darkcloud | 3db582b8add878e04aff568409b841041e707851251fea25b80016684bbf9905

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3374b5325284cd932aa78f365d0193392d8485.exe
Size

830KB
MD5

01b147dd3f43915a4ccea10670b7afc6
SHA1

6a3374b5325284cd932aa78f365d0193392d8485
SHA256

3db582b8add878e04aff568409b841041e707851251fea25b80016684bbf9905
SHA512

0781f47d8b6d1794c47b17f8e0c966be716ca07eb69da60743708749994ad0e751dd2553db4b92fd277513791aa1c59360f28fcc08e42be8d2b3899781f84bde
SSDEEP

12288:2YKAF7zXICDW2EisP+qB/K4CANbfsq4G9ASn8USBav1Bt:2Yzz/WOsmWKrQ94QAEnNBt

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 2 IoCs

pid	Process
2040	aotgyabpa.exe
2156	aotgyabpa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keonjagcsa = "C:\\Users\\Admin\\AppData\\Roaming\\wrtyw\\wskevr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aotgyabpa.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem"	aotgyabpa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2156	2040	aotgyabpa.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	aotgyabpa.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2040	aotgyabpa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	aotgyabpa.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2040	2148	6a3374b5325284cd932aa78f365d0193392d8485.exe	80
PID 2148 wrote to memory of 2040	2148	6a3374b5325284cd932aa78f365d0193392d8485.exe	80
PID 2148 wrote to memory of 2040	2148	6a3374b5325284cd932aa78f365d0193392d8485.exe	80
PID 2040 wrote to memory of 2156	2040	aotgyabpa.exe	82
PID 2040 wrote to memory of 2156	2040	aotgyabpa.exe	82
PID 2040 wrote to memory of 2156	2040	aotgyabpa.exe	82
PID 2040 wrote to memory of 2156	2040	aotgyabpa.exe	82

C:\Users\Admin\AppData\Local\Temp\6a3374b5325284cd932aa78f365d0193392d8485.exe
"C:\Users\Admin\AppData\Local\Temp\6a3374b5325284cd932aa78f365d0193392d8485.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe
  "C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe" C:\Users\Admin\AppData\Local\Temp\oakdnyk.u
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe
    "C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aotgyabpa.exe

Filesize
86KB

MD5
8bcb1d4040cf57de8ef9b8c952638856

SHA1
94c6dc4c73cb71f9fc260f0e0eb8c653cb8bc48c

SHA256
e163c31d803e39b9604e50128545d4000ad3849f66033668ffce448a27129155

SHA512
34a26bcc8cf4e53f50cf0731a9d11e5e02c8bf6199c17241ad9edf101cf6504ce43f4f7d02915296336157dbfda1172b9f6e9b840f735d0fbbe58eb54d5cbe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oakdnyk.u

Filesize
7KB

MD5
dd346c0eeb46e196e69ce8bcc7a0b497

SHA1
c68f8e5f4951e072f8839fb1ccb2e040fc955521

SHA256
358abb9f2681582ab51de8d9d0079f0a14e976306ede110abcfc146f60020b6b

SHA512
b529baa6ccbd1ec22ab5860bb623a5f0f717dc91c2f062b6f32e93ddef870ae6fd67e28086084d01e9915a64dab15bcb6b773a680f46e5f87b9e930630f4a3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vipplr.sor

Filesize
488KB

MD5
1d547b51e811f120296da95704d99777

SHA1
51e3d1b486705f990f2eb79e1571aa2c817888ba

SHA256
0f674a0573ff9c5f58280c9721918e721359045fbd580e64a9eb7b3788fc1c35

SHA512
04cee3be526aa32b8406bb2391f030b5cb19eb88778cae94b5c55799a1d41324f8e943fdcd05d95de576c44958403309d39f9f1daeaabe9667fa17f273744ea4

Download Submit
memory/2156-141-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2156-142-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download