Analysis

max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 24/07/2023, 17:30

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: __T_____.EXE.exe
  Resource: win7-20230712-en
  5 signatures, 150 seconds
General

Target: __T_____.EXE.exe
Size: 973KB
MD5: aba88143cd94bee22ac746f3ffa282c7
SHA1: 378ddf1acf1f60f0601672b9ae4a14a1a0166e7a
SHA256: b486b79e598d35b293908f445bd1c571d0a7439e548928f19c21a0d70cfcf330
SHA512: 521f8907e8d65a758b599a208790fd8d2ea8706bd7ef5ba55cffb6fad1fb0a7737e95c1c174948a569af35dddf51065ed09b9913969cbf6bb8189229c613536c
SSDEEP: 12288:QOvJRBusyx5tOIIRwaaLGBlN6mfc7of3hdwP/cQi3pDvi4OWbDlX9hle4dDMG3GQ:TFud+KaaLaNc7c3v8ultBeuZB9
Malware Config

Extracted
  Family: darkcloud
  C2: https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage?chat_id=1909112828
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process            procid_target
  PID 1716 set thread context of 2240    1716  __T_____.EXE.exe   30

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2240  __T_____.EXE.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2240  __T_____.EXE.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process            procid_target
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
  PID 1716 wrote to memory of 2240     1716  __T_____.EXE.exe   30
Processes

1. C:\Users\Admin\AppData\Local\Temp\__T_____.EXE.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\__T_____.EXE.exe"
   PID: 1716
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\__T_____.EXE.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\__T_____.EXE.exe"
      PID: 2240
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx