Analysis
- max time kernel: 149s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2023, 17:39
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: __T_____.exe
- Resource: win7-20230712-en
- 7 signatures
- 150 seconds
General
- Target: __T_____.exe
- Size: 973KB
- MD5: aba88143cd94bee22ac746f3ffa282c7
- SHA1: 378ddf1acf1f60f0601672b9ae4a14a1a0166e7a
- SHA256: b486b79e598d35b293908f445bd1c571d0a7439e548928f19c21a0d70cfcf330
- SHA512: 521f8907e8d65a758b599a208790fd8d2ea8706bd7ef5ba55cffb6fad1fb0a7737e95c1c174948a569af35dddf51065ed09b9913969cbf6bb8189229c613536c
- SSDEEP: 12288:QOvJRBusyx5tOIIRwaaLGBlN6mfc7of3hdwP/cQi3pDvi4OWbDlX9hle4dDMG3GQ:TFud+KaaLaNc7c3v8ultBeuZB9
Malware Config (Extracted)
- Family: darkcloud
- C2: https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage?chat_id=1909112828
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 5096 set thread context of 1812 | 5096 | __T_____.exe | 95
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1812 | __T_____.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1812 | __T_____.exe
- Suspicious use of WriteProcessMemory (8 IoCs, all identical)
  description | pid | Process | procid_target
  PID 5096 wrote to memory of 1812 | 5096 | __T_____.exe | 95 (8 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\__T_____.exe "C:\Users\Admin\AppData\Local\Temp\__T_____.exe" (PID 5096)
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\__T_____.exe "C:\Users\Admin\AppData\Local\Temp\__T_____.exe" (PID 1812, spawned by process 1)
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx