Analysis

  • max time kernel
    35s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    03/05/2023, 12:30

General

  • Target

    e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe

  • Size

    1.3MB

  • MD5

    accbbf5ca2c67a5d6f0b4bab71b5a81d

  • SHA1

    61816822b97a25ad36575520560c4eaca7876d7c

  • SHA256

    e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395

  • SHA512

    4fce6d4a824ff290c3b36d54e477c1d17050d28cc2d43defa4aa90f7715bc9b2b5a41b8b41518d573206788ccd36b7026f5d65064e7465809680b6be97aa8c2f

  • SSDEEP

    24576:DTbBv5rUDwcyw5LAXjXXRQFX8KZHbK5sUdSpUUBQjqfYTfz7V2EggiVE1+:dB1cL5UtQSWobCUUZ8V2Egy+

Malware Config

Extracted

Family

darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
    "C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" Update-ru.u.vbe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:300
      • C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif
        "C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          PID:1792
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1144

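The process tree above is the detection surface worth keeping from this report: an executable in %TEMP% launches wscript.exe on an encoded VBScript (.vbe); that script launches a PE named with a .pif extension which takes a .msc-named file as its only argument; and the .pif process spawns two copies of RegSvcs.exe from %TEMP% instead of from the .NET Framework directory where the genuine tool lives. The SetThreadContext and WriteProcessMemory signatures on PID 1360, together with the 384KB and 7.0MB regions mapped at 0x400000 in the two RegSvcs.exe children for a file that is 44KB on disk, are consistent with those children serving as injection hosts, although the report itself does not say so. The Python below is an added example, not part of the report or of any sandbox vendor's code. It encodes the three observations as rules and runs them over process-creation events constructed from the tree (PIDs, image paths and command lines as listed; the parent of PID 2012 is not shown on the page, so it is modelled as PPID 0). The rule names and the user-writable-directory heuristic are this example's own choices.

```python
# Added example (not from the sandbox report): rule-based triage of a process tree.
# Events are constructed from the report's PIDs, image paths and command lines.
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executing image path as the kernel reports it
    cmdline: str    # command line as recorded


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"

# Constructed from the process tree in the report. PPID 0 for the root is an
# assumption: the report does not show what launched the sample.
# Note the SysWOW64 image vs. System32 command line on PID 300: that is ordinary
# file-system redirection for a 32-bit parent and is deliberately not a rule.
EVENTS = [
    ProcEvent(2012, 0, ROOT, f'"{ROOT}"'),
    ProcEvent(300, 2012, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" Update-ru.u.vbe'),
    ProcEvent(1360, 300, TEMP + r"\vsbo\kjnoepc.pif",
              f'"{TEMP}\\vsbo\\kjnoepc.pif" wdnwqnp.msc'),
    ProcEvent(1792, 1360, TEMP + r"\RegSvcs.exe", f'"{TEMP}\\RegSvcs.exe"'),
    ProcEvent(1144, 1360, TEMP + r"\RegSvcs.exe", f'"{TEMP}\\RegSvcs.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")
# Windows executes a PE regardless of these extensions; they dodge "*.exe" filters.
DISGUISE_EXTS = {".pif", ".com", ".scr"}
# .NET Framework utilities often abused as injection hosts; genuine copies live
# under %WINDIR%\Microsoft.NET\.
DOTNET_TOOLS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def user_writable(path: str) -> bool:
    """Heuristic: profile, AppData or Temp locations a standard user can write to."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def cmdline_args(cmdline: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)][1:]


def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = {}
    for e in events:
        name = ntpath.basename(e.image).lower()
        ext = ntpath.splitext(name)[1]
        parent = by_pid.get(e.ppid)
        rules = []
        # Rule 1: a script host started by a process living in a user-writable dir,
        # handed a script file (here: dropped EXE -> wscript.exe Update-ru.u.vbe).
        if (name in SCRIPT_HOSTS and parent is not None and user_writable(parent.image)
                and any(a.lower().endswith(SCRIPT_EXTS) for a in cmdline_args(e.cmdline))):
            rules.append("script_host_from_user_dir")
        # Rule 2: a PE running under a shortcut/legacy extension from a user-writable dir.
        if ext in DISGUISE_EXTS and user_writable(e.image):
            rules.append("pe_with_disguise_extension")
        # Rule 3: a .NET Framework tool executing from outside the framework directory.
        if name in DOTNET_TOOLS and "\\microsoft.net\\" not in e.image.lower():
            rules.append("dotnet_tool_outside_framework_dir")
        if rules:
            hits[e.pid] = rules
    return hits


def chain(events: list[ProcEvent], pid: int) -> list[str]:
    """Walk parent links from pid to the root; return image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, " -> ".join(chain(EVENTS, pid)), rules)
```

Each rule fires on its own, but the value for an analyst is the chain: the same four-stage lineage (dropped EXE, script host, disguised PE, .NET tool from %TEMP%) can be matched as a parent-child sequence in EDR telemetry even when the file names and hashes in this report change.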
Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

        • C:\Users\Admin\AppData\Local\Temp\vsbo\KMEDFD~1.PHQ

          Filesize

          710KB

          MD5

          eaead7d8d4ba97c305489a6ddbd159b2

          SHA1

          0fba620f34155f5b713bc9f100ac645689a6597a

          SHA256

          79958339e5bc02f83b8503ee985901e10697cb7d69b5257c24c90576f7311e93

          SHA512

          1c7f5ec4e7336a6cec7c765ed6c7ec903f9cef28bd961ea269b11ec9a53311f438f0f8a25cfec7ecc62049914b9cf7f50b95ef42d2bb8265583201d304952190

        • C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

          Filesize

          1.1MB

          MD5

          b89e79a5a62c0264887be1c4ffae159d

          SHA1

          d682713d6dce62f880e3c47f0745f0869a928167

          SHA256

          1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

          SHA512

          dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

        • C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

          Filesize

          1.1MB

          MD5

          b89e79a5a62c0264887be1c4ffae159d

          SHA1

          d682713d6dce62f880e3c47f0745f0869a928167

          SHA256

          1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

          SHA512

          dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

        • C:\Users\Admin\AppData\Local\Temp\vsbo\oejuf.pdf

          Filesize

          36KB

          MD5

          91e9ffe8f25752e6bf3b68772c1597c3

          SHA1

          3e4b2f8c1fa1f43b2446c31892a12c53c19d70b0

          SHA256

          e0bf95af30877dc005c3a4188b07acec9f8304c6077f94bb6601141945b94669

          SHA512

          8c15224737894a0f0b2a8f9a771d22b16ed8acbeba70d660e73fadf3905aa550ef574dc1cb1935f89d9ca47dfe3a81b63687591a5f62a6e81afad59d9651b09a

        • C:\Users\Admin\AppData\Local\Temp\vsbo\wdnwqnp.msc

          Filesize

          104.2MB

          MD5

          ff9335ab2246b275af6f3d74ae9a990e

          SHA1

          214327ef48e858f8e980ee97b174225441770dbb

          SHA256

          c6cf8e1b8c95ad76f9bf1cd8d2e8aa59d08b5a6d968cae992415dc9d8a7167e5

          SHA512

          97ffb7effd04cf3108b7b84911b3bccbbe16f919322cc489695f9c63826472a1c891da82b85cb1ac041fad934a911566d587124627c5cc4c66d5d6d3e197dc15

        • C:\Users\Admin\AppData\Local\temp\vsbo\Update-ru.u.vbe

          Filesize

          58KB

          MD5

          fd341bcb4b6d49d85ce7a6f5cd41189c

          SHA1

          61bb21e3a95a482ee2bd56afa5988ce3d6d70305

          SHA256

          49682c4ff8ce861f43dfebae6bd90b6ad4d5767dd1c23d88b8ee7c8c700840fa

          SHA512

          27993836fd1d58e6e296736df124c49e3aa75fd1f8cb70074cfb0007b238ab842560aae1fc7e29cc06d37358811cf9f7005944517d46b79f8669373ef9c67b14

        • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

        • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

        • \Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

          Filesize

          1.1MB

          MD5

          b89e79a5a62c0264887be1c4ffae159d

          SHA1

          d682713d6dce62f880e3c47f0745f0869a928167

          SHA256

          1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

          SHA512

          dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

        • memory/1144-126-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1144-131-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-128-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-135-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-127-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-143-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1144-145-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/1792-134-0x0000000000400000-0x0000000000B08000-memory.dmp

          Filesize

          7.0MB

        • memory/1792-137-0x0000000000400000-0x0000000000B08000-memory.dmp

          Filesize

          7.0MB

        • memory/1792-141-0x0000000000400000-0x0000000000B08000-memory.dmp

          Filesize

          7.0MB