Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Purchase List Xls.exe

windows7-x64

10

Purchase List Xls.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2023, 07:43 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase List Xls.exe

  • Size

    1.1MB

  • MD5

    fdbce7853fd4e5e1e10d6060f6dae122

  • SHA1

    32a258bccbeda4b9bba2d7bbc4679a31fa58bb81

  • SHA256

    8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde

  • SHA512

    d2c60a96d930296644ff3672f371c070bc9510ecb479fcc9585d9eedc3b7b2fe0186360570d16aa6ab813c772b821dcd8d55b81752e9de86c136435c0711fbf3

  • SSDEEP

    24576:yV1gBwoZLueV335shh2AvxocjcmLH3yd2OluON4fA9uC:yV1zoQAZbAv2vmD3yd2OluON4fA9u

Score
10/10
darkcloudevasionstealer

Malware Config

Extracted

Family

darkcloud

Attributes
  • email_from

    dkl1@lucd.shop

  • email_to

    dkl1@lucd.shop

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCCATp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA841.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2660
    • C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe
      "{path}"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA841.tmp
    Filesize

    1KB

    MD5

    f6f12f9c971f93ff022761f020d4faf7

    SHA1

    c66c7b71a738e8735afbe6e5ea7dd2f6174ee53b

    SHA256

    7317644994b253b322aad04da43bde9cc093610af4dad22430fbe230eb9406f8

    SHA512

    4a8e288e361156422b016eb043157c2727374f7d07219c4d53058ac0329906f854798b4adfaf5b3a5fe39cddd8d5353068ab5966b85eb25b665ec0326181a63d

    Download Submit

  • memory/2480-4-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2480-1-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2480-3-0x00000000003C0000-0x00000000003CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2480-0-0x0000000001130000-0x0000000001248000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2480-5-0x0000000000380000-0x00000000003C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2480-6-0x0000000005390000-0x000000000544A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2480-2-0x0000000000380000-0x00000000003C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2480-7-0x0000000004920000-0x00000000049A2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2480-23-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2792-13-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2792-15-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2792-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-19-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2792-21-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2792-11-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2792-25-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.