Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2024 01:54

General

  • Target

    0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

  • Size

    986KB

  • MD5

    cdcfa8aab8a4766ddb88df4635104d83

  • SHA1

    7ad43cc7224f694995e53325a581e659eabe2e16

  • SHA256

    0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8

  • SHA512

    9948e0571bfd8a167ad456a7aa4380b7f73f0bc77475b827bb20303a5fe1bce03670900e275cec573c88df51cd42a2060012bba623c7358640af8e1209210acb

  • SSDEEP

    24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk

Score
10/10

Malware Config

Extracted

Family

darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2620
    • C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
      "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
      2⤵
        PID:1696
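
The process tree above shows three behaviours a detection engineer would want to match on endpoint telemetry: PowerShell adding Defender exclusions (Add-MpPreference -ExclusionPath) for files in user-writable directories, schtasks /Create fed an XML file from %TEMP%, and the sample spawning a second copy of its own image path (the child PID 1696, alongside the SetThreadContext and WriteProcessMemory signatures on the parent). The following is an added example, not the sandbox's own rule logic: it runs three such rules over process-creation events constructed from the command lines listed in this report (plus one constructed benign control) and rolls the hits up to the parent process that drove them. The event shape, rule names and the "ppid": 1 placeholder for the top-level launcher are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events shaped after the process tree in this
# report (pid, parent pid, image path, command line). They are sample input
# for the rules below, not the sandbox's own telemetry; "ppid": 1 stands in
# for the unnamed launcher of the top-level process.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASK_NAME = r"Updates\UbaskbOLQNa"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp"
PROGFILES = r"C:\Program Files\Backup"

EVENTS = [
    {"pid": 836, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2872, "ppid": 836, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 2700, "ppid": 836, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{ROAMING}"'},
    {"pid": 2620, "ppid": 836, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'"{SCHTASKS}" /Create /TN "{TASK_NAME}" /XML "{TASK_XML}"'},
    {"pid": 1696, "ppid": 836, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    # Constructed benign control: an exclusion for a path ordinary users cannot write to.
    {"pid": 4100, "ppid": 1, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{PROGFILES}"'},
]

# Directories an unprivileged user can write to; an exclusion covering one of
# them lets a dropped file run without Defender scanning it.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\", re.I)
EXCLUSION = re.compile(r'add-mppreference\b.*?-exclusion(path|process|extension)\s+"?([^"]+)"?', re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.I)


def defender_exclusion(ev, by_pid):
    """Rule 1: Add-MpPreference adding an exclusion; notes whether the target is user-writable."""
    m = EXCLUSION.search(ev["cmdline"])
    if m is None:
        return None
    target = m.group(2).strip()
    return {"rule": "defender_exclusion", "pid": ev["pid"], "ppid": ev["ppid"],
            "kind": m.group(1).lower(), "target": target,
            "user_writable": bool(USER_WRITABLE.search(target))}


def schtasks_temp_xml(ev, by_pid):
    """Rule 2: schtasks /Create whose /XML definition lives under a Temp directory."""
    c = ev["cmdline"]
    if SCHTASKS_CREATE.search(c) is None:
        return None
    xml = re.search(r'/xml\s+"?([^"]+)"?', c, re.I)
    if xml is None or re.search(r"\\temp\\", xml.group(1), re.I) is None:
        return None
    tn = re.search(r'/tn\s+"?([^"]+)"?', c, re.I)
    return {"rule": "schtasks_temp_xml", "pid": ev["pid"], "ppid": ev["ppid"],
            "task": tn.group(1) if tn else None, "xml": xml.group(1)}


def same_image_child(ev, by_pid):
    """Rule 3: a process whose parent runs the very same image path (self-spawn)."""
    parent = by_pid.get(ev["ppid"])
    if parent is None or parent["image"].lower() != ev["image"].lower():
        return None
    return {"rule": "same_image_child", "pid": ev["pid"], "ppid": ev["ppid"], "image": ev["image"]}


RULES = (defender_exclusion, schtasks_temp_xml, same_image_child)


def analyze(events):
    """Return (findings, {parent pid: set of rule names fired by its children})."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit is not None:
                findings.append(hit)
    per_parent = defaultdict(set)
    for f in findings:
        per_parent[f["ppid"]].add(f["rule"])
    return findings, dict(per_parent)


def suspicious_parents(events, threshold=2):
    """Parents whose children fired at least `threshold` distinct rules."""
    _, per_parent = analyze(events)
    return sorted(pid for pid, rules in per_parent.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for finding in analyze(EVENTS)[0]:
        print(finding)
    print("suspicious parents:", suspicious_parents(EVENTS))
```

Rolling hits up to the parent is what separates this sample from noise: a lone Add-MpPreference from an administrator fires one rule under one parent, while PID 836 here accounts for all three rules at once. The same-image self-spawn rule is deliberately weak on its own (installers and updaters do it too) and only counts in combination.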

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp

      Filesize

      1KB

      MD5

      463cd327d3e513344550f47f1a84e4b0

      SHA1

      cab2121180c408fe2b13e0763f6eafad10fb8a4a

      SHA256

      985f73850f31683037816aa9b2bada09230a3231f1a427ccd695b02ab270dcdf

      SHA512

      cb6cdbd06cb8a204be1bc7835aa8b0d9aeca6697c349b4a30ed7978576a57813bd4ac7942fda873f5bde7c5772419a206833a5688cf89c41f9058d1ce847b707

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZUOG1V122SN6TSOV4LT.temp

      Filesize

      7KB

      MD5

      841c0b3daee71608da23fc8fe88267a0

      SHA1

      ea97983481b974d9f6b70f2349371d45fd4ac398

      SHA256

      7df348e2d08d8a1765a11715f993e6f0ff0b1d95dc096f89abe1c117febeebe4

      SHA512

      b28889bd979f36b54276f17774ce519145b5931dd9865c042e2cdc6848ac739b93e85128bceb4c9218868fbf39d05788749f286d17e2d1e579fe1d95e131d85a

    • memory/836-0-0x0000000000140000-0x000000000023C000-memory.dmp

      Filesize

      1008KB

    • memory/836-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

    • memory/836-2-0x00000000072D0000-0x0000000007310000-memory.dmp

      Filesize

      256KB

    • memory/836-3-0x0000000000560000-0x0000000000578000-memory.dmp

      Filesize

      96KB

    • memory/836-4-0x00000000004D0000-0x00000000004D8000-memory.dmp

      Filesize

      32KB

    • memory/836-5-0x0000000000580000-0x000000000058C000-memory.dmp

      Filesize

      48KB

    • memory/836-6-0x0000000007930000-0x00000000079D2000-memory.dmp

      Filesize

      648KB

    • memory/836-7-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

    • memory/836-8-0x00000000072D0000-0x0000000007310000-memory.dmp

      Filesize

      256KB

    • memory/836-32-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

    • memory/1696-23-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/1696-25-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/1696-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1696-29-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/1696-21-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/2700-35-0x0000000002130000-0x0000000002170000-memory.dmp

      Filesize

      256KB

    • memory/2700-37-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2700-38-0x0000000002130000-0x0000000002170000-memory.dmp

      Filesize

      256KB

    • memory/2700-31-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2700-39-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2872-34-0x00000000025D0000-0x0000000002610000-memory.dmp

      Filesize

      256KB

    • memory/2872-33-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2872-36-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2872-40-0x000000006F340000-0x000000006F8EB000-memory.dmp

      Filesize

      5.7MB
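
The memory entries above follow one naming scheme, memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and the Filesize printed under each is just end minus start (for example 0x23C000 - 0x140000 = 0xFC000 = 1008KB). The following is an added example, not part of the report: it parses those names, checks the listed sizes against the address ranges, de-duplicates ranges that were dumped several times, and asks which processes have a region starting at 0x400000. The input is a constructed subset of the entries listed above; the rounding rule in human_size is inferred from the listed values.

```python
import re
from collections import defaultdict

# Constructed subset of the memory/... entries listed in this report, paired with
# the Filesize the report prints for each; used as input to check the parser.
DUMPS = [
    ("memory/836-0-0x0000000000140000-0x000000000023C000-memory.dmp", "1008KB"),
    ("memory/836-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp", "6.9MB"),
    ("memory/836-6-0x0000000007930000-0x00000000079D2000-memory.dmp", "648KB"),
    ("memory/836-7-0x00000000744D0000-0x0000000074BBE000-memory.dmp", "6.9MB"),
    ("memory/1696-21-0x0000000000400000-0x0000000000463000-memory.dmp", "396KB"),
    ("memory/1696-23-0x0000000000400000-0x0000000000463000-memory.dmp", "396KB"),
    ("memory/1696-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2700-37-0x000000006F340000-0x000000006F8EB000-memory.dmp", "5.7MB"),
    ("memory/2872-34-0x00000000025D0000-0x0000000002610000-memory.dmp", "256KB"),
]

NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Round the way the report's Filesize lines do (assumed from the listed values):
    whole KB below 1 MiB, one decimal place in MB from 1 MiB up."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def verify_sizes(dumps):
    """(name, computed, listed) for every entry whose range disagrees with its Filesize."""
    mismatches = []
    for name, listed in dumps:
        computed = human_size(parse_dump(name)["size"])
        if computed != listed:
            mismatches.append((name, computed, listed))
    return mismatches


def regions_by_pid(dumps):
    """Unique (start, end) ranges per PID; the same range is dumped at several sequence points."""
    regions = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def pids_with_region_at(dumps, base):
    """PIDs that have a dumped region starting exactly at `base`."""
    return sorted(pid for pid, ranges in regions_by_pid(dumps).items()
                  if any(start == base for start, _ in ranges))


if __name__ == "__main__":
    print("size mismatches:", verify_sizes(DUMPS))
    for pid, ranges in regions_by_pid(DUMPS).items():
        for start, end in ranges:
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {human_size(end - start)}")
    print("regions at 0x400000:", pids_with_region_at(DUMPS, 0x400000))
```

The 0x400000 check is the reason to parse these names at all. It is the default image base of a 32-bit PE, and in this report only the child PID 1696 has a region there (396KB), while the parent PID 836 carries its own image at 0x140000 (1008KB) even though both processes run the same executable. A smaller module at the default base inside a self-spawned child, next to the SetThreadContext and WriteProcessMemory signatures on the parent, is the layout one expects from a hollowed process; that is a reading of the listed data, not something the report itself states, and confirming it would need the dumped region's PE header.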