darkvnc | d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 06:27

Target

64b4db1046496c57a0779befc72c264d.exe
Size

448KB
MD5

64b4db1046496c57a0779befc72c264d
SHA1

71cfbee47a5b6f0bb18bba914b5896b3037cfeab
SHA256

d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a
SHA512

d59bf100032299d10e6737d9489202545ce4cf3b403407da0ba0fbbd0f72b502478ce3557008ad785e146041a100e2e48ba1d9414a983d954cea7437c424f3da
SSDEEP

12288:4NO4tKQaWEkJsUy2H5ZhLvWmyN/En9C5:MtKQaTkJs0LemI49

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/2916-3-0x00000000002A0000-0x0000000000328000-memory.dmp	darkvnc
behavioral1/memory/2916-4-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/2684-6-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc
behavioral1/memory/2684-11-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc
behavioral1/memory/2684-12-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc
behavioral1/memory/2684-13-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc
behavioral1/memory/2684-14-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc
behavioral1/memory/2916-15-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/2684-16-0x0000000001D00000-0x0000000001DCA000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2916	64b4db1046496c57a0779befc72c264d.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28
PID 2916 wrote to memory of 2684	2916	64b4db1046496c57a0779befc72c264d.exe	28

C:\Users\Admin\AppData\Local\Temp\64b4db1046496c57a0779befc72c264d.exe
"C:\Users\Admin\AppData\Local\Temp\64b4db1046496c57a0779befc72c264d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:2684

memory/2684-6-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2684-5-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2684-8-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2684-11-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2684-12-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2684-13-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2684-14-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2684-16-0x0000000001D00000-0x0000000001DCA000-memory.dmp

Filesize
808KB

Download
memory/2916-1-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/2916-3-0x00000000002A0000-0x0000000000328000-memory.dmp

Filesize
544KB

Download
memory/2916-4-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/2916-15-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download