Analysis

  • max time kernel: 148s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-01-2024 09:53

General

  • Target: LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
  • Size: 1.8MB
  • MD5: c43c2a5d2bab9cd217e91c14d302c835
  • SHA1: 943495ff135a870fe8d0a9886593b7610f0a4a05
  • SHA256: 44fbccda88d6e6050b012ee0d4d32c20a832f6ffe1d90158f4b0a3d42578ae18
  • SHA512: b8673280a0e468b9921df960216ea0123b4e75a7e325072d26ac214528d51964b32ba604e1d97ca6676cbd4ef3645452958a15b0a0b3ad70704bff532b3d0c7d
  • SSDEEP: 24576:qgeLSt2iaVQY0Vdn/Q55O6tIPHvNP1D1KZm6LSt2iaVQY0Vdn/Q55O6tIPHvNP1j:UfVQfoCNPN0ZmofVQfoCNPN0Zml

Malware Config

Extracted

  • Family: darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Modifies file permissions (1 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoCs)
  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4268
    • C:\Users\Admin\alWFwCPZYm.exe
      C:\Users\Admin\alWFwCPZYm.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2724
    • C:\Users\Admin\xXM7jN.exe
      "C:\Users\Admin\xXM7jN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1284
        3⤵
        • Program crash
        PID:4708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4508 -ip 4508
    1⤵
      PID:2712

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize: 46B
    MD5: 31238beea1da2441e737243c7bf7eef1
    SHA1: 3dca080f1b8d273f4141fcfcd563bafbe3cf6e19
    SHA256: cf3fd3c008c48db96c9892214c6ae5190c299c1bea44d029db1bdd0cb779740b
    SHA512: bb5606d4845226c35cbcdbae0bc32af9819f83c5ac3f5caa05faf7803d1971499e44fe850a79f920282a39b134d53a21aa753bb3932345c87035bf2bedebe43e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc5ptew0.w3s.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp
    Filesize: 1KB
    MD5: 3ba1e01e023355281bf152bf2af6bcb7
    SHA1: d96da9eb2d2de95775c6af47e4e210d1c0c2e600
    SHA256: 49c6985bfec5e7f0649ee264697daab57cb7bd77f301ef63bbec57e0156be9f3
    SHA512: e56459ca7ad15ca9189ab1cb7024aa1545b9af32bae900db68019bcf2c2eeffa942d45b91bb38639205b47502a6808cadf3ce4016e8415ab9c5f6912686df2f6

  • C:\Users\Admin\alWFwCPZYm.exe
    Filesize: 278KB
    MD5: ee32f219486ce1932227f04eebf658c9
    SHA1: 4e09377d4c70f802976cdf3e4ca1147031fddb90
    SHA256: 09dca263933ec219226d1f0da9d886e7c5ddf5fef52f3a0232f8e6fc07a7db5d
    SHA512: ca3c4e744bc7f72a21cae45c2155e57cb334d5b98233ed420d6b2de762085621b85564f4a279d7539f704364f3703eff0f9e07ce2fa2a872f1aa3608f9e91940

  • C:\Users\Admin\alWFwCPZYm.exe
    Filesize: 421KB
    MD5: 6b51945da574b5a59949da9ec64634ac
    SHA1: 4b5d014cd2fbfe841635958f290f2bfb5d6aa8c4
    SHA256: b1a7b2f08874731e125d79556afc3fb4689e2472971beb42ff709fe2c15caa8d
    SHA512: 0a95ec7e5a9726e931c791d89ed218e8ba9c3fcb6fa08ec2b3ee319142773486b3b0531bfddd69f92fec66b4c0715e388193ed4760e924e82bad899528ed620e

  • C:\Users\Admin\xXM7jN.exe
    Filesize: 103KB
    MD5: 486b2bfa2c194ec6bac4582f90ec5abf
    SHA1: 92c8fe1a9027a3918b1324ca010ae6bc2cbc6e59
    SHA256: 9d4a521e9a4370d4fa97783403cfdc12489a2ec8b19c56508aac149491e66517
    SHA512: 007a7dfc4ea48523c8233bcae086d33106d0dfb6483e2bc270e172180abbd8604112cb74daaf204eb81cceb2e20cab8464491a569467c0fc0c027238f6191275

  • C:\Users\Admin\xXM7jN.exe
    Filesize: 26KB
    MD5: 9e5a5cd97d0d2fd85c73eb768b71eafa
    SHA1: a67af7b93c92dc65c3cbec84ecc1d82e4b50bf99
    SHA256: ac5ba2f18dee1e8f6700e63f5ac09831ebdd725b24b3c83fcf5280023455518c
    SHA512: 2f44ee8a86277344b0a2c9223e4107f85abd03e57a8c0c8fe7ec2af309559e6a7eea16e6475c157891402e54a79dca09e9250bbbefb5fdb23510ce990ac45007

  • C:\Users\Admin\xXM7jN.exe
    Filesize: 55KB
    MD5: d1428f4056286654353dce96ec2d51ef
    SHA1: 5c8b5b9aa451a659e5d131ee290bbcbc27f4b2d8
    SHA256: 7efded20320193cdab8e8aa636c477d87376a1851b4ac036b2b1b5c94cc77b50
    SHA512: 2b55969ddf1cf682cc4116ff32ba98626dca16fce4a207e327908b3884fad82d853d5a613ff2ae90d2e8bec265d93d1da9e6bb9958b01778eee1945c8b0f1746

  • memory/1848-32-0x0000000005C40000-0x00000000061E4000-memory.dmp
    Filesize: 5.6MB

  • memory/1848-70-0x0000000006D60000-0x0000000006D78000-memory.dmp
    Filesize: 96KB

  • memory/1848-87-0x0000000009AB0000-0x0000000009B4C000-memory.dmp
    Filesize: 624KB

  • memory/1848-33-0x0000000005770000-0x0000000005802000-memory.dmp
    Filesize: 584KB

  • memory/1848-62-0x0000000005810000-0x0000000005B64000-memory.dmp
    Filesize: 3.3MB

  • memory/1848-30-0x0000000000CB0000-0x0000000000D8E000-memory.dmp
    Filesize: 888KB

  • memory/1848-101-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/1848-65-0x0000000006310000-0x000000000631A000-memory.dmp
    Filesize: 40KB

  • memory/1848-79-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/2284-137-0x00000000071F0000-0x0000000007293000-memory.dmp
    Filesize: 652KB

  • memory/2284-139-0x0000000007350000-0x000000000736A000-memory.dmp
    Filesize: 104KB

  • memory/2284-149-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/2284-145-0x0000000007690000-0x00000000076AA000-memory.dmp
    Filesize: 104KB

  • memory/2284-146-0x0000000007670000-0x0000000007678000-memory.dmp
    Filesize: 32KB

  • memory/2284-144-0x0000000007590000-0x00000000075A4000-memory.dmp
    Filesize: 80KB

  • memory/2284-143-0x0000000007580000-0x000000000758E000-memory.dmp
    Filesize: 56KB

  • memory/2284-123-0x000000007FC10000-0x000000007FC20000-memory.dmp
    Filesize: 64KB

  • memory/2284-124-0x0000000006FB0000-0x0000000006FE2000-memory.dmp
    Filesize: 200KB

  • memory/2284-142-0x0000000007550000-0x0000000007561000-memory.dmp
    Filesize: 68KB

  • memory/2284-141-0x00000000075D0000-0x0000000007666000-memory.dmp
    Filesize: 600KB

  • memory/2284-125-0x0000000075540000-0x000000007558C000-memory.dmp
    Filesize: 304KB

  • memory/2284-138-0x0000000007990000-0x000000000800A000-memory.dmp
    Filesize: 6.5MB

  • memory/2284-140-0x00000000073C0000-0x00000000073CA000-memory.dmp
    Filesize: 40KB

  • memory/2284-135-0x00000000065D0000-0x00000000065EE000-memory.dmp
    Filesize: 120KB

  • memory/2284-136-0x0000000004D00000-0x0000000004D10000-memory.dmp
    Filesize: 64KB

  • memory/2284-95-0x0000000005340000-0x0000000005968000-memory.dmp
    Filesize: 6.2MB

  • memory/2284-93-0x0000000002720000-0x0000000002756000-memory.dmp
    Filesize: 216KB

  • memory/2284-97-0x0000000004D00000-0x0000000004D10000-memory.dmp
    Filesize: 64KB

  • memory/2284-94-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/2284-122-0x0000000006020000-0x000000000606C000-memory.dmp
    Filesize: 304KB

  • memory/2284-110-0x0000000005270000-0x0000000005292000-memory.dmp
    Filesize: 136KB

  • memory/2284-121-0x0000000006000000-0x000000000601E000-memory.dmp
    Filesize: 120KB

  • memory/2284-116-0x0000000004D00000-0x0000000004D10000-memory.dmp
    Filesize: 64KB

  • memory/2284-117-0x0000000005B30000-0x0000000005B96000-memory.dmp
    Filesize: 408KB

  • memory/2284-119-0x0000000005BA0000-0x0000000005C06000-memory.dmp
    Filesize: 408KB

  • memory/2724-118-0x0000000000400000-0x000000000046C000-memory.dmp
    Filesize: 432KB

  • memory/2724-150-0x0000000000400000-0x000000000046C000-memory.dmp
    Filesize: 432KB

  • memory/2724-99-0x0000000000400000-0x000000000046C000-memory.dmp
    Filesize: 432KB

  • memory/2724-96-0x0000000000400000-0x000000000046C000-memory.dmp
    Filesize: 432KB

  • memory/4508-86-0x0000000007540000-0x00000000075EC000-memory.dmp
    Filesize: 688KB

  • memory/4508-115-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
    Filesize: 64KB

  • memory/4508-82-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
    Filesize: 64KB

  • memory/4508-120-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/4508-83-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB

  • memory/4508-84-0x0000000006F80000-0x0000000006F88000-memory.dmp
    Filesize: 32KB

  • memory/4508-85-0x00000000070B0000-0x00000000070BC000-memory.dmp
    Filesize: 48KB

  • memory/4664-12-0x0000020E990F0000-0x0000020E990F1000-memory.dmp
    Filesize: 4KB

  • memory/4664-81-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-34-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-31-0x0000020E990F0000-0x0000020E990F1000-memory.dmp
    Filesize: 4KB

  • memory/4664-4-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-78-0x0000020E990F0000-0x0000020E990F1000-memory.dmp
    Filesize: 4KB

  • memory/4664-18-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-71-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-80-0x0000020E9ABF0000-0x0000020E9AC00000-memory.dmp
    Filesize: 64KB

  • memory/4664-66-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-77-0x0000020E990F0000-0x0000020E990F1000-memory.dmp
    Filesize: 4KB

  • memory/4664-75-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB

  • memory/4664-69-0x0000020E990F0000-0x0000020E990F1000-memory.dmp
    Filesize: 4KB

  • memory/4664-104-0x0000020E9A970000-0x0000020E9B970000-memory.dmp
    Filesize: 16.0MB