Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2023, 11:01

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: rDHLinvoice.exe
- Resource: win7-20230712-en
- 4 signatures
- 150 seconds
General

- Target: rDHLinvoice.exe
- Size: 1019KB
- MD5: 9df0f9a6c33e8fae591a26bab2783c33
- SHA1: 674f91753f7196278190e49ec9e36312259fc283
- SHA256: 262531be1dc4d521469be8ff7591f9d40861bcf7de7ff4f8a0ee1ba542713c0d
- SHA512: cd733845846b2fa32c3f8a382e1d807e1428d6f96d6aa6505495e3b029784a88ae8598c268f1ad4b24318585d97d056c47542722893b87938e60e0111f78ad50
- SSDEEP: 24576:vFujX5NCaEaKZjF2VQUyj+iBve3HdXSrJN:vwej+eeNXSrJN
Malware Config

Extracted
- Family: darkcloud
- Attributes:
  - email_from
  - email_to
Signatures

- Drops file in System32 directory (1 IoC)

  description  | ioc                                                                                                                                   | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5DFBDE98-9FAF-447D-AC97-4DAE979B5BDE}.catalogItem | svchost.exe

- Suspicious use of SetThreadContext (1 IoC)

  description                            | pid  | Process         | procid_target
  PID 4360 set thread context of 1772    | 4360 | rDHLinvoice.exe | 95

- Suspicious use of SetWindowsHookEx (1 IoC)

  pid  | Process
  1772 | rDHLinvoice.exe

- Suspicious use of WriteProcessMemory (8 IoCs)

  description                        | pid  | Process         | procid_target
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
  PID 4360 wrote to memory of 1772   | 4360 | rDHLinvoice.exe | 95
Processes

- C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe"
  PID: 4360
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rDHLinvoice.exe"
    PID: 1772
    - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 2096
  - Drops file in System32 directory