Analysis
- max time kernel: 92s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 00:08

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 3102a215865232a5bbca8b70f1aa4488.exe
- Resource: win7-20231129-en (windows7-x64)
- 2 signatures
- 150 seconds
General
- Target: 3102a215865232a5bbca8b70f1aa4488.exe
- Size: 4.1MB
- MD5: 3102a215865232a5bbca8b70f1aa4488
- SHA1: b67be5b19264406c6964f5d49848b3bebb9fac72
- SHA256: 818ad5bddef3160906785f6cc788d06a66cec2de9f57a21a7562feb0c89334ae
- SHA512: 9a6dc4c1c107f9fc7527760485e1005cb4e59f0c932a9a6039ac99c93913a26cbb926da45b832554c322fb47dc5280948c3612df6fadf6ecc6c68f1f4b61ecd7
- SSDEEP: 24576:BLCTr7fStXHx+4e2O8vP817bBHiCIQEyLc0NShwvfbj0FoJJ5dhF2Qr3vLNHKKrS:BLCT/CXHxprYrSCHKoJJ5dhFNb0Ui7
Malware Config
Signatures
- DarkVNC payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2200-2-0x0000000000400000-0x000000000048A000-memory.dmp / darkvnc
  - behavioral2/memory/2200-0-0x0000000000400000-0x000000000048A000-memory.dmp / darkvnc
  - behavioral2/memory/2200-4-0x0000000000400000-0x000000000048A000-memory.dmp / darkvnc
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 5056 set thread context of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
- Program crash (1 IoC)
  Processes (pid / pid_target / process):
  - 4056 / 2200 / WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 5056 wrote to memory of 2200 / 5056 / 3102a215865232a5bbca8b70f1aa4488.exe / 3102a215865232a5bbca8b70f1aa4488.exe
  - PID 2200 wrote to memory of 1196 / 2200 / 3102a215865232a5bbca8b70f1aa4488.exe / WerFault.exe
  - PID 2200 wrote to memory of 1196 / 2200 / 3102a215865232a5bbca8b70f1aa4488.exe / WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3102a215865232a5bbca8b70f1aa4488.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3102a215865232a5bbca8b70f1aa4488.exe"
  PID: 5056
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3102a215865232a5bbca8b70f1aa4488.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3102a215865232a5bbca8b70f1aa4488.exe"
    PID: 2200
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe
  PID: 1196
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2200 -ip 2200
  PID: 4116
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 508
  PID: 4056
  - Program crash