darkcloud | c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.js
Size

933B
MD5

51d889441d1ae8fa7c2fcc3be3ba9b10
SHA1

159c9dc24095316da8abcef8aa44506c78307a31
SHA256

876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5
SHA512

3735bb4534cbee993fc691b999953d63eca62d30b675f7de8d7516698c4bf853aebcfe0b9f66b6b1a2a47d515e028c982066c21b03484e373455ba541e2a25e4

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

https://api.telegram.org/bot6111853930:AAG17B4Rp0N5JOuu_E6TDmywX961M_dYkrI/sendMessage?chat_id=5237953097

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	3620	wscript.exe
6	3620	wscript.exe
9	3620	wscript.exe
13	3620	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
636	chrome.exe
796	ucpmnyjlw.exe
1204	ucpmnyjlw.exe
5112	ucpmnyjlw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 5112	796	ucpmnyjlw.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
796	ucpmnyjlw.exe
796	ucpmnyjlw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5112	ucpmnyjlw.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 636	3620	wscript.exe	84
PID 3620 wrote to memory of 636	3620	wscript.exe	84
PID 3620 wrote to memory of 636	3620	wscript.exe	84
PID 636 wrote to memory of 796	636	chrome.exe	85
PID 636 wrote to memory of 796	636	chrome.exe	85
PID 636 wrote to memory of 796	636	chrome.exe	85
PID 796 wrote to memory of 1204	796	ucpmnyjlw.exe	86
PID 796 wrote to memory of 1204	796	ucpmnyjlw.exe	86
PID 796 wrote to memory of 1204	796	ucpmnyjlw.exe	86
PID 796 wrote to memory of 5112	796	ucpmnyjlw.exe	87
PID 796 wrote to memory of 5112	796	ucpmnyjlw.exe	87
PID 796 wrote to memory of 5112	796	ucpmnyjlw.exe	87
PID 796 wrote to memory of 5112	796	ucpmnyjlw.exe	87

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\(NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe
    "C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe" C:\Users\Admin\AppData\Local\Temp\ruhzlsh.ruo
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe
      "C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe"
      4⤵
      Executes dropped EXE
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe
      "C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ruhzlsh.ruo

Filesize
6KB

MD5
02c5ad29026db8797bd1244e974cb9b4

SHA1
3bf184523c64f8b97254bf424d13471097798b13

SHA256
e8ad0334f692decf0c197f34001a58d3be77e01c4798337c472b050d9a5bdf61

SHA512
d61dbfa916752d37fcb5fe7f74614f83b873d6d06b72f8d394f8e550a7b939fb292622b0b62d181971b87e70753a9dd05976991beed34f04aab2b76fb0472c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe

Filesize
58KB

MD5
983f0a85dd0f67a413e5313ccc7f1b61

SHA1
1f1039ae30078f498d779aa66145ffe3632d62ae

SHA256
92883dabbaf962d266fedc60db122cae7870e0d318dad53dc54afb2960b63bf3

SHA512
0ffa1822454853f4a92ee7338574d7ae650a13d5539e130986f753c3c5b622ce72f1623eeaf095ef2d907622aa46de229ed7a11d55a0560b17327fc57902d61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe

Filesize
58KB

MD5
983f0a85dd0f67a413e5313ccc7f1b61

SHA1
1f1039ae30078f498d779aa66145ffe3632d62ae

SHA256
92883dabbaf962d266fedc60db122cae7870e0d318dad53dc54afb2960b63bf3

SHA512
0ffa1822454853f4a92ee7338574d7ae650a13d5539e130986f753c3c5b622ce72f1623eeaf095ef2d907622aa46de229ed7a11d55a0560b17327fc57902d61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe

Filesize
58KB

MD5
983f0a85dd0f67a413e5313ccc7f1b61

SHA1
1f1039ae30078f498d779aa66145ffe3632d62ae

SHA256
92883dabbaf962d266fedc60db122cae7870e0d318dad53dc54afb2960b63bf3

SHA512
0ffa1822454853f4a92ee7338574d7ae650a13d5539e130986f753c3c5b622ce72f1623eeaf095ef2d907622aa46de229ed7a11d55a0560b17327fc57902d61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpmnyjlw.exe

Filesize
58KB

MD5
983f0a85dd0f67a413e5313ccc7f1b61

SHA1
1f1039ae30078f498d779aa66145ffe3632d62ae

SHA256
92883dabbaf962d266fedc60db122cae7870e0d318dad53dc54afb2960b63bf3

SHA512
0ffa1822454853f4a92ee7338574d7ae650a13d5539e130986f753c3c5b622ce72f1623eeaf095ef2d907622aa46de229ed7a11d55a0560b17327fc57902d61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wosuglyolox.n

Filesize
568KB

MD5
2965f0467ffd2eb78dbb9ed45552c3bb

SHA1
4840f44b35c8db031242bca5d462320761a21a19

SHA256
4f740b812709b4fb5bec416f2be255a078d36eaf49f52e54f2291fb49befe842

SHA512
9f22b7934395a56750148d36fa821d7697219d30b27fd2251fd532ddc5e5d18c3c2f7e5efb5eb5505f09d70fb03c9862dd8d6a61e959e54c97c2692017b924ef

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
543KB

MD5
6659948eb5a432df9a27642d86a5045a

SHA1
9a61921fbb7664e243ad8cb4517fdafe5d869787

SHA256
f4e69aa1f3749ee5a603722e233056c11c1f0ceff4bad4192b119e9d172bbc4e

SHA512
ad1215f30b283f56a6627f333aff06f7382784a1676e6b5a5e293de03bbdc31a07be5ba03a006ac9a69b1fa2b72ea8cfb8e14c874870dc20404fa0664788b833

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
543KB

MD5
6659948eb5a432df9a27642d86a5045a

SHA1
9a61921fbb7664e243ad8cb4517fdafe5d869787

SHA256
f4e69aa1f3749ee5a603722e233056c11c1f0ceff4bad4192b119e9d172bbc4e

SHA512
ad1215f30b283f56a6627f333aff06f7382784a1676e6b5a5e293de03bbdc31a07be5ba03a006ac9a69b1fa2b72ea8cfb8e14c874870dc20404fa0664788b833

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
543KB

MD5
6659948eb5a432df9a27642d86a5045a

SHA1
9a61921fbb7664e243ad8cb4517fdafe5d869787

SHA256
f4e69aa1f3749ee5a603722e233056c11c1f0ceff4bad4192b119e9d172bbc4e

SHA512
ad1215f30b283f56a6627f333aff06f7382784a1676e6b5a5e293de03bbdc31a07be5ba03a006ac9a69b1fa2b72ea8cfb8e14c874870dc20404fa0664788b833

Download Submit
memory/5112-161-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5112-165-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5112-168-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5112-169-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download