.dmp
memory/4640-138-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4640-140-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4640-141-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4640-142-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4640-143-0x0000000002A00000-0x0000000002A89000-memory.dmp
memory/2604-146-0x0000000000000000-mapping.dmp
memory/4640-147-0x0000000000401000-0x000000000044A000-memory.dmp
memory/4640-148-0x0000000000400000-0x000000000044D000-memory.dmp
memory/4640-149-0x00000000031C0000-0x0000000003300000-memory.dmp
memory/2604-150-0x00000294EC8D0000-0x00000294EC999000-memory.dmp
memory/2604-151-0x00000294EC8D0000-0x00000294EC999000-memory.dmp