darkcloud | 3aa2bf0cfa371eed74387aabf5fb54840747c3b79d5eeb632c8f8ed7a7932645

General

Target

SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
Size

1.0MB
MD5

263a424481c45e0340bd95f6f26570bb
SHA1

74fb7027fb40ff3fd18fdc2ad6c40c76fa9cb258
SHA256

3aa2bf0cfa371eed74387aabf5fb54840747c3b79d5eeb632c8f8ed7a7932645
SHA512

1e6c3cb5f6338fd3a8d7468827d1da9e6c733aae27673b737fd7d15632a0b3b6e0d3799d015aeb85990d7d404b6cbb206971eb5a78ecd4f68d5506243f2463ef
SSDEEP

12288:qcX8QJkULm8TZMXwZ96+PiOIQvRfWq/yAPMR8NTSE3UI72X+isjma3gKZ/nXt7vj:pSUrT/Z0+VRfl6/R8LEI7GW

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5637426169:AAH_P4-KucbNFzwchy84SCbxibLRynyCwuA/sendMessage?chat_id=5323697986

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
328	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
Token: SeDebugPrivilege	952	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
328	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 952	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	28
PID 1632 wrote to memory of 952	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	28
PID 1632 wrote to memory of 952	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	28
PID 1632 wrote to memory of 952	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	28
PID 1632 wrote to memory of 528	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	30
PID 1632 wrote to memory of 528	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	30
PID 1632 wrote to memory of 528	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	30
PID 1632 wrote to memory of 528	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	30
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32
PID 1632 wrote to memory of 328	1632	SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kXpmjJRxZYTok.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kXpmjJRxZYTok" /XML "C:\Users\Admin\AppData\Local\Temp\tmp875A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:528
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Crypt.8892.8543.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp875A.tmp

Filesize
1KB

MD5
97df77e74246f2d5f7e7aabff19f9b2a

SHA1
80a5684b73f90bd5c0b31004fd7bba1004d5f26d

SHA256
3cc9a3d79f5a505ac0eae28c3042b1c85c332478a3323f276d5a3a15ca38cec5

SHA512
2cda3f9c66e53e735a4572d381be3d08caffd9cf6f5ba4223c07cf21083f43a79f4d0585bcd14055567b5e08fb93453c1d06a1b810b41406bee8de228cd70e19

Download Submit
memory/328-68-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-79-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-77-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-74-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-66-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/328-71-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/952-63-0x000000006E5D0000-0x000000006EB7B000-memory.dmp

Filesize
5.7MB

Download
memory/952-78-0x000000006E5D0000-0x000000006EB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-58-0x00000000056E0000-0x000000000578C000-memory.dmp

Filesize
688KB

Download
memory/1632-64-0x0000000005790000-0x0000000005806000-memory.dmp

Filesize
472KB

Download
memory/1632-54-0x0000000000B50000-0x0000000000C58000-memory.dmp

Filesize
1.0MB

Download
memory/1632-57-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1632-56-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1632-55-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads