darkvnc | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
Size

12.2MB
MD5

450d8900f699a7730d0219ab789fc7b2
SHA1

713a63d0321c51b0c91347d407ece92d8800c0aa
SHA256

383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1
SHA512

82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418
SSDEEP

196608:7zLA8rc2nh3bgz/KjFmRJKxwYfzBaHIGWtqfuNLPRt7WNGV/5BJOy9k0YNiE3lgq:3Lz5UTKuJKxk9WtUMXVVjYym0Yke

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1232-992-0x0000000000400000-0x0000000000488000-memory.dmp	darkvnc
behavioral1/memory/1232-1000-0x0000000000400000-0x0000000000488000-memory.dmp	darkvnc
behavioral1/memory/280-1002-0x0000000000480000-0x0000000000549000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.24734.17790.exeSecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

description	pid	process	target process
PID 1484 set thread context of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1232 set thread context of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

pid process

1232 SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

description pid process

Token: SeDebugPrivilege 1484 SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

pid	process
1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

description	pid	process
Token: SeDebugPrivilege	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.24734.17790.exeSecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

description	pid	process	target process
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232	1484	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe
PID 1232 wrote to memory of 280	1232	SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-1002-0x0000000000480000-0x0000000000549000-memory.dmp

Filesize
804KB

Download
memory/280-1001-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1232-992-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1232-1000-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1484-90-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-980-0x0000000004E60000-0x0000000004EAC000-memory.dmp

Filesize
304KB

Download
memory/1484-62-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-64-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-70-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-68-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-66-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-72-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-74-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-76-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-78-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-82-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-80-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-96-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-86-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-84-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-54-0x0000000000810000-0x0000000001454000-memory.dmp

Filesize
12.3MB

Download
memory/1484-92-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-56-0x0000000006690000-0x000000000676E000-memory.dmp

Filesize
888KB

Download
memory/1484-60-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-88-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-100-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-102-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-106-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-104-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-108-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-110-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-112-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-114-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-116-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-118-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-120-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-979-0x0000000005940000-0x00000000059A8000-memory.dmp

Filesize
416KB

Download
memory/1484-98-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-981-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1484-58-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-57-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-94-0x0000000006690000-0x0000000006768000-memory.dmp

Filesize
864KB

Download
memory/1484-55-0x0000000005800000-0x0000000005840000-memory.dmp

Filesize
256KB

Download