Analysis Overview
SHA256
f4d6fa18bba78d69e878956143665a8f6b489ad5fb5b292507debdc5d3db7008
Threat Level: Known bad
The file SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-06-30 16:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 16:55
Reported
2023-06-30 16:57
Platform
win7-20230621-en
Max time kernel
70s
Max time network
30s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 16:55
Reported
2023-06-30 16:57
Platform
win10v2004-20230621-en
Max time kernel
87s
Max time network
117s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4532 set thread context of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe |
| PID 1860 set thread context of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 52.182.141.63:443 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 96.16.53.204:443 | www.bing.com | tcp |
| NL | 96.16.53.204:443 | www.bing.com | tcp |
| NL | 96.16.53.204:443 | www.bing.com | tcp |
| NL | 96.16.53.204:443 | www.bing.com | tcp |
| NL | 96.16.53.204:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 204.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 108.177.235.182:443 | | tcp |
| US | 108.177.235.182:443 | | tcp |
| US | 8.8.8.8:53 | 182.235.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files