Analysis Overview
SHA256: 856ef00b309506f974d75cd7a1354d2009e36c75fd30264c3507ba805ec7b173
Threat Level: Known bad
The file 936-506-0x0000000000400000-0x0000000000477000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Darkcloud family
Drops file in System32 directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-07-23 06:38
Signatures
Darkcloud family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-07-23 06:38
Reported: 2023-07-23 06:40
Platform: win7-20230712-en
Max time kernel: 141s
Max time network: 123s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-07-23 06:38
Reported: 2023-07-23 06:40
Platform: win10v2004-20230703-en
Max time kernel: 149s
Max time network: 147s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{35687760-C69C-459A-8C73-4D86BF2B0A3E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.214.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.221.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wsuA75C.tmp
| Hash | Value |
| --- | --- |
| MD5 | c01eaa0bdcd7c30a42bbb35a9acbf574 |
| SHA1 | 0aee3e1b873e41d040f1991819d0027b6cc68f54 |
| SHA256 | 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40 |
| SHA512 | d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | a37a38eddf59c6ce17db1cb073b5293f |
| SHA1 | 86c8d5ec01ab3eeba6dfd7fa020e22cfe114e5ba |
| SHA256 | 3390dc23230ff084077a447cb524827ee053e485ba35f5db470cecbf62e0f7df |
| SHA512 | c8afda83a48f21cf8ed249da4dad4365db6cf246afa80eec79ce0418289204cc9f768bbd734a1e2ac69003b412f633094bea2f268dbf4467c2af2c301440a816 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 9b6102abd8c38f791f0517bad60306eb |
| SHA1 | dd3a5d06dc30f343b8da39e754cc9fc1235f5ec6 |
| SHA256 | a99b3b7bde22c685295a450d8cc3b4f5f6a767af2f93c9782f9b4b9f9af29316 |
| SHA512 | 18dce146d7e2a36bbbb2a6fc4c5ffb3e645ceeb2f4e58734e1b680c4f89a41b3203845e36f4da03d5112063b523be59ee98213b390f329165dd477aebdeed051 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 77426eebc0801c4e5ba8051f23fd497f |
| SHA1 | c6097919a73afa4f2cd46d9fca1a5bb806315c9d |
| SHA256 | 3c73b74f0e73bcd5777186eaa9bb1b5f081f3d849202d5603fe398053f348fcc |
| SHA512 | 0ea92e2cc42c458265a7e94468eb5b6cd13f2f7d98ca69a0bbabd5c817ba604a4a4fbf11e61ec27a394f9a4fc08d0dcf2c21cf236797f60c7acb834f2852c283 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 6e95823fdf5aa50e1e65b23f74a3bbed |
| SHA1 | f100fbc86c1cff86ac3283edf127e2b1f03f3920 |
| SHA256 | ad34a1a08bc40a234728fef3b2e113a9f101e96f03f0b94934d5d4f511bb1172 |
| SHA512 | afac560f387dd9dfb8a220f8b2038f1fab2bb75453fd63cb901b6bb7c91ddaa02655c92bff7bdaa43090e6eb3d44a38dc77e1339f9dfe752f2813d5c1cf08a20 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | f6a70cebf35fca256c80056c3b766c86 |
| SHA1 | 43848e03e1b70efd07cb574c8bed3d453021e6c4 |
| SHA256 | 84487dc415fbe3a5bfd7cbda31091c6358eef3ff24f401a2ca7083c5ffd55c7d |
| SHA512 | ec2432afc4cc445b2a86deb8b835c844adb950b85a30511150c30fde34e2ba393fe44c2fee2e7bb7fc37f733cbea10a52c12cbe341d1589a023bb50de414d7b3 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 5c76878e092092d12763e75c7794a795 |
| SHA1 | 80a6d01b96ecf6cf54b631df986c9824d42ce891 |
| SHA256 | 9d07631f9cd34b1f41c12c27e0c67415e3447dc0dd266616280f2a272e140206 |
| SHA512 | 218f7404f3980bc03aa1ae791b686fcb088f9f061665046bd07d2dc111977b4902a8e25e4c9cacad0f93a93606c032b728e3262613a727313f1e58cf1388cd67 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 363d36de5e210cba712906de9a45f1bd |
| SHA1 | 94ad919309090a6108256f8b67af9d7f80e87f32 |
| SHA256 | 5313f503a3f15ae393d57ee3b4d29cd642009afe9eb16f16e79982c86c5d9697 |
| SHA512 | c1f4b9695cf76fdb07eebd54c58046f2221f50f416917934b3c24efd56328defaf549ee77671310604d0a83a0303e2fecd5b9b1f592d8a6c0ab4b25ea15bea6c |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 4fe3a64fdd3f2c670031284b56cc14be |
| SHA1 | eeb30e34c3ba51eb5a41677a61e1cf82eb79fbc4 |
| SHA256 | 5a02a3009b0b60327fd7494a37326ee894c0d31a3274041967232a4536ac2989 |
| SHA512 | 81f032d81109b80f90664ca43b988c40d99bedf2856e54d4615043b025c24acb9d133e45399bed4c45ebfd720294c0f5eb64fb7c57c5cbae4fb5a5062b015377 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | df872d21b1c76b7c19f34e7284d67cd4 |
| SHA1 | 954b373eaaa851b384536d49ab714766855d07c8 |
| SHA256 | d20b91a4e62dedb37f55b7a1a31e5e54dc2a3baec0668194861dcc129bc8768a |
| SHA512 | 8f979c2383dc120d5c0e20842dd037fcb5ca5fea806ed682a30e70cbb42ca0613d34f5ef2d4bccef593215c384145e32be3e87466db75a5924a5807e645cbc57 |
memory/3616-545-0x00000256C9340000-0x00000256C9350000-memory.dmp
memory/3616-564-0x00000256C9440000-0x00000256C9450000-memory.dmp
memory/3616-580-0x00000256D17A0000-0x00000256D17A1000-memory.dmp
memory/3616-582-0x00000256D17D0000-0x00000256D17D1000-memory.dmp
memory/3616-583-0x00000256D17D0000-0x00000256D17D1000-memory.dmp
memory/3616-584-0x00000256D18E0000-0x00000256D18E1000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| Hash | Value |
| --- | --- |
| MD5 | 36269a8e7b9e17f6c9dd15b5974a4e23 |
| SHA1 | 08c1eacc4454ab456816eb1fd86bd8bd9c4ca8a1 |
| SHA256 | 94dc365928ff90b1d4156ffd6c3b1f1acbff425cab077e9d0a3904a7a225d732 |
| SHA512 | f8b975e92d18e6316362fc5d69057c8b32eb148922f207e31d11cf9023b5aa8e5de8d14e98c740cc64a293164a333828ef1ab962c47153181c587b304b712a5a |