darkcloud | e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395

Analysis

max time kernel
37s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
Size

1.3MB
MD5

accbbf5ca2c67a5d6f0b4bab71b5a81d
SHA1

61816822b97a25ad36575520560c4eaca7876d7c
SHA256

e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395
SHA512

4fce6d4a824ff290c3b36d54e477c1d17050d28cc2d43defa4aa90f7715bc9b2b5a41b8b41518d573206788ccd36b7026f5d65064e7465809680b6be97aa8c2f
SSDEEP

24576:DTbBv5rUDwcyw5LAXjXXRQFX8KZHbK5sUdSpUUBQjqfYTfz7V2EggiVE1+:dB1cL5UtQSWobCUUZ8V2Egy+

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 3 IoCs

pid	Process
760	kjnoepc.pif
648	RegSvcs.exe
1764	RegSvcs.exe

Loads dropped DLL 3 IoCs

pid	Process
1868	wscript.exe
760	kjnoepc.pif
760	kjnoepc.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kjnoepc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\kjnoepc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\wdnwqnp.msc"	kjnoepc.pif

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 648	760	kjnoepc.pif	31
PID 760 set thread context of 1764	760	kjnoepc.pif	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1868	2016	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	28
PID 2016 wrote to memory of 1868	2016	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	28
PID 2016 wrote to memory of 1868	2016	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	28
PID 2016 wrote to memory of 1868	2016	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	28
PID 1868 wrote to memory of 760	1868	wscript.exe	29
PID 1868 wrote to memory of 760	1868	wscript.exe	29
PID 1868 wrote to memory of 760	1868	wscript.exe	29
PID 1868 wrote to memory of 760	1868	wscript.exe	29
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 648	760	kjnoepc.pif	31
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30
PID 760 wrote to memory of 1764	760	kjnoepc.pif	30

C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-ru.u.vbe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif
    "C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\KMEDFD~1.PHQ

Filesize
710KB

MD5
eaead7d8d4ba97c305489a6ddbd159b2

SHA1
0fba620f34155f5b713bc9f100ac645689a6597a

SHA256
79958339e5bc02f83b8503ee985901e10697cb7d69b5257c24c90576f7311e93

SHA512
1c7f5ec4e7336a6cec7c765ed6c7ec903f9cef28bd961ea269b11ec9a53311f438f0f8a25cfec7ecc62049914b9cf7f50b95ef42d2bb8265583201d304952190

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

Filesize
1.1MB

MD5
b89e79a5a62c0264887be1c4ffae159d

SHA1
d682713d6dce62f880e3c47f0745f0869a928167

SHA256
1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

SHA512
dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

Filesize
1.1MB

MD5
b89e79a5a62c0264887be1c4ffae159d

SHA1
d682713d6dce62f880e3c47f0745f0869a928167

SHA256
1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

SHA512
dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\oejuf.pdf

Filesize
36KB

MD5
91e9ffe8f25752e6bf3b68772c1597c3

SHA1
3e4b2f8c1fa1f43b2446c31892a12c53c19d70b0

SHA256
e0bf95af30877dc005c3a4188b07acec9f8304c6077f94bb6601141945b94669

SHA512
8c15224737894a0f0b2a8f9a771d22b16ed8acbeba70d660e73fadf3905aa550ef574dc1cb1935f89d9ca47dfe3a81b63687591a5f62a6e81afad59d9651b09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\wdnwqnp.msc

Filesize
104.2MB

MD5
ff9335ab2246b275af6f3d74ae9a990e

SHA1
214327ef48e858f8e980ee97b174225441770dbb

SHA256
c6cf8e1b8c95ad76f9bf1cd8d2e8aa59d08b5a6d968cae992415dc9d8a7167e5

SHA512
97ffb7effd04cf3108b7b84911b3bccbbe16f919322cc489695f9c63826472a1c891da82b85cb1ac041fad934a911566d587124627c5cc4c66d5d6d3e197dc15

Download Submit
C:\Users\Admin\AppData\Local\temp\vsbo\Update-ru.u.vbe

Filesize
58KB

MD5
fd341bcb4b6d49d85ce7a6f5cd41189c

SHA1
61bb21e3a95a482ee2bd56afa5988ce3d6d70305

SHA256
49682c4ff8ce861f43dfebae6bd90b6ad4d5767dd1c23d88b8ee7c8c700840fa

SHA512
27993836fd1d58e6e296736df124c49e3aa75fd1f8cb70074cfb0007b238ab842560aae1fc7e29cc06d37358811cf9f7005944517d46b79f8669373ef9c67b14

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

Filesize
1.1MB

MD5
b89e79a5a62c0264887be1c4ffae159d

SHA1
d682713d6dce62f880e3c47f0745f0869a928167

SHA256
1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

SHA512
dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

Download Submit
memory/648-126-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-129-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/1764-131-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/1764-134-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/1764-137-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/1764-138-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download