Malware Analysis Report

2025-04-13 21:07

Sample ID 230723-hd4masde24
Target 936-506-0x0000000000400000-0x0000000000477000-memory.dmp
SHA256 856ef00b309506f974d75cd7a1354d2009e36c75fd30264c3507ba805ec7b173
Tags
darkcloud
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

856ef00b309506f974d75cd7a1354d2009e36c75fd30264c3507ba805ec7b173

Threat Level: Known bad

The file 936-506-0x0000000000400000-0x0000000000477000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

darkcloud

Darkcloud family

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 06:38

Signatures

Darkcloud family

darkcloud

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 06:38

Reported

2023-07-23 06:40

Platform

win7-20230712-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 06:38

Reported

2023-07-23 06:40

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{35687760-C69C-459A-8C73-4D86BF2B0A3E}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\wsuA75C.tmp


C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat



memory/3616-545-0x00000256C9340000-0x00000256C9350000-memory.dmp

memory/3616-564-0x00000256C9440000-0x00000256C9450000-memory.dmp

memory/3616-580-0x00000256D17A0000-0x00000256D17A1000-memory.dmp

memory/3616-582-0x00000256D17D0000-0x00000256D17D1000-memory.dmp

memory/3616-583-0x00000256D17D0000-0x00000256D17D1000-memory.dmp

memory/3616-584-0x00000256D18E0000-0x00000256D18E1000-memory.dmp
