Analysis Overview
SHA256
5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0
Threat Level: Known bad
The file SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-06-30 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 19:47
Reported
2023-06-30 19:49
Platform
win7-20230621-en
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.66.3:80 | | tcp |
| RU | 5.42.66.3:80 | | tcp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 19:47
Reported
2023-06-30 19:49
Platform
win10v2004-20230621-en
Max time kernel
151s
Max time network
149s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5016 set thread context of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe |
| PID 4168 set thread context of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
| US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 20.189.173.15:443 | | tcp |
| US | 8.8.8.8:53 | 76.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 108.177.235.182:443 | | tcp |
| US | 108.177.235.182:443 | | tcp |
| US | 8.8.8.8:53 | 182.235.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.143.109.104.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
Files