Analysis

  • max time kernel
    1701s
  • max time network
    1152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-07-2024 08:20

General

  • Target

    nVNC/nvnc.exe

  • Size

    3.5MB

  • MD5

    97c7721005493d49de6c7e71fd29fb0c

  • SHA1

    018d216371afa49370531c003b7196f042fb1bad

  • SHA256

    001bbc6b9f01b1f5996eaf2e725ce8d367dc398f90e065848816758b1a2d1256

  • SHA512

    335ce1d14621c2df023f87f80b08647bd153a5fd60c9d6bfcb47c40763128963659605dade9a9b9bfb93f74635b95ed3f529f8c7d8bee5f8a90df18fba6b304f

  • SSDEEP

    98304:jQl+wlWly+maKZpZGvzydeH9JGPC7o0DtwlLxtPP7+1ug:jQlVxfPqzgMS4o0527Ng

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
    "C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
      "C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c CLS
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ctypes.pyd
    Filesize 72KB
    MD5 f9982f8b1176597b81ed1285d1616ce7
    SHA1 7cf74cce8b20adeeff83e29eacc028bdf2d7c18a
    SHA256 d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
    SHA512 cd3339dc69ff918d3e4db2ae219ff7df58f18a151f088fa051b4cdf48e4cfd6569a9ca9e414708818004de7d0cb3cea64fa2ee4c0a1f6b832d86229446e22153

  • C:\Users\Admin\AppData\Local\Temp\_MEI35642\_socket.pyd
    Filesize 40KB
    MD5 07789a8c23bcebe32f8bfd4ce4af5ffb
    SHA1 132d7ad9d2a7c3ff51b246fd14f0a4f738d68e10
    SHA256 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
    SHA512 d461d8313c285e568ce44c08d1af7c54aafae0d1e8235109d5d71f6baffe8f677ae3202590cf33ab34625ac87285c7dc4c1df2e2181acd4b998309d23e12fd3e

  • C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ssl.pyd
    Filesize 705KB
    MD5 12fb0bcc8b79ecadd52ba8d97e08bfed
    SHA1 b52b26e16841d3b03f36792df7ed1825aa95ee54
    SHA256 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
    SHA512 3a6e78965cf58bb94efe1802f5fd39b2820935c277fb8773ecc3b4a0608fc444ace952a619dead204476981c78c38992867172bc0584cae01306ef226e5fce21

  • C:\Users\Admin\AppData\Local\Temp\_MEI35642\nvnc.exe.manifest
    Filesize 471B
    MD5 95b60b99fa7a60b3d17e5a792be83fdd
    SHA1 672eb0187a961b11c87d5ce82c45a03ba3496b63
    SHA256 09c7f09d9e15b33ff5e58d6dcf7f31aaf16426fc104377e91e03cff0f1bb941c
    SHA512 18559064b7f20385a93ac66a2f8c90280aa39767083458dd18fe886f4707c2f3fceb32eb087a3fc703746b0475a9d232195874f75e4059ff7d607a4e893a1c86

  • C:\Users\Admin\AppData\Local\Temp\_MEI35642\python27.dll
    Filesize 2.2MB
    MD5 7584228b7aa01d99944df388ba62a197
    SHA1 9e3d84241053d0ff82d83104fe9f73b9f02a3b3e
    SHA256 75e9a929d9f0f4ee2c5164c5829bebc05ea9aca0b664b41bb8e7ff53fbb1bb8e
    SHA512 217bbd7cf8a27a18c15856e6506f0bbc51b9d22e55ec15339aa53e81e966d65c8af445c55d79f1ff0cf1757e0c3a3da5de9818f00be8bf14f708ff1c5db88165

  • memory/400-19-0x0000000000CA0000-0x0000000000CAC000-memory.dmp
    Filesize 48KB