darkcloud | 1716487b103dc267d5d1d0ad0f83565c11e3a18b0fd840f7b16893a14716b299

General

Target

fbc4371a517670d9e0f3df4b423f1128c98538ab.exe
Size

829KB
MD5

9db0cb8ce863c77576b7fe8a65c4c200
SHA1

fbc4371a517670d9e0f3df4b423f1128c98538ab
SHA256

1716487b103dc267d5d1d0ad0f83565c11e3a18b0fd840f7b16893a14716b299
SHA512

99e72029cc0ead9587a009d79fde561ca651db2380265d06fbb5408e01d07939a11b812e81f2360e5593f12ba4fa499ee85ce7106a58001c679f6a4a9b931fe3
SSDEEP

12288:2Y7mobjGBDlFYlWxHE1DtDjZ6mmjgn9LmszAipCEKW/DiaC:2Y7HjGRlFYM9EttDjgPgnUHWLi3

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 2 IoCs

pid	Process
1648	caodqz.exe
1752	caodqz.exe

Loads dropped DLL 3 IoCs

pid	Process
1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe
1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe
1648	caodqz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lojtsiioase = "C:\\Users\\Admin\\AppData\\Roaming\\ggkgnfxwhhhj\\eagmgneumqoupf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\caodqz.exe\" C:\\Users\\Admin\\AppDa"	caodqz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 1752	1648	caodqz.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	caodqz.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1648	caodqz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	caodqz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1648	1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe	28
PID 1916 wrote to memory of 1648	1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe	28
PID 1916 wrote to memory of 1648	1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe	28
PID 1916 wrote to memory of 1648	1916	fbc4371a517670d9e0f3df4b423f1128c98538ab.exe	28
PID 1648 wrote to memory of 1752	1648	caodqz.exe	30
PID 1648 wrote to memory of 1752	1648	caodqz.exe	30
PID 1648 wrote to memory of 1752	1648	caodqz.exe	30
PID 1648 wrote to memory of 1752	1648	caodqz.exe	30
PID 1648 wrote to memory of 1752	1648	caodqz.exe	30

C:\Users\Admin\AppData\Local\Temp\fbc4371a517670d9e0f3df4b423f1128c98538ab.exe
"C:\Users\Admin\AppData\Local\Temp\fbc4371a517670d9e0f3df4b423f1128c98538ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\caodqz.exe
  "C:\Users\Admin\AppData\Local\Temp\caodqz.exe" C:\Users\Admin\AppData\Local\Temp\xjhmmycw.i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\caodqz.exe
    "C:\Users\Admin\AppData\Local\Temp\caodqz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxufwydw.hmf

Filesize
488KB

MD5
9cedbcfa66f05ca2e155e22af80bfa50

SHA1
eda9666829cf1013d52b8f7bd2b50ff01444a0c8

SHA256
2b52049dc8626d3d01af7c8ef035d6d19087a0b604e29a942e240a1b9814f8cf

SHA512
fad796e1b55b49ac13d1e0184f9b56f3a59f0e7455dade8b63d66f9f09690f1d6935bedd40fdeafa91314f42dadfc2123d7a74e37fb2a203552e95d1d5ada821

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjhmmycw.i

Filesize
7KB

MD5
4fbdf41a057b278be5fe9dadadbf8e57

SHA1
ec99ef641f1e077772b7260b27daeceb77a12d40

SHA256
95fd2f0048b1c37af5a6b429b651646e17070bdcb563b638a6bfb442b8485e55

SHA512
5de96b3b49e769818a566dbeb12ec0612b7e4e2b305e6ad9b3317d934588a15b20d0c2cd5df78c280a20fadad2a0230037cb62bfa3817a23970e8b237b037854

Download Submit
\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
\Users\Admin\AppData\Local\Temp\caodqz.exe

Filesize
86KB

MD5
f5524dc27933fc7851b6140bb484f76c

SHA1
39fe27bc77923cb7418cca5c2cabce331c9c9810

SHA256
1ee1aeda78194d6ecf791520c6e70259b985cfea2b1033e26cd0f293c08602a5

SHA512
cb36013b87677585c5114e914345edfef381522768d589039d577c15216519106998641709fa1e603c68160a7b263d6cf2f4c3d1d509ad1de5a375674e791d33

Download Submit
memory/1752-68-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1752-69-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing