569755a8bb7e175deec61ad5808030912464a774de8e422d358e25b9570f9c41

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VNC-5.2.1-Windows.exe
Size

12.2MB
MD5

550994fea844f18ec070e5523d0587ad
SHA1

e6ec99a10284e82f9269f56757ebe0b07228e20d
SHA256

569755a8bb7e175deec61ad5808030912464a774de8e422d358e25b9570f9c41
SHA512

bc9e0c9321d18d4374b00b292e9a871987137907b0a73776366aa6c032a3a3b33919bb7a30c28479c683076d8634665ad5cab7c267b5af0b272db59bb06393c8
SSDEEP

393216:zRGFFBVOAF+XLnpvOYLSibd+Xa0CISH84WY9lMVcf:Y2AF+BDhv0o3Hf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5060	VNC-5.2.1-Windows.tmp
1764	bootstrapinstallerhelper64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1764	bootstrapinstallerhelper64.exe
1764	bootstrapinstallerhelper64.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 5060	4632	VNC-5.2.1-Windows.exe	84
PID 4632 wrote to memory of 5060	4632	VNC-5.2.1-Windows.exe	84
PID 4632 wrote to memory of 5060	4632	VNC-5.2.1-Windows.exe	84
PID 5060 wrote to memory of 1764	5060	VNC-5.2.1-Windows.tmp	85
PID 5060 wrote to memory of 1764	5060	VNC-5.2.1-Windows.tmp	85

C:\Users\Admin\AppData\Local\Temp\VNC-5.2.1-Windows.exe
"C:\Users\Admin\AppData\Local\Temp\VNC-5.2.1-Windows.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\is-52E9K.tmp\VNC-5.2.1-Windows.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-52E9K.tmp\VNC-5.2.1-Windows.tmp" /SL5="$1A0022,12483670,54272,C:\Users\Admin\AppData\Local\Temp\VNC-5.2.1-Windows.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\is-CMARJ.tmp\bootstrapinstallerhelper64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CMARJ.tmp\bootstrapinstallerhelper64.exe" -checklicense
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-52E9K.tmp\VNC-5.2.1-Windows.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52E9K.tmp\VNC-5.2.1-Windows.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CMARJ.tmp\bootstrapinstallerhelper64.exe

Filesize
716KB

MD5
f8dbd60b2078969a6b4fd55ef1a0237e

SHA1
c67d3c9af3657fa1ef98df8281a2729609a1794d

SHA256
3d2cf377f96c1382781ab537deff931518828f48606f9eca780cdfb0246c4752

SHA512
b88ff4e4bcb243422f4a1d4ea3f2d37eb307da1b8e61ec2b232ef89dc9ec29817b4c713d5b750040309e852d82c37b942e8248fdd56cf819fb9d764f50c5ed24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CMARJ.tmp\bootstrapinstallerhelper64.exe

Filesize
716KB

MD5
f8dbd60b2078969a6b4fd55ef1a0237e

SHA1
c67d3c9af3657fa1ef98df8281a2729609a1794d

SHA256
3d2cf377f96c1382781ab537deff931518828f48606f9eca780cdfb0246c4752

SHA512
b88ff4e4bcb243422f4a1d4ea3f2d37eb307da1b8e61ec2b232ef89dc9ec29817b4c713d5b750040309e852d82c37b942e8248fdd56cf819fb9d764f50c5ed24

Download Submit
memory/4632-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4632-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5060-139-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5060-150-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5060-151-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download