Analysis Overview
SHA256
383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1
Threat Level: Known bad
The file SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-06-30 18:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 18:45
Reported
2023-06-30 18:47
Platform
win7-20230621-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe |
| PID 1232 set thread context of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.66.3:80 | | tcp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
Files
memory/1484-54-0x0000000000810000-0x0000000001454000-memory.dmp
memory/1484-55-0x0000000005800000-0x0000000005840000-memory.dmp
memory/1484-56-0x0000000006690000-0x000000000676E000-memory.dmp
memory/1484-57-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-58-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-60-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-62-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-64-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-70-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-68-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-66-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-72-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-74-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-76-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-78-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-82-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-80-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-88-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-86-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-84-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-90-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-92-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-94-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-98-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-96-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-100-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-102-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-106-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-104-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-108-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-110-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-112-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-114-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-116-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-118-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-120-0x0000000006690000-0x0000000006768000-memory.dmp
memory/1484-979-0x0000000005940000-0x00000000059A8000-memory.dmp
memory/1484-980-0x0000000004E60000-0x0000000004EAC000-memory.dmp
memory/1484-981-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1232-992-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1232-1000-0x0000000000400000-0x0000000000488000-memory.dmp
memory/280-1001-0x0000000000020000-0x0000000000021000-memory.dmp
memory/280-1002-0x0000000000480000-0x0000000000549000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 18:45
Reported
2023-06-30 18:47
Platform
win10v2004-20230621-en
Max time kernel
98s
Max time network
130s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe |
| PID 1572 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
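The two "Suspicious use of SetThreadContext" tables (win7 and win10 runs) and the process lists describe the same two-hop chain: the dropped executable calls SetThreadContext on a second copy of itself, and that copy calls it on a freshly started svchost.exe, which is the classic shape of process hollowing. The following is an added example, not part of the sandbox report or the sample's code: it parses the rows exactly as printed above, reconstructs the PID chain, labels each hop from the image paths, and pulls the dumped memory regions of the injected PIDs from the Files lists so the sizes can be compared across runs. The system-directory list and the labels are my own assumptions; the report itself only records the API calls.

```python
import re
from collections import defaultdict

# Constructed input: the SetThreadContext rows and a few memory dump names copied
# verbatim from the behavioral1 (win7) and behavioral2 (win10) reports above.
RUN1_ROWS = r"""
| PID 1484 set thread context of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe |
| PID 1232 set thread context of 280 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe |
"""
RUN2_ROWS = r"""
| PID 4664 set thread context of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe |
| PID 1572 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24734.17790.exe | C:\Windows\system32\svchost.exe |
"""
RUN1_DUMPS = """
memory/1484-54-0x0000000000810000-0x0000000001454000-memory.dmp
memory/1232-992-0x0000000000400000-0x0000000000488000-memory.dmp
memory/280-1002-0x0000000000480000-0x0000000000549000-memory.dmp
"""
RUN2_DUMPS = """
memory/4664-133-0x0000000000E70000-0x0000000001AB4000-memory.dmp
memory/1572-1075-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2692-1077-0x0000000000C30000-0x0000000000CF9000-memory.dmp
"""

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# Assumption: image paths under these directories are treated as OS binaries.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_setthreadcontext(table):
    """One dict per table row: which PID called SetThreadContext on which, with both image paths."""
    edges = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        m = ROW_RE.search(cells[0]) if len(cells) == 4 else None
        if m:
            edges.append({"src": int(m.group(1)), "dst": int(m.group(2)),
                          "src_image": cells[2], "dst_image": cells[3]})
    return edges

def injection_chain(edges):
    """Follow src -> dst links starting from the one PID that is never itself a target."""
    nxt = {e["src"]: e["dst"] for e in edges}
    targets = {e["dst"] for e in edges}
    roots = [pid for pid in nxt if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected a single injection root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return chain

def classify_edges(edges):
    """Label each hop by what the two image paths say about it (labels are this example's own)."""
    labels = []
    for e in edges:
        src, dst = e["src_image"].lower(), e["dst_image"].lower()
        if dst.startswith(SYSTEM_DIRS) and not src.startswith(SYSTEM_DIRS):
            labels.append(("hollowed_system_binary", e["src"], e["dst"]))
        elif src == dst:
            labels.append(("self_injection_stage", e["src"], e["dst"]))
        else:
            labels.append(("cross_process_injection", e["src"], e["dst"]))
    return labels

def dumped_regions(dumps, pids):
    """(start, size) of every dumped region that belongs to one of the given PIDs."""
    regions = defaultdict(list)
    for m in DUMP_RE.finditer(dumps):
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if pid in pids:
            regions[pid].append((start, end - start))
    return dict(regions)

def analyze_run(rows, dumps):
    edges = parse_setthreadcontext(rows)
    chain = injection_chain(edges)
    return {"chain": chain, "labels": classify_edges(edges),
            "regions": dumped_regions(dumps, set(chain[1:]))}   # regions of the injected PIDs only

if __name__ == "__main__":
    for name, rows, dumps in (("win7", RUN1_ROWS, RUN1_DUMPS), ("win10", RUN2_ROWS, RUN2_DUMPS)):
        r = analyze_run(rows, dumps)
        print(name, " -> ".join(map(str, r["chain"])), r["labels"],
              {p: [(hex(s), hex(n)) for s, n in v] for p, v in r["regions"].items()})
```

Run against the rows above, both detonations give the same picture: a self-injection hop followed by a hop into svchost.exe, a 0x88000-byte region at the default image base 0x400000 dumped from the middle process in each run, and a 0xC9000-byte region dumped from svchost.exe in each run. Identical sizes across two different platforms are what you would expect if the same unpacked image is being written each time, which is the region to carve for a YARA rule or for a DarkVNC config extractor.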
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 13.89.179.8:443 | | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 173.234.155.20:443 | | tcp |
| US | 173.234.155.20:443 | | tcp |
| US | 8.8.8.8:53 | 20.155.234.173.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
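The win7 run contacted a single destination, 5.42.66.3:80, by IP with no hostname. The win10 run shows the same connection plus reverse-DNS lookups sent to 8.8.8.8 and a handful of Microsoft and Bing connections, the usual Windows 10 background noise in a sandbox. The report does not label any destination as command and control, so the following added example (mine, not the report's or the malware author's) treats this as a triage problem: parse both Network tables as printed above, discard resolver and known-benign traffic, decode the PTR names back to the addresses that were looked up, and rank what is left by how many detonations it appears in, whether it was reached directly by IP, and whether something in the run also resolved its reverse record. The noise lists and the scoring are assumptions to tune per environment, not facts from the page.

```python
import re
from collections import Counter

# Constructed input: the rows of the two Network tables above (behavioral1 on win7,
# behavioral2 on win10). Rows with no Domain value are given in the collapsed form
# table extraction sometimes produces (protocol slid into the Domain column);
# parse_network() accepts both layouts.
WIN7_NET = """
| RU | 5.42.66.3:80 | tcp | |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
"""
WIN10_NET = """
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 13.89.179.8:443 | tcp | |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 173.234.155.20:443 | tcp | |
| US | 173.234.155.20:443 | tcp | |
| US | 8.8.8.8:53 | 20.155.234.173.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp |
"""

# Assumptions (not from the report): the sandbox resolver and Windows' own
# background traffic are noise; everything else is a candidate for analyst review.
RESOLVER_IPS = {"8.8.8.8"}
BENIGN_DOMAINS = {"www.bing.com"}

def parse_network(table):
    """Rows of a | Country | Destination | Domain | Proto | table as dicts."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        cells += [""] * (4 - len(cells))          # a trailing empty cell may be missing entirely
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:   # protocol slid into the Domain column
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows

def ptr_name_to_ip(name):
    """'3.66.42.5.in-addr.arpa' -> '5.42.66.3'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))

def triage(runs):
    """Rank (ip, port, proto) destinations across detonations, highest score first.

    score = number of runs the destination appears in
            + 1 if the connection went straight to the IP with no hostname
            + 1 if some process in a run also reverse-resolved that IP
    """
    runs_seen = Counter()
    direct_ip, ptr_lookups = set(), set()
    for rows in runs:
        in_this_run = set()
        for r in rows:
            if r["ip"] in RESOLVER_IPS:              # DNS to the resolver: keep only what it looked up
                ip = ptr_name_to_ip(r["domain"])
                if ip:
                    ptr_lookups.add(ip)
                continue
            if r["domain"] in BENIGN_DOMAINS:
                continue
            key = (r["ip"], r["port"], r["proto"])
            in_this_run.add(key)
            if r["domain"] == r["ip"]:
                direct_ip.add(key)
        runs_seen.update(in_this_run)
    ranked = sorted(((n + (key in direct_ip) + (key[0] in ptr_lookups), key)
                     for key, n in runs_seen.items()), reverse=True)
    return ranked, sorted(ptr_lookups)

if __name__ == "__main__":
    ranked, ptrs = triage([parse_network(WIN7_NET), parse_network(WIN10_NET)])
    for score, (ip, port, proto) in ranked:
        print(f"score={score} {ip}:{port}/{proto}")
    print("reverse-looked-up IPs:", ptrs)
```

On these two tables 5.42.66.3:80 comes out on top with the maximum score: it is the only destination present in both detonations, it was reached directly by IP, and 3.66.42.5.in-addr.arpa shows something in the win10 run reverse-resolving it. That makes it the address to block and hunt for first, while 173.234.155.20, 13.89.179.8 and 93.184.221.240 sit in the long tail of single-run HTTPS/HTTP connections that need a look at the actual traffic before they are treated as indicators.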
Files
memory/4664-133-0x0000000000E70000-0x0000000001AB4000-memory.dmp
memory/4664-134-0x0000000006490000-0x00000000064A0000-memory.dmp
memory/4664-135-0x0000000006490000-0x00000000064A0000-memory.dmp
memory/4664-136-0x0000000007BF0000-0x0000000008194000-memory.dmp
memory/4664-137-0x00000000076F0000-0x0000000007782000-memory.dmp
memory/4664-138-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-139-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-141-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-143-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-145-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-147-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-149-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-151-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-153-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-155-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-157-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-159-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-161-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-163-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-165-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-167-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-169-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-171-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-173-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-175-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-177-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-179-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-181-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-183-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-185-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-187-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-189-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-191-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-195-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-193-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-197-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-199-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-201-0x0000000007560000-0x0000000007638000-memory.dmp
memory/4664-1060-0x0000000006C00000-0x0000000006C01000-memory.dmp
memory/1572-1075-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2692-1076-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/2692-1077-0x0000000000C30000-0x0000000000CF9000-memory.dmp