darkvnc | 5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfocomWin32Dropp.exe
Size

12.1MB
MD5

0ef4e3af8936e03be74afa2395286301
SHA1

273dd0dde838b7878b2870c8a4e2f1fb0d91e6fd
SHA256

5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0
SHA512

6938a111a124bc82d8d0576dc7769170974575ba2c545c53424a7285e6da242dc39f722920adfba88c472ba88313b6e0d682183a6fdb15df1ba98f5cf723c79a
SSDEEP

393216:nzbN0o5te8ZBAVVrXcC73WQGb7wWHeigBlRaJFLQM:nzhFlBAVVrXcCybM3gLQ

Score

10^/10

darkvnc rat

Malware Config

Signatures

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1120-1465-0x0000000000400000-0x0000000000488000-memory.dmp	darkvnc
behavioral2/memory/1120-1475-0x0000000000400000-0x0000000000488000-memory.dmp	darkvnc
behavioral2/memory/4908-1477-0x00000000000D0000-0x0000000000199000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 1120 set thread context of 4908	1120	SecuriteInfocomWin32Dropp.exe	94

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3588	SecuriteInfocomWin32Dropp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1120	SecuriteInfocomWin32Dropp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	SecuriteInfocomWin32Dropp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 3588 wrote to memory of 1120	3588	SecuriteInfocomWin32Dropp.exe	93
PID 1120 wrote to memory of 4908	1120	SecuriteInfocomWin32Dropp.exe	94
PID 1120 wrote to memory of 4908	1120	SecuriteInfocomWin32Dropp.exe	94
PID 1120 wrote to memory of 4908	1120	SecuriteInfocomWin32Dropp.exe	94
PID 1120 wrote to memory of 4908	1120	SecuriteInfocomWin32Dropp.exe	94
PID 1120 wrote to memory of 4908	1120	SecuriteInfocomWin32Dropp.exe	94

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:4908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-1465-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1120-1475-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3588-169-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-1458-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/3588-137-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-139-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-141-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-143-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-133-0x0000000000430000-0x000000000104C000-memory.dmp

Filesize
12.1MB

Download
memory/3588-147-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-149-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-151-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-153-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-155-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-159-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-157-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-161-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-163-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-165-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-173-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-145-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-136-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-167-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-175-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-177-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-179-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-181-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-183-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-185-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-187-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-189-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-191-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-195-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-193-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-197-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-199-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-171-0x0000000006D80000-0x0000000006E7E000-memory.dmp

Filesize
1016KB

Download
memory/3588-1459-0x0000000007620000-0x0000000007BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3588-135-0x0000000005C30000-0x0000000005C40000-memory.dmp

Filesize
64KB

Download
memory/3588-134-0x0000000005C30000-0x0000000005C40000-memory.dmp

Filesize
64KB

Download
memory/4908-1476-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/4908-1477-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download