darkcloud | 322eb06a1c789fa91c8e5e9aaaae961552669ae055606e7b8be8cc31dcf0dce7

General

Target

STATEMENT OF DUE.exe
Size

479KB
MD5

f887d56a8c442677fa724d3faf86aafe
SHA1

f87552c2cb912299fce50b1f5e3a09dacfdb1f79
SHA256

322eb06a1c789fa91c8e5e9aaaae961552669ae055606e7b8be8cc31dcf0dce7
SHA512

c18e0183f7d3725dfccc9c45818e4e36dd657d3bae9144298d7c05eec22d819410c264864ced9f608afb12f4ff20f5b053e36cf6a320d2f779e2679826e163c0
SSDEEP

12288:RYWJFILPzIfF78f/EHBE6Zop+vq5BTRDchmjVdc:RYW43I978EHB9IBTRc

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 2 IoCs

pid	Process
952	lrcprhadjb.exe
748	lrcprhadjb.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	STATEMENT OF DUE.exe
952	lrcprhadjb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\kswu = "C:\\Users\\Admin\\AppData\\Roaming\\mwwhvgmcuk\\fsnivb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lrcprhadjb.exe\" C:\\Users\\Admin\\AppData\\Loc"	lrcprhadjb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 748	952	lrcprhadjb.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
748	lrcprhadjb.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
952	lrcprhadjb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	lrcprhadjb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 952	2024	STATEMENT OF DUE.exe	28
PID 2024 wrote to memory of 952	2024	STATEMENT OF DUE.exe	28
PID 2024 wrote to memory of 952	2024	STATEMENT OF DUE.exe	28
PID 2024 wrote to memory of 952	2024	STATEMENT OF DUE.exe	28
PID 952 wrote to memory of 748	952	lrcprhadjb.exe	30
PID 952 wrote to memory of 748	952	lrcprhadjb.exe	30
PID 952 wrote to memory of 748	952	lrcprhadjb.exe	30
PID 952 wrote to memory of 748	952	lrcprhadjb.exe	30
PID 952 wrote to memory of 748	952	lrcprhadjb.exe	30

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF DUE.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF DUE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe
  "C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe" C:\Users\Admin\AppData\Local\Temp\pubpld.pdm
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe
    "C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfdfzvp.nuf

Filesize
488KB

MD5
e97a4aed3ff2f402aa6ccb11033ab677

SHA1
ce38b1b50a0df62d661dafdc80e471042210b6d5

SHA256
389394f70453eb013526ff29a4e1eafcfc2fa9ef7f63218a6a81653efb634b9d

SHA512
03aae58755d5399382968ad56a2b18c5f8e74911bc6cf16d4cf0c38a92ee6e861d5eeb11475de4dcc9c0ef1153ab951a139eac2a6ceba663a4bfa82e9e142991

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe

Filesize
91KB

MD5
903b145ec9a8464a3727a08a58e25330

SHA1
9085599c02657d52123fe0635ffe9ef303b01339

SHA256
dc5221657dfb6a7ff6e086114851ae1b161876555c76638c12ea2da6814b6c92

SHA512
fcfafddd199802dbcf5d4bb235898326de5a0fbfd1dae5386abd22cf8ac07848085b1e765ee43800a046e212f2f48685a608b0d316c6c4bd59a8f252aa5419bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe

Filesize
91KB

MD5
903b145ec9a8464a3727a08a58e25330

SHA1
9085599c02657d52123fe0635ffe9ef303b01339

SHA256
dc5221657dfb6a7ff6e086114851ae1b161876555c76638c12ea2da6814b6c92

SHA512
fcfafddd199802dbcf5d4bb235898326de5a0fbfd1dae5386abd22cf8ac07848085b1e765ee43800a046e212f2f48685a608b0d316c6c4bd59a8f252aa5419bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe

Filesize
91KB

MD5
903b145ec9a8464a3727a08a58e25330

SHA1
9085599c02657d52123fe0635ffe9ef303b01339

SHA256
dc5221657dfb6a7ff6e086114851ae1b161876555c76638c12ea2da6814b6c92

SHA512
fcfafddd199802dbcf5d4bb235898326de5a0fbfd1dae5386abd22cf8ac07848085b1e765ee43800a046e212f2f48685a608b0d316c6c4bd59a8f252aa5419bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pubpld.pdm

Filesize
7KB

MD5
9de92bd9728ed0b01663b2fce5d39559

SHA1
02e44c240fc37f55ffd40bedd917ced9ded4f691

SHA256
a52e9824a17b5746c5fcd0c231fd106baf7f7ac96178331a7fcf5a46eeb17747

SHA512
7b1b0d0863810800fe81fa3ea60dbe01815f44efc288a04efb6227a4cd7533b04994c183a3e31f7056773624b76de449bfc7ebbe5437e3de06fe5658dd8c7562

Download Submit
\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe

Filesize
91KB

MD5
903b145ec9a8464a3727a08a58e25330

SHA1
9085599c02657d52123fe0635ffe9ef303b01339

SHA256
dc5221657dfb6a7ff6e086114851ae1b161876555c76638c12ea2da6814b6c92

SHA512
fcfafddd199802dbcf5d4bb235898326de5a0fbfd1dae5386abd22cf8ac07848085b1e765ee43800a046e212f2f48685a608b0d316c6c4bd59a8f252aa5419bc

Download Submit
\Users\Admin\AppData\Local\Temp\lrcprhadjb.exe

Filesize
91KB

MD5
903b145ec9a8464a3727a08a58e25330

SHA1
9085599c02657d52123fe0635ffe9ef303b01339

SHA256
dc5221657dfb6a7ff6e086114851ae1b161876555c76638c12ea2da6814b6c92

SHA512
fcfafddd199802dbcf5d4bb235898326de5a0fbfd1dae5386abd22cf8ac07848085b1e765ee43800a046e212f2f48685a608b0d316c6c4bd59a8f252aa5419bc

Download Submit
memory/748-67-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/748-68-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2024-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing