Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 07:16
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: 2d0b8663c370b76694a77d6ce5f3897c.exe
Resource: win7-20231215-en
windows7-x64
5 signatures
150 seconds
General
Target: 2d0b8663c370b76694a77d6ce5f3897c.exe
Size: 448KB
MD5: 2d0b8663c370b76694a77d6ce5f3897c
SHA1: f803c6a204231bf80b8ee47912c43d597dbfda8f
SHA256: bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330
SHA512: 837d15e30285cdc0b8935bb1f72d06e2c9cd96423dffd81586ed692d27a432496c9da8413c8f356a9be02cb53f9fddd967f724f17799169baf0465ddce49388d
SSDEEP: 12288:6QcCNAX253YeA+2CzSIPi2eWW7IP8T9C57h:6QcCNfpi+vJBc9I
Malware Config
Signatures
- DarkVNC payload 7 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp | darkvnc
  behavioral1/memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp | darkvnc
  behavioral1/memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp | darkvnc
  behavioral1/memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp | darkvnc
  behavioral1/memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp | darkvnc
  behavioral1/memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp | darkvnc
  behavioral1/memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp | darkvnc
- Suspicious use of SetThreadContext 1 IoCs
  Processes: 2d0b8663c370b76694a77d6ce5f3897c.exe
  description | pid | process | target process
  PID 1380 set thread context of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes: 2d0b8663c370b76694a77d6ce5f3897c.exe
  pid | process
  1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe
- Suspicious use of WriteProcessMemory 7 IoCs
  Processes: 2d0b8663c370b76694a77d6ce5f3897c.exe
  description | pid | process | target process
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
  PID 1380 wrote to memory of 2320 | 1380 | 2d0b8663c370b76694a77d6ce5f3897c.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d0b8663c370b76694a77d6ce5f3897c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d0b8663c370b76694a77d6ce5f3897c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe
Network
MITRE ATT&CK Matrix
Downloads
memory dump | Filesize
memory/1380-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp | 1024KB
memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp | 544KB
memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp | 40.6MB
memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp | 40.6MB
memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp | 544KB
memory/2320-4-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp | 4KB
memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp | 808KB
memory/2320-9-0x0000000000170000-0x0000000000171000-memory.dmp | 4KB
memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp | 808KB
memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp | 808KB