Analysis Overview
SHA256
5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0
Threat Level: Known bad
The file SecuriteInfocomWin32Dropp.exe was found to be: Known bad.
Malicious Activity Summary
DarkVNC
DarkVNC payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-07-01 07:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-01 07:30
Reported
2023-07-01 07:32
Platform
win7-20230621-en
Max time kernel
111s
Max time network
115s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.66.3:80 | | tcp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
Files
memory/1368-54-0x00000000001C0000-0x0000000000DDC000-memory.dmp
memory/1368-55-0x0000000004EA0000-0x0000000004EE0000-memory.dmp
memory/1368-56-0x0000000004EA0000-0x0000000004EE0000-memory.dmp
memory/1368-57-0x00000000064B0000-0x00000000065B4000-memory.dmp
memory/1368-58-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-59-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-61-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-63-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-65-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-67-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-69-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-71-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-73-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-75-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-77-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-79-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-81-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-83-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-85-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-87-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-89-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-91-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-93-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-95-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-97-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-99-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-101-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-103-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-105-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-107-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-109-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-111-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-113-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-115-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-117-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-119-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-121-0x00000000064B0000-0x00000000065AE000-memory.dmp
memory/1368-1380-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/1368-1381-0x0000000002C00000-0x0000000002C6A000-memory.dmp
memory/1368-1382-0x0000000005B50000-0x0000000005B9C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-01 07:30
Reported
2023-07-01 07:32
Platform
win10v2004-20230621-en
Max time kernel
142s
Max time network
127s
Command Line
Signatures
DarkVNC
DarkVNC payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3588 set thread context of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe |
| PID 1120 set thread context of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomWin32Dropp.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| RU | 5.42.66.3:80 | 5.42.66.3 | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 20.42.65.88:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 108.177.235.182:443 | | tcp |
| US | 108.177.235.182:443 | | tcp |
| US | 8.8.8.8:53 | 182.235.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
Files
memory/3588-133-0x0000000000430000-0x000000000104C000-memory.dmp
memory/3588-134-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/3588-135-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/3588-136-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-137-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-139-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-141-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-143-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-145-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-147-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-149-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-151-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-153-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-155-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-159-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-157-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-161-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-163-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-165-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-167-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-169-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-171-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-173-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-175-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-177-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-179-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-181-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-183-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-185-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-187-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-189-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-191-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-195-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-193-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-197-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-199-0x0000000006D80000-0x0000000006E7E000-memory.dmp
memory/3588-1458-0x00000000062C0000-0x00000000062C1000-memory.dmp
memory/3588-1459-0x0000000007620000-0x0000000007BC4000-memory.dmp
memory/1120-1465-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1120-1475-0x0000000000400000-0x0000000000488000-memory.dmp
memory/4908-1476-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/4908-1477-0x00000000000D0000-0x0000000000199000-memory.dmp