Analysis
-
max time kernel
186s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 20:57
General
-
Target
SecuriteInfo.com.Win32.TrojanXgen.29310.exe
-
Size
1.6MB
-
MD5
3d1072986b88dc6184e40ba0df6acfc2
-
SHA1
3dced4443af3c9591c948c827ac5b02bd0d31029
-
SHA256
8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
-
SHA512
6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
-
SSDEEP
24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures
-
DarkCloud
An information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanXgen.29310.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanXgen.29310.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanXgen.29310.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanXgen.29310.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5a57c3655110bd01b6d8d66d258e6663c
SHA12d7b5fe6280f7b62506ff7235aaf8d7235eb12b3
SHA256266120dac36d64df9d56f2e76a1aab60e6f5e5a7ffb8e7aabc7b5b84dd046538
SHA5120902f204e0ace5f47d9c78fe8de4fda2ded47ae4db03851ad11b58e82a86a47ebfdc5dc4fe1979f4d9f9a3a5ced33c2ab16f64d1e3bbfbc254f45652da697385
-
Filesize
1.4MB
MD51ed09c4029b356d190430383bce47c68
SHA15feafc65bdac033bfe965922218718f145296535
SHA25654e2e89e91b1bb34effe83aa6e24204c1828e4f5567fd9b2d98e0dc50df7d44a
SHA512e2d04e2bfd85a2803daf70a6fa357df6de9b23abda47d421c370cc974d9853f932478a638c0dca350c237e2fca021d205dbe098792b83e1d17892692425251ea
-
Filesize
1.5MB
MD528248c8bd65dc3c5b2113ead8d2eeacb
SHA12399361dd7bb077f2ee42c76fdfd5f75a58192db
SHA2569de2ff4b7d68a208d112c6dae856751b9f6e9674655f4bdd34d84200b7ede09d
SHA512faf311c49eda333cdb0a5b0114b66e7dca5c446695696db532a9decb700c25b6ee51975a16700288a98a93ec6b14c290dea280bfcb6c98dd2ab581e2560f15ea
-
Filesize
2.1MB
MD5812478febb7bc08f2753294eb788e85e
SHA150d87dcb7d769a4f0a6e978c76157a69d339b126
SHA256f97ce8e42736076dc90601b20aa7ae225004402a6381308c7e20123436b4a450
SHA512a6c18be1356f73c7c95dfac6fabde30c2e1e6db390b4b6adbef941185915b846392acaf24bfa80b700467317ef3a820c84e81f0a39801cf22a70e4a004aeafee
-
Filesize
1.2MB
MD51f1a59922f17684c427e3b52a63b2e4f
SHA119b4c67e0c1e97c9e4f0a0ee05d5b55187cca709
SHA2564dc6eec88f9c3f7f6ac4de813d4a16fcfa34147396e6bb2d53df67dd16b91bf2
SHA5120f917c64b47a873726493b766e7ca47e7c105482c1733efb52455554e4b73be992202f40e445d27990a879e200b2b979091be752a6ce8522617231881e1b70bb
-
Filesize
1.7MB
MD5e925a1dde776c7f50d0b3bd4385d54c2
SHA10d029c0cccddf759116b97cfbe15bf5035a767dd
SHA256a653e2fb9f116522455239891e0aacfe68d710994bea937b5f79ea3e0732dded
SHA512e08c9e420f20213d12f9bf9ddc3532e5fe83b0e8338e7597aaf7b650611608e31ce477cb220720e4e65ec13eaeb15043ef711e55608de06afc1054c6d3a73ac7
-
Filesize
1.3MB
MD505203711b873d3aea40bdd49d73b3b83
