Analysis Overview
SHA256
a1c7a2331009bf0cac46f57a5446d3c969161c435c67ac4a1b98c0a4ce712787
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-30 18:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 18:46
Reported
2023-06-30 18:48
Platform
win7-20230621-en
Max time kernel
101s
Max time network
102s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe |
| PID 1084 set thread context of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
memory/2040-60-0x0000000000870000-0x00000000014B4000-memory.dmp
memory/2040-61-0x0000000005860000-0x00000000058A0000-memory.dmp
memory/2040-62-0x0000000005860000-0x00000000058A0000-memory.dmp
memory/2040-63-0x0000000006470000-0x000000000654E000-memory.dmp
memory/2040-64-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-65-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-67-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-69-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-71-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-73-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-75-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-77-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-79-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-81-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-83-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-85-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-87-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-89-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-91-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-93-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-95-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-97-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-99-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-101-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-103-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-105-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-107-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-109-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-111-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-113-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-115-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-117-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-119-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-121-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-123-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-125-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-127-0x0000000006470000-0x0000000006548000-memory.dmp
memory/2040-986-0x0000000000810000-0x0000000000811000-memory.dmp
memory/2040-987-0x00000000059A0000-0x0000000005A08000-memory.dmp
memory/2040-988-0x0000000004E80000-0x0000000004ECC000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
memory/1084-1001-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1740-1009-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1740-1010-0x00000000003A0000-0x0000000000469000-memory.dmp
memory/1084-1011-0x0000000000400000-0x0000000000488000-memory.dmp
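The memory dump names above encode the PID, a capture sequence number and the dumped address range. Read together with the SetThreadContext rows they show where the unpacked code ends up: PID 1084 holds a 0x88000-byte region at 0x400000, the default image base of a 32-bit executable (captured twice), and svchost.exe PID 1740 holds a 0xC9000-byte region at 0x3A0000 that the injector wrote there. The many captures of 0x6470000-0x6548000 in PID 2040 are the same range being rewritten while the first stage unpacks. The Python below is an added example, not part of the report: it parses the dump names (a constructed subset of the list above), collapses repeated captures of one range, and ranks which dumps to open first. The triage heuristics are the editor's.

```python
import re
from collections import defaultdict

# Dump file names: a constructed subset copied from the behavioral1 list above.
DUMPS = [
    "memory/2040-60-0x0000000000870000-0x00000000014B4000-memory.dmp",
    "memory/2040-63-0x0000000006470000-0x000000000654E000-memory.dmp",
    "memory/2040-64-0x0000000006470000-0x0000000006548000-memory.dmp",
    "memory/2040-65-0x0000000006470000-0x0000000006548000-memory.dmp",
    "memory/1084-1001-0x0000000000400000-0x0000000000488000-memory.dmp",
    "memory/1740-1009-0x0000000000250000-0x0000000000251000-memory.dmp",
    "memory/1740-1010-0x00000000003A0000-0x0000000000469000-memory.dmp",
    "memory/1084-1011-0x0000000000400000-0x0000000000488000-memory.dmp",
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_IMAGE_BASE = 0x400000   # default ImageBase of a 32-bit PE executable
PAGE = 0x1000


def parse_dump(name):
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Collapse repeated captures of the same address range into one record
    carrying the number of dumps and the first sequence number."""
    table = defaultdict(dict)
    for d in map(parse_dump, names):
        rec = table[d["pid"]].setdefault(
            (d["start"], d["end"]),
            {"start": d["start"], "end": d["end"], "size": d["size"],
             "dumps": 0, "first_seq": d["seq"]})
        rec["dumps"] += 1
    return {pid: sorted(v.values(), key=lambda r: r["first_seq"])
            for pid, v in table.items()}


def triage(names, injected_pids):
    """Pick the dumps to open first. injected_pids are the SetThreadContext
    targets from the signature table (here 1740, the svchost.exe instance)."""
    picks = []
    for pid, regions in regions_by_pid(names).items():
        for r in regions:
            if r["size"] <= PAGE:
                continue        # a single page is rarely the payload body
            if r["start"] == DEFAULT_IMAGE_BASE:
                reason = "PE-sized region at the default 32-bit image base (unpacked payload image)"
            elif pid in injected_pids:
                reason = "region inside a SetThreadContext target (injected code)"
            elif r["dumps"] > 1:
                reason = f"same range captured {r['dumps']} times (rewritten during unpacking)"
            else:
                continue
            picks.append({"pid": pid, "range": f"0x{r['start']:X}-0x{r['end']:X}",
                          "size": r["size"], "reason": reason})
    return picks


if __name__ == "__main__":
    for p in triage(DUMPS, {1740}):
        print(f"PID {p['pid']:>5} {p['range']:>20} {p['size']:>8,} B  {p['reason']}")
```

Run against the full list the 0x6470000-0x6548000 range in PID 2040 is reported with a count in the thirties; the two dumps that matter for extracting the DarkVNC payload are the 0x400000 image in PID 1084 and the injected region in PID 1740.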
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 18:46
Reported
2023-06-30 18:48
Platform
win10v2004-20230621-en
Max time kernel
85s
Max time network
142s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4108 set thread context of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe |
| PID 3892 set thread context of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.132.255.8.in-addr.arpa | udp |
| US | 173.234.155.20:443 | | tcp |
| US | 173.234.155.20:443 | | tcp |
| US | 8.8.8.8:53 | 20.155.234.173.in-addr.arpa | udp |
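The behavioral2 network table mixes three kinds of rows: the sample's own connections, reverse (PTR) lookups the Windows 10 guest sent to its resolver 8.8.8.8, and the resolver itself. Only the first group is an indicator. The PTR names are useful solely as a cross-check on which IPs the guest touched (20.155.234.173.in-addr.arpa is the reverse of 173.234.155.20, 3.66.42.5.in-addr.arpa of 5.42.66.3), and PTR names with no matching connection in the table are most likely background traffic of the analysis VM rather than sample behaviour. 5.42.66.3:80 is the one destination contacted in both detonations. The Python below is an added example, not part of the report; the rows are constructed from the table above and the filtering rules are the editor's.

```python
import ipaddress

# Rows constructed from the behavioral2 Network table above:
# (country, destination ip:port, domain column, protocol)
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "254.5.248.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("RU", "5.42.66.3:80", "5.42.66.3", "tcp"),
    ("US", "8.8.8.8:53", "3.66.42.5.in-addr.arpa", "udp"),
    ("US", "173.234.155.20:443", "", "tcp"),
    ("US", "173.234.155.20:443", "", "tcp"),
    ("US", "8.8.8.8:53", "20.155.234.173.in-addr.arpa", "udp"),
]

SANDBOX_RESOLVERS = {"8.8.8.8"}   # the guest's configured DNS server in this detonation


def ptr_target(name):
    """'3.66.42.5.in-addr.arpa' -> '5.42.66.3'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return ip


def extract_iocs(rows, resolvers=SANDBOX_RESOLVERS):
    """Split the table into sample connections, reverse lookups the guest
    issued, and reverse lookups that match no connection (noise candidates)."""
    connections, ptr_ips = set(), set()
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if ip in resolvers and port == "53":
            target = ptr_target(domain)
            if target:
                ptr_ips.add(target)
            continue                      # the resolver itself is not an indicator
        connections.add((ip, int(port), proto))
    contacted = {ip for ip, _, _ in connections}
    return {
        "connections": connections,
        "ptr_lookups": ptr_ips,
        "corroborated": contacted & ptr_ips,
        "unmatched_ptr": ptr_ips - contacted,
    }


def as_indicators(result):
    """Flat, sorted 'ip:port/proto' list for an IOC feed; PTR-only IPs are excluded."""
    return sorted(f"{ip}:{port}/{proto}" for ip, port, proto in result["connections"])


if __name__ == "__main__":
    res = extract_iocs(NETWORK_ROWS)
    print("indicators :", as_indicators(res))
    print("background :", sorted(res["unmatched_ptr"]))
```

The 173.234.155.20:443 rows should still be reviewed before they go into a blocklist: the table shows a TLS connection and its reverse lookup, but nothing on this page ties that host to the DarkVNC payload the way the shared 5.42.66.3:80 connection does.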
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
memory/4108-138-0x0000000000AC0000-0x0000000001704000-memory.dmp
memory/4108-139-0x0000000006210000-0x0000000006220000-memory.dmp
memory/4108-140-0x00000000078E0000-0x0000000007E84000-memory.dmp
memory/4108-141-0x0000000006A70000-0x0000000006B02000-memory.dmp
memory/4108-142-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-143-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-145-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-147-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-149-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-151-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-153-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-155-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-157-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-159-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-161-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-163-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-165-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-167-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-169-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-171-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-173-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-175-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-177-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-179-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-181-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-183-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-185-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-187-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-189-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-191-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-193-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-195-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-197-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-199-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-201-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-203-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-205-0x0000000006870000-0x0000000006948000-memory.dmp
memory/4108-1064-0x0000000006A10000-0x0000000006A11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
| MD5 | 450d8900f699a7730d0219ab789fc7b2 |
| SHA1 | 713a63d0321c51b0c91347d407ece92d8800c0aa |
| SHA256 | 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1 |
| SHA512 | 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418 |
memory/3892-1071-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3892-1081-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3200-1082-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/3200-1083-0x0000000000300000-0x00000000003C9000-memory.dmp