darkcloud | 5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:27

Target

5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe
Size

932KB
MD5

883cf4255f882fe37f4920efede0c744
SHA1

3bf30fb4585f86f79f97fe54fb94d1cee10bd9ef
SHA256

5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7
SHA512

49dc64a6e572f48b42cb83373521a7ec9f0e3f04c2d3262d8e5f3db63217705b4219df219392b223f643039546a011ed006cebeae1eef199f1a127e82f8d5588
SSDEEP

24576:+2SWGLZmVcYR7YJ+5JfGA97nkp8V5j47wnJg:+2RXVcYdYaf7tCEiEnJg

Score

10^/10

darkcloud stealer

Family

darkcloud

https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage?chat_id=5302361040

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe
2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2200	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2528	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	31
PID 2576 wrote to memory of 2528	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	31
PID 2576 wrote to memory of 2528	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	31
PID 2576 wrote to memory of 2528	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	31
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32
PID 2576 wrote to memory of 2200	2576	5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe	32

C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe
"C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe
  "C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe"
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe
  "C:\Users\Admin\AppData\Local\Temp\5e7b9b88f18be7d07963c53f18b3bf473f5e05ff30817c10538214292ae846f7.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2200

memory/2200-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2200-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2200-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2200-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2200-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2200-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2576-3-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2576-6-0x0000000004D40000-0x0000000004DE8000-memory.dmp

Filesize
672KB

Download
memory/2576-5-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/2576-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2576-18-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2576-2-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-1-0x0000000000B20000-0x0000000000C0C000-memory.dmp

Filesize
944KB

Download