SHA14ef1d79e2828c410a4876c44d1d968b9c8810dc2
SHA2568d5a4c53e89e77f3cd2fc89aa82fb28b08a8574ac9b8746015e98b50db48c7e4
SHA512c61a09b579ed9d7e39f514ce4b080f24d2b8266524e02807c45374c94d14ded2554b89def896f09059f2c49ed25c0e01adeafb1f2eab128c0f0bba8590b4b5cf
-
Filesize
1.2MB
MD55dcd1d137251759058746d0beb5c5032
SHA17f8f1f2655efe36d08154385c1109df554dd9536
SHA2566819aed834675f93c7f5ae23610c687613d78eeea0a3128e40fedacecb2b7bae
SHA512839661e0881f8e8185a1e23b381927fdd5894d961ef10f7865e4282138b3fa4b780d5272519cd80e7b54704938e07371d6210f14f92ff4fba4c964050334c15b
-
Filesize
1.2MB
MD5640f8594892d5ce973b29683d7741660
SHA1f7b859ed92fac1d87b7674f1ce441bb546a881c7
SHA2568ebc306c1be6fa4e6284e03d5432f74ee958fe3fb29ccaf0564fb05bb5f6b5a7
SHA512e3a74c5dcf5c0b83881e199b3fc8171c79ba94a402538e492c0b0b324fbc817a03cf4fd502127d5e49ff3524cee67ef993da75adb0739cb1f109cecce62824e3
-
Filesize
1.6MB
MD5e0d12bc9fa704599233a12a4e0479594
SHA137ff78ea44459fcdc8791c176228d5278b1b7c1f
SHA2565e63c02a1200cd8ffec329907e61359f2ec89f06140221cf8a4e38882df6bf39
SHA512b7f44c57842cd29e10e9c04d623c11798077375613626eabd31b514f668def7b70f1f644270e7a3d74c4a35b045622c0d4c2784997191733020267251877512e
-
Filesize
1.6MB
MD5e0d12bc9fa704599233a12a4e0479594
SHA137ff78ea44459fcdc8791c176228d5278b1b7c1f
SHA2565e63c02a1200cd8ffec329907e61359f2ec89f06140221cf8a4e38882df6bf39
SHA512b7f44c57842cd29e10e9c04d623c11798077375613626eabd31b514f668def7b70f1f644270e7a3d74c4a35b045622c0d4c2784997191733020267251877512e
-
Filesize
1.3MB
MD5eaf58c14b6143670cdb19f845796f094
SHA1a60be48fa743a5f7e77a4e22c733f47f97320100
SHA25651713f09071a1e3fcbd3326220276160041ffff143ec7b21eebd848d1794ea9d
SHA5129b4940c6877567160388edc534378fa1bc378c92164b004f72948bc85c45c071ebdc4cc7a9c1204624eaeb35f93146477e4f53ad7e3817e24f38d207a34eea82
-
Filesize
1.4MB
MD5622a7f26756b31ca3b8aaafd6a599d63
SHA13345017f4101076e70a725c6db2ef47a775652f3
SHA256cc1d2b74dd36c2d270ca8186427e6d2dcc6d3e49029b77c462aacffe986bd563
SHA5122cd6f92e669f9df256c7f57b480ef8ec20536dd3ff1af59660a50fdda005511a1ad33faaaf8f7d7a118cc9eb7c5ac7db49d629eb417bae27a3777cf301484e03
-
Filesize
1.8MB
MD5692a67a05f0e3b7df76310f5993541ca
SHA1de31405f0e08fc5764beb9bc67985a906ff04a53
SHA2567628d99388c8bf6fb0e3226960990674517f52d538609be37a0598b1df10416a
SHA5120ce68a1f2d453fa1feff72b997962b936b0652d4763bd39ae9563008f965879f30009e7000ab8f628251cae37fc48c9575b83c28d921605180b4fddeb604f5f1
-
Filesize
1.4MB
MD5a872a680570a2d329477166a84649d8f
SHA195c5a47be97c0243593a4b0e0ca7e5577f50c295
SHA256bd4d33ac838b72a68c889c31c2c46fb99320e6f11ba7e771c5624272464d6bb0
SHA512a9d34c3d8ec2b849efe9ba0c5e43e711021df310671934edb1a694c413e8a48f414419a710fac2cdb0ef28559018f99f95e4a1b99e7436f3377c7b5206f32c95
-
Filesize
1.5MB
MD55fec79b5177f3369d7a15e8b73b1ed9a
SHA18794c363bbecc52490a5284eb7d40c2962ad0490
SHA2567f93cb9beb20f9aea7d58e6eb2e314320e4d4cbc3f39d2a997f2b12d0e1b8e82
SHA5125d2eaef101fa6c99e7d9733949d31c70ee5cbd3c52f5ff408024f8d5a6804d5f035f10c773a28eb4e3189fde6990616ea5f2d5615263852dcc1696749be13f0d
-
Filesize
2.0MB
MD5e8fd2c2f8cb97ae11c2bffbf6551c938
SHA154762630b0f8452c2451be88665cd93671110b64
SHA2569bb1dd072af816dbf578a612fba6f7622d6c28af8f2f057d8a51e0e44e64bc3f
SHA5126b7b1ca18b4f11a04c0f1b9a3174ae32a4d4755fc95b5127e8dc2fb4ce2249628eab16a24693562d45817dcc14bff214be521ae05ca1f4f2c60dc2f7c081d792
-
Filesize
1.3MB
MD5fcecb2a8ca39db7ce08c0f99160eba1e
SHA1e9ca99aff600b945bd4d0f6be849b205161ec1d5
SHA256a4a777e8c6bbf01816ff9307af55911fb1d311f17458bcd74d49d6a0c6a31fb6
SHA512685a7d5319554d4c487b1108a420c03834b2418fd8018681e5cacd181e779998628787c4f02b9d1cd11d30da465457559c0250d04c1a341d7f39501474295a99
-
Filesize
1.4MB
MD531a8bfc91ae062b8d4118be2d515d687
SHA1bcca4b958be563dc5387e014b7cfaa2162ef451b
SHA25698b9ead4ad17a0f33f71ec26437d487a8e923037c51247973a8c7b9b5e3e260c
SHA512a0a3310c8645ff2a8cdae31d4e9f831d92bf5bf01fec9aca8649128394153bb345856ab90b832f3e4c4f44c074f63a48cdce2fbf1f7722ac7fb13a6f6fbab57f
-
Filesize
1.2MB
MD550042fc53b09665e46c89f0566e108a3
SHA10e7193f91dccc796ee0532e25d351fbe5edaf50d
SHA256ad2eed0dafa94a928875799cd8b06d8869cc7a9a93e66f52c3e5e69354ac1f0f
SHA512c430aca00b43d33583776e7b6e66b4f64b66352f215a71c1ff2010ca6e8e12dc2d797ff0fbd8c6a297b8211f5cbf4893d7b24905d904a0885eee5baef4f17f2f
-
Filesize
1.3MB
MD56f0735336f2060ffb3004523c2a763d9
SHA1cb763e856791a04f49e2dc89c9e1ed3825e3553a
SHA2564a5957fb455f663063d3e9b4c5425c4ba977d1b9b8d071d78c20e1a7e078052e
SHA512b3dc61868abc3eff5589d73e10447aa940f603112424c2b4349835d83838ca4958b62e6bdad0e377837eff178492fdef763ded7b64b3fb676462f7606904475d
-
Filesize
1.4MB
MD5c105623d9514f35f76513769b41eec15
SHA149edf5c526e371587ab22c63b3c2882e776895d5
SHA25652706752166ccfc35409e603616257b27e16a2069cd689038bb60151335f3523
SHA512b6dc2efdaed01eceb709aa72d646a1bcdc4253d84a50e0aca3e714298305c1392276f7b9f77740e103cf29afa3c74d8e85baa2484e8013154739e4f3901b80f8
-
Filesize
2.1MB
MD5ce9ed76ba23fc87a4f1ab8ccf98fcf60
SHA15b65bd92749268f7c6b31202a6e2e1a06db5c96d
SHA2564f20b1c993b324bbb0da45034e67227759e42afb445257408a99ed167c932762
SHA51254a61a268f489456322c17871079998aedfb4ae3ebbdb3e60417c7660809cfba591a2e6f88a0ac8bde68f0fe6719c4f71a1e54442f3293da2908d5a58efda6f5
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
2.1MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.5MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB