Analysis

  • max time kernel
    114s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2023, 18:58

General

  • Target

    c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe

  • Size

    956KB

  • MD5

    ae39d887355354bbe63f6cec19518ec0

  • SHA1

    3c87093e3f49d666fec1c7e6c1dcd26527e49e9e

  • SHA256

    c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7

  • SHA512

    409b51659d0105e126351ea02a80b24515123d70426a129eb8b4ec418d095b7a16ec1754ad8a4d8f68c2a7d299d97bb37a56badf3ec5e09fab5a2ea6e576e823

  • SSDEEP

    24576:5m0/34HuosqDIdxe/KhMangc1iO3+zXPqcT:MsIHVsqDCXnK2+zXPq2

Score
10/10

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5747177798:AAGv5MNvuUjtsZ9QlXMkdP6QssoMkGFSw6s/sendMessage?chat_id=805410216
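
The C2 above is not a server the operator runs but a Telegram Bot API call: the path carries the bot token (numeric bot id, a colon, then the secret) and the query string carries the chat_id that receives the stolen data. The following Python is an added example, not part of the report or of DarkCloud, that pulls those fields out of such a URL and runs the same check over a few constructed proxy-log lines; the log format (timestamp, client IP, HTTP method, URL, status) and the client addresses are assumptions.

```python
"""Pull the bot token and chat id out of a Telegram Bot API C2 URL and flag such calls in proxy logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>. Real secrets are 35
# characters; {30,} is used so that a slightly mangled sample still matches.
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)/?$"
)

# Methods that push data out of the victim; getUpdates and friends go the other way.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_telegram_c2(url):
    """Return bot id, full token, API method and chat_id, or None for a non-Bot-API URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "exfil": m["method"] in EXFIL_METHODS,
    }


def redact_token(token):
    """Keep the bot id (the stable part worth pivoting on) and hide the secret before sharing."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


# Constructed proxy log lines (assumed format: timestamp, client ip, method, url, status).
# Line 2 reuses the C2 URL from the report; the other lines are benign look-alikes.
SAMPLE_PROXY_LOG = """\
2023-05-05T18:59:01Z 10.0.0.15 GET https://www.microsoft.com/ 200
2023-05-05T18:59:04Z 10.0.0.15 POST https://api.telegram.org/bot5747177798:AAGv5MNvuUjtsZ9QlXMkdP6QssoMkGFSw6s/sendMessage?chat_id=805410216 200
2023-05-05T18:59:09Z 10.0.0.22 GET https://api.telegram.org/ 200
2023-05-05T18:59:12Z 10.0.0.22 GET https://example.org/bot123:notatoken/sendMessage 404
"""


def find_telegram_c2(log_text):
    """Return one record per log line whose URL is a Telegram Bot API call."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # assumed five-field format; anything else is skipped, not guessed at
        ts, client, _, url, _ = fields
        info = parse_telegram_c2(url)
        if info is None:
            continue
        hits.append({"time": ts, "client": client, **info})
    return hits


if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_PROXY_LOG):
        kind = "EXFIL" if hit["exfil"] else "bot-api"
        print(f"{hit['time']} {hit['client']} {kind} bot={hit['bot_id']} "
              f"chat_id={hit['chat_id']} token={redact_token(hit['token'])}")
```

The bot id is the part worth keeping in an IOC: the operator can revoke and re-issue the secret, but the bot id and the chat_id stay with the account, so a detection keyed on the host plus the `/bot<digits>:` path prefix survives a token rotation.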

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe
    "C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe
      "C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe"
      2⤵
        PID:1476
      • C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe
        "C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:572
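
The tree above shows the sample starting two copies of itself: SetThreadContext and WriteProcessMemory are attributed to the parent (PID 2036), while the hook and foreground-window signatures that go with keylogging land on the second child (PID 572). Under Downloads the child's region at 0x400000-0x474000 (464KB) is dumped repeatedly although the file on disk is 956KB, which is consistent with a different PE having been mapped into the child, i.e. process hollowing. The Python below is an added example, not part of the report or of any sandbox code, that parses the dump names listed on this page, groups the unique regions per PID, and applies that check; the process tree and dump list are copied from the page as constructed input.

```python
"""Turn the report's process tree and memory-dump list into a hollowing verdict."""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7.exe"
IMAGE_BASE = 0x400000   # default image base of a PE32 built without ASLR support
ON_DISK_KB = 956        # size of the submitted file, as reported on the page

# Process tree as listed on the page: pid, parent pid and per-process signature names.
PROCESS_TREE = [
    {"pid": 2036, "ppid": None, "image": IMAGE,
     "signatures": {"SetThreadContext", "EnumeratesProcesses",
                    "AdjustPrivilegeToken", "WriteProcessMemory"}},
    {"pid": 1476, "ppid": 2036, "image": IMAGE, "signatures": set()},
    {"pid": 572, "ppid": 2036, "image": IMAGE,
     "signatures": {"GetForegroundWindowSpam", "SetWindowsHookEx"}},
]

# Dump names as listed under Downloads (copied from the page, in the page's order).
DUMPS = [
    "memory/572-62-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-72-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-71-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-68-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-63-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/572-66-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/572-61-0x0000000000400000-0x0000000000474000-memory.dmp",
    "memory/2036-57-0x00000000002A0000-0x00000000002E0000-memory.dmp",
    "memory/2036-60-0x0000000004460000-0x00000000044DC000-memory.dmp",
    "memory/2036-59-0x0000000005710000-0x00000000057BE000-memory.dmp",
    "memory/2036-58-0x0000000000270000-0x000000000027C000-memory.dmp",
    "memory/2036-54-0x00000000008C0000-0x00000000009B6000-memory.dmp",
    "memory/2036-56-0x00000000001D0000-0x00000000001DE000-memory.dmp",
    "memory/2036-55-0x00000000002A0000-0x00000000002E0000-memory.dmp",
]

# Dump names follow the pattern memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)


def parse_dump_name(name):
    """Split a dump name into pid, dump index, start/end address and region size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end,
            "size": end - start}


def regions_by_pid(names):
    """Unique (start, end) regions per pid; the same region is often dumped several times."""
    out = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def kb(size):
    return size // 1024


def hollowing_candidates(tree, regions, on_disk_kb=ON_DISK_KB):
    """Flag a child that shares its parent's image path, whose parent shows both
    WriteProcessMemory and SetThreadContext, and whose region at the default image
    base has a size that does not match the file on disk."""
    by_pid = {p["pid"]: p for p in tree}
    hits = []
    for proc in tree:
        parent = by_pid.get(proc["ppid"])
        if parent is None or parent["image"] != proc["image"]:
            continue
        if not {"WriteProcessMemory", "SetThreadContext"} <= parent["signatures"]:
            continue
        for start, end in sorted(regions.get(proc["pid"], ())):
            if start == IMAGE_BASE and kb(end - start) != on_disk_kb:
                hits.append({"pid": proc["pid"], "parent": parent["pid"],
                             "injected_kb": kb(end - start), "on_disk_kb": on_disk_kb})
    return hits


if __name__ == "__main__":
    regions = regions_by_pid(DUMPS)
    for pid, regs in sorted(regions.items()):
        for start, end in sorted(regs):
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {kb(end - start)}KB")
    for hit in hollowing_candidates(PROCESS_TREE, regions):
        print(f"hollowing candidate: pid {hit['pid']} (parent {hit['parent']}), "
              f"{hit['injected_kb']}KB mapped at 0x{IMAGE_BASE:X} vs {hit['on_disk_kb']}KB on disk")
```

Two things worth noting when reading the output. The parent's largest dumped region, 0x8C0000-0x9B6000 (984KB), is the on-disk 956KB rounded up to section alignment and sits at a randomised base, whereas the child's payload sits at the fixed 0x400000; that is the pair of facts the check keys on. The check is silent on PID 1476, for which the report dumped no regions, so its role in the chain cannot be judged from this page alone.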

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2036-54-0x00000000008C0000-0x00000000009B6000-memory.dmp (Filesize 984KB)
  • memory/2036-55-0x00000000002A0000-0x00000000002E0000-memory.dmp (Filesize 256KB)
  • memory/2036-56-0x00000000001D0000-0x00000000001DE000-memory.dmp (Filesize 56KB)
  • memory/2036-57-0x00000000002A0000-0x00000000002E0000-memory.dmp (Filesize 256KB)
  • memory/2036-58-0x0000000000270000-0x000000000027C000-memory.dmp (Filesize 48KB)
  • memory/2036-59-0x0000000005710000-0x00000000057BE000-memory.dmp (Filesize 696KB)
  • memory/2036-60-0x0000000004460000-0x00000000044DC000-memory.dmp (Filesize 496KB)
  • memory/572-61-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-62-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-63-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/572-66-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-68-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-71-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)
  • memory/572-72-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize 464KB)