darkcloud | 47bfa1c709df60a24f4bf9a3466175654781d05ce1647e3dc9bc22e939435cc7

Analysis

max time kernel
127s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

odemePlani.exe
Size

803KB
MD5

ea93b0efdfc894e3ff86a5277ae5d36a
SHA1

c085e55b559c7bd52b5670f1834a6c230fa2c622
SHA256

47bfa1c709df60a24f4bf9a3466175654781d05ce1647e3dc9bc22e939435cc7
SHA512

9c57dfa9d2ac0ae52b724d650a48a1c84ec8728d067824d7f3047a7723c43d3299f7202f1ec815b8581a2e71ab30a33794a4eed5e3cbba84550a431895008cd8
SSDEEP

12288:8q1I2X7uNGareFRZVU32ZAd7ewnPvGk0QGCsefNQgEBtsLuflbK7A0Q:8qDX7MCFRY30A00ZCnBSLelbK7A0

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1364	1544	odemePlani.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1544	odemePlani.exe
1476	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	odemePlani.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	odemePlani.exe
Token: SeDebugPrivilege	1476	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	odemePlani.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1476	1544	odemePlani.exe	26
PID 1544 wrote to memory of 1476	1544	odemePlani.exe	26
PID 1544 wrote to memory of 1476	1544	odemePlani.exe	26
PID 1544 wrote to memory of 1476	1544	odemePlani.exe	26
PID 1544 wrote to memory of 700	1544	odemePlani.exe	28
PID 1544 wrote to memory of 700	1544	odemePlani.exe	28
PID 1544 wrote to memory of 700	1544	odemePlani.exe	28
PID 1544 wrote to memory of 700	1544	odemePlani.exe	28
PID 1544 wrote to memory of 984	1544	odemePlani.exe	30
PID 1544 wrote to memory of 984	1544	odemePlani.exe	30
PID 1544 wrote to memory of 984	1544	odemePlani.exe	30
PID 1544 wrote to memory of 984	1544	odemePlani.exe	30
PID 1544 wrote to memory of 708	1544	odemePlani.exe	31
PID 1544 wrote to memory of 708	1544	odemePlani.exe	31
PID 1544 wrote to memory of 708	1544	odemePlani.exe	31
PID 1544 wrote to memory of 708	1544	odemePlani.exe	31
PID 1544 wrote to memory of 1912	1544	odemePlani.exe	32
PID 1544 wrote to memory of 1912	1544	odemePlani.exe	32
PID 1544 wrote to memory of 1912	1544	odemePlani.exe	32
PID 1544 wrote to memory of 1912	1544	odemePlani.exe	32
PID 1544 wrote to memory of 1656	1544	odemePlani.exe	33
PID 1544 wrote to memory of 1656	1544	odemePlani.exe	33
PID 1544 wrote to memory of 1656	1544	odemePlani.exe	33
PID 1544 wrote to memory of 1656	1544	odemePlani.exe	33
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34
PID 1544 wrote to memory of 1364	1544	odemePlani.exe	34

C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
"C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UEdzzSxI.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UEdzzSxI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6CE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:700
- C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
  "C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
  2⤵
  PID:984
- C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
  "C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
  2⤵
  PID:708
- C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
  "C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
  2⤵
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
  "C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\odemePlani.exe
  "C:\Users\Admin\AppData\Local\Temp\odemePlani.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF6CE.tmp

Filesize
1KB

MD5
df107347a66af58aa4c94896773193dc

SHA1
c52df29a3c306b924d77bcf609af88aadc49ac51

SHA256
c1d7a60745fc766b439a71dd0c298b20f743f309c5f4e30de0fa53999915d0d7

SHA512
7ad64dd07a42a6b3baabda223358fb7b6daae63eca4713cb3db3251f2c6e1d3e534191dc4aabcd010868254b8081e9b8531455152248dd9adad28d5f60f50a5d

Download Submit
memory/700-60-0x0000000000000000-mapping.dmp

Download
memory/1364-77-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-70-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-73-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-64-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-71-0x00000000004030D0-mapping.dmp

Download
memory/1476-76-0x000000006E970000-0x000000006EF1B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-59-0x0000000000000000-mapping.dmp

Download
memory/1476-78-0x000000006E970000-0x000000006EF1B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-58-0x0000000007F00000-0x0000000007FA6000-memory.dmp

Filesize
664KB

Download
memory/1544-63-0x0000000007FB0000-0x0000000008020000-memory.dmp

Filesize
448KB

Download
memory/1544-54-0x00000000001E0000-0x00000000002B0000-memory.dmp

Filesize
832KB

Download
memory/1544-57-0x0000000001D90000-0x0000000001D9E000-memory.dmp

Filesize
56KB

Download
memory/1544-56-0x0000000001D70000-0x0000000001D86000-memory.dmp

Filesize
88KB

Download
memory/1544-55-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download