Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 24/07/2023, 11:01

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: rDHLinvoice.exe
- Resource: win7-20230712-en
- 4 signatures
- 150 seconds
General
- Target: rDHLinvoice.exe
- Size: 1019KB
- MD5: 9df0f9a6c33e8fae591a26bab2783c33
- SHA1: 674f91753f7196278190e49ec9e36312259fc283
- SHA256: 262531be1dc4d521469be8ff7591f9d40861bcf7de7ff4f8a0ee1ba542713c0d
- SHA512: cd733845846b2fa32c3f8a382e1d807e1428d6f96d6aa6505495e3b029784a88ae8598c268f1ad4b24318585d97d056c47542722893b87938e60e0111f78ad50
- SSDEEP: 24576:vFujX5NCaEaKZjF2VQUyj+iBve3HdXSrJN:vwej+eeNXSrJN
Malware Config (Extracted)
- Family: darkcloud
- Attributes:
  - email_from
  - email_to
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process          procid_target
PID 2500 set thread context of 2300   2500  rDHLinvoice.exe  30

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2300  rDHLinvoice.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                           pid   Process          procid_target
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
PID 2500 wrote to memory of 2300      2500  rDHLinvoice.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe (PID 2500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe (PID 2300, child of 2500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe"
    - Suspicious use of SetWindowsHookEx