Malware Analysis Report

2024-10-19 07:09

Sample ID: 240207-rlpmsaheb6
Target: 5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe
SHA256: 5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f
Tags: darkcloud stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f

Threat Level: Known bad

The file 5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Drops startup file

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-07 14:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-07 14:17
Reported: 2024-02-07 14:19
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe"

Signatures

DarkCloud

stealer darkcloud

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2956 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2956 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2956 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2956 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2956 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2956 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe

"C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

memory/2956-0-0x0000000001200000-0x00000000012B6000-memory.dmp
memory/2956-1-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2956-3-0x0000000000670000-0x0000000000712000-memory.dmp
memory/2956-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp
memory/2436-6-0x0000000070040000-0x00000000705EB000-memory.dmp
memory/2436-7-0x0000000002620000-0x0000000002660000-memory.dmp
memory/2436-8-0x0000000070040000-0x00000000705EB000-memory.dmp
memory/2436-10-0x0000000002620000-0x0000000002660000-memory.dmp
memory/2956-9-0x0000000000440000-0x0000000000448000-memory.dmp
memory/2580-11-0x0000000000080000-0x00000000000EE000-memory.dmp
memory/2580-13-0x0000000000080000-0x00000000000EE000-memory.dmp
memory/2580-15-0x0000000000080000-0x00000000000EE000-memory.dmp
memory/2580-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2580-20-0x0000000000080000-0x00000000000EE000-memory.dmp
memory/2956-22-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2436-24-0x0000000070040000-0x00000000705EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-07 14:17
Reported: 2024-02-07 14:19
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe"

Signatures

DarkCloud

stealer darkcloud

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4152 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4152 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 4152 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 4152 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4152 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe

"C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\5ecbfb33b1adf9c70b5f79f15f78b4672bb458c1bde52985e4dd7ba6c046465f.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

memory/4152-1-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/4152-0-0x0000000000880000-0x0000000000936000-memory.dmp
memory/4152-2-0x0000000005410000-0x0000000005420000-memory.dmp
memory/4152-3-0x00000000052B0000-0x0000000005352000-memory.dmp
memory/4152-4-0x00000000059D0000-0x0000000005F74000-memory.dmp
memory/4152-5-0x00000000054C0000-0x0000000005552000-memory.dmp
memory/4152-6-0x0000000005560000-0x00000000055FC000-memory.dmp
memory/1960-8-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/1960-7-0x0000000004C90000-0x0000000004CC6000-memory.dmp
memory/1960-9-0x0000000004DA0000-0x0000000004DB0000-memory.dmp
memory/1960-10-0x0000000004DA0000-0x0000000004DB0000-memory.dmp
memory/1960-11-0x00000000053E0000-0x0000000005A08000-memory.dmp
memory/1960-12-0x0000000005280000-0x00000000052A2000-memory.dmp
memory/1960-13-0x0000000005320000-0x0000000005386000-memory.dmp
memory/1960-14-0x0000000005A80000-0x0000000005AE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xv5ota3g.3cb.ps1
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1960-24-0x0000000005DE0000-0x0000000006134000-memory.dmp
memory/1960-25-0x00000000062C0000-0x00000000062DE000-memory.dmp
memory/4152-26-0x0000000005400000-0x0000000005408000-memory.dmp
memory/1960-29-0x00000000068B0000-0x00000000068FC000-memory.dmp
memory/4844-28-0x0000000000800000-0x000000000086E000-memory.dmp
memory/4152-30-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/1960-33-0x0000000006740000-0x000000000675A000-memory.dmp
memory/1960-34-0x0000000006790000-0x00000000067B2000-memory.dmp
memory/1960-32-0x00000000067D0000-0x0000000006866000-memory.dmp
memory/1960-38-0x0000000074640000-0x0000000074DF0000-memory.dmp