darkcloud | e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395

General

Target

e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
Size

1.3MB
MD5

accbbf5ca2c67a5d6f0b4bab71b5a81d
SHA1

61816822b97a25ad36575520560c4eaca7876d7c
SHA256

e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395
SHA512

4fce6d4a824ff290c3b36d54e477c1d17050d28cc2d43defa4aa90f7715bc9b2b5a41b8b41518d573206788ccd36b7026f5d65064e7465809680b6be97aa8c2f
SSDEEP

24576:DTbBv5rUDwcyw5LAXjXXRQFX8KZHbK5sUdSpUUBQjqfYTfz7V2EggiVE1+:dB1cL5UtQSWobCUUZ8V2Egy+

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe

Executes dropped EXE 3 IoCs

pid	Process
2880	kjnoepc.pif
1272	RegSvcs.exe
1972	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kjnoepc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\kjnoepc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\wdnwqnp.msc"	kjnoepc.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 1272	2880	kjnoepc.pif	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1272	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1632	1512	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	85
PID 1512 wrote to memory of 1632	1512	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	85
PID 1512 wrote to memory of 1632	1512	e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe	85
PID 1632 wrote to memory of 2880	1632	wscript.exe	86
PID 1632 wrote to memory of 2880	1632	wscript.exe	86
PID 1632 wrote to memory of 2880	1632	wscript.exe	86
PID 2880 wrote to memory of 1972	2880	kjnoepc.pif	91
PID 2880 wrote to memory of 1972	2880	kjnoepc.pif	91
PID 2880 wrote to memory of 1972	2880	kjnoepc.pif	91
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92
PID 2880 wrote to memory of 1272	2880	kjnoepc.pif	92

C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-ru.u.vbe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif
    "C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\KMEDFD~1.PHQ

Filesize
710KB

MD5
eaead7d8d4ba97c305489a6ddbd159b2

SHA1
0fba620f34155f5b713bc9f100ac645689a6597a

SHA256
79958339e5bc02f83b8503ee985901e10697cb7d69b5257c24c90576f7311e93

SHA512
1c7f5ec4e7336a6cec7c765ed6c7ec903f9cef28bd961ea269b11ec9a53311f438f0f8a25cfec7ecc62049914b9cf7f50b95ef42d2bb8265583201d304952190

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

Filesize
1.1MB

MD5
b89e79a5a62c0264887be1c4ffae159d

SHA1
d682713d6dce62f880e3c47f0745f0869a928167

SHA256
1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

SHA512
dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

Filesize
1.1MB

MD5
b89e79a5a62c0264887be1c4ffae159d

SHA1
d682713d6dce62f880e3c47f0745f0869a928167

SHA256
1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99

SHA512
dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\oejuf.pdf

Filesize
36KB

MD5
91e9ffe8f25752e6bf3b68772c1597c3

SHA1
3e4b2f8c1fa1f43b2446c31892a12c53c19d70b0

SHA256
e0bf95af30877dc005c3a4188b07acec9f8304c6077f94bb6601141945b94669

SHA512
8c15224737894a0f0b2a8f9a771d22b16ed8acbeba70d660e73fadf3905aa550ef574dc1cb1935f89d9ca47dfe3a81b63687591a5f62a6e81afad59d9651b09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbo\wdnwqnp.msc

Filesize
104.2MB

MD5
ff9335ab2246b275af6f3d74ae9a990e

SHA1
214327ef48e858f8e980ee97b174225441770dbb

SHA256
c6cf8e1b8c95ad76f9bf1cd8d2e8aa59d08b5a6d968cae992415dc9d8a7167e5

SHA512
97ffb7effd04cf3108b7b84911b3bccbbe16f919322cc489695f9c63826472a1c891da82b85cb1ac041fad934a911566d587124627c5cc4c66d5d6d3e197dc15

Download Submit
C:\Users\Admin\AppData\Local\temp\vsbo\Update-ru.u.vbe

Filesize
58KB

MD5
fd341bcb4b6d49d85ce7a6f5cd41189c

SHA1
61bb21e3a95a482ee2bd56afa5988ce3d6d70305

SHA256
49682c4ff8ce861f43dfebae6bd90b6ad4d5767dd1c23d88b8ee7c8c700840fa

SHA512
27993836fd1d58e6e296736df124c49e3aa75fd1f8cb70074cfb0007b238ab842560aae1fc7e29cc06d37358811cf9f7005944517d46b79f8669373ef9c67b14

Download Submit
memory/1272-204-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1272-208-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1272-211-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1272-212-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing