darkcloud | 3db582b8add878e04aff568409b841041e707851251fea25b80016684bbf9905

General

Target

6a3374b5325284cd932aa78f365d0193392d8485.exe
Size

830KB
MD5

01b147dd3f43915a4ccea10670b7afc6
SHA1

6a3374b5325284cd932aa78f365d0193392d8485
SHA256

3db582b8add878e04aff568409b841041e707851251fea25b80016684bbf9905
SHA512

0781f47d8b6d1794c47b17f8e0c966be716ca07eb69da60743708749994ad0e751dd2553db4b92fd277513791aa1c59360f28fcc08e42be8d2b3899781f84bde
SSDEEP

12288:2YKAF7zXICDW2EisP+qB/K4CANbfsq4G9ASn8USBav1Bt:2Yzz/WOsmWKrQ94QAEnNBt

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
info@krioncomputer.com
email_to
info@krioncomputer.com

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 2 IoCs

pid	Process
1480	aotgyabpa.exe
1344	aotgyabpa.exe

Loads dropped DLL 3 IoCs

pid	Process
576	6a3374b5325284cd932aa78f365d0193392d8485.exe
576	6a3374b5325284cd932aa78f365d0193392d8485.exe
1480	aotgyabpa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\keonjagcsa = "C:\\Users\\Admin\\AppData\\Roaming\\wrtyw\\wskevr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aotgyabpa.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem"	aotgyabpa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 1344	1480	aotgyabpa.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1344	aotgyabpa.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1480	aotgyabpa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	aotgyabpa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1480	576	6a3374b5325284cd932aa78f365d0193392d8485.exe	28
PID 576 wrote to memory of 1480	576	6a3374b5325284cd932aa78f365d0193392d8485.exe	28
PID 576 wrote to memory of 1480	576	6a3374b5325284cd932aa78f365d0193392d8485.exe	28
PID 576 wrote to memory of 1480	576	6a3374b5325284cd932aa78f365d0193392d8485.exe	28
PID 1480 wrote to memory of 1344	1480	aotgyabpa.exe	30
PID 1480 wrote to memory of 1344	1480	aotgyabpa.exe	30
PID 1480 wrote to memory of 1344	1480	aotgyabpa.exe	30
PID 1480 wrote to memory of 1344	1480	aotgyabpa.exe	30
PID 1480 wrote to memory of 1344	1480	aotgyabpa.exe	30

C:\Users\Admin\AppData\Local\Temp\6a3374b5325284cd932aa78f365d0193392d8485.exe
"C:\Users\Admin\AppData\Local\Temp\6a3374b5325284cd932aa78f365d0193392d8485.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe
  "C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe" C:\Users\Admin\AppData\Local\Temp\oakdnyk.u
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe
    "C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oakdnyk.u

Filesize
7KB

MD5
dd346c0eeb46e196e69ce8bcc7a0b497

SHA1
c68f8e5f4951e072f8839fb1ccb2e040fc955521

SHA256
358abb9f2681582ab51de8d9d0079f0a14e976306ede110abcfc146f60020b6b

SHA512
b529baa6ccbd1ec22ab5860bb623a5f0f717dc91c2f062b6f32e93ddef870ae6fd67e28086084d01e9915a64dab15bcb6b773a680f46e5f87b9e930630f4a3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vipplr.sor

Filesize
488KB

MD5
1d547b51e811f120296da95704d99777

SHA1
51e3d1b486705f990f2eb79e1571aa2c817888ba

SHA256
0f674a0573ff9c5f58280c9721918e721359045fbd580e64a9eb7b3788fc1c35

SHA512
04cee3be526aa32b8406bb2391f030b5cb19eb88778cae94b5c55799a1d41324f8e943fdcd05d95de576c44958403309d39f9f1daeaabe9667fa17f273744ea4

Download Submit
\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
memory/576-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1344-68-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1344-69-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing