Malware Analysis Report

2024-09-22 16:46

Sample ID 230630-xd5lxsfd2v
Target SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
SHA256 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1
Tags
darkvnc rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1

Threat Level: Known bad

The file SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe was found to be: Known bad.

Malicious Activity Summary

darkvnc rat

DarkVNC

DarkVNC payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-30 18:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 18:45

Reported

2023-06-30 18:47

Platform

win7-20230621-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1484 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1232 wrote to memory of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

Network

Country | Destination | Domain | Proto
RU | 5.42.66.3:80 | | tcp
RU | 5.42.66.3:80 | 5.42.66.3 | tcp

Files

memory/1484-54-0x0000000000810000-0x0000000001454000-memory.dmp

memory/1484-55-0x0000000005800000-0x0000000005840000-memory.dmp

memory/1484-56-0x0000000006690000-0x000000000676E000-memory.dmp

memory/1484-57-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-58-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-60-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-62-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-64-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-70-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-68-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-66-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-72-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-74-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-76-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-78-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-82-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-80-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-88-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-86-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-84-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-90-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-92-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-94-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-98-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-96-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-100-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-102-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-106-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-104-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-108-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-110-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-112-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-114-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-116-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-118-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-120-0x0000000006690000-0x0000000006768000-memory.dmp

memory/1484-979-0x0000000005940000-0x00000000059A8000-memory.dmp

memory/1484-980-0x0000000004E60000-0x0000000004EAC000-memory.dmp

memory/1484-981-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1232-992-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1232-1000-0x0000000000400000-0x0000000000488000-memory.dmp

memory/280-1001-0x0000000000020000-0x0000000000021000-memory.dmp

memory/280-1002-0x0000000000480000-0x0000000000549000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 18:45

Reported

2023-06-30 18:47

Platform

win10v2004-20230621-en

Max time kernel

98s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 4664 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
PID 1572 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1572 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1572 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1572 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe
PID 1572 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 5.42.66.3:80 | 5.42.66.3 | tcp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 13.89.179.8:443 | | tcp
NL | 95.101.74.134:443 | www.bing.com | tcp
NL | 95.101.74.134:443 | www.bing.com | tcp
NL | 95.101.74.134:443 | www.bing.com | tcp
NL | 95.101.74.134:443 | www.bing.com | tcp
NL | 95.101.74.134:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 134.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
US | 173.234.155.20:443 | | tcp
US | 173.234.155.20:443 | | tcp
US | 8.8.8.8:53 | 20.155.234.173.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp

Files

memory/4664-133-0x0000000000E70000-0x0000000001AB4000-memory.dmp

memory/4664-134-0x0000000006490000-0x00000000064A0000-memory.dmp

memory/4664-135-0x0000000006490000-0x00000000064A0000-memory.dmp

memory/4664-136-0x0000000007BF0000-0x0000000008194000-memory.dmp

memory/4664-137-0x00000000076F0000-0x0000000007782000-memory.dmp

memory/4664-138-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-139-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-141-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-143-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-145-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-147-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-149-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-151-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-153-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-155-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-157-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-159-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-161-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-163-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-165-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-167-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-169-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-171-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-173-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-175-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-177-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-179-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-181-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-183-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-185-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-187-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-189-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-191-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-195-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-193-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-197-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-199-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-201-0x0000000007560000-0x0000000007638000-memory.dmp

memory/4664-1060-0x0000000006C00000-0x0000000006C01000-memory.dmp

memory/1572-1075-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2692-1076-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/2692-1077-0x0000000000C30000-0x0000000000CF9000-memory.dmp