Analysis

Max time kernel: 143s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 07/03/2025, 11:40
Static task: static1
Behavioral task: behavioral1
Sample: Details.exe
Resource: win7-20241010-en
General

Target: Details.exe
Size: 870KB
MD5: e0ec839764ae56e62e9364e23041b3db
SHA1: ae987318340ef295de371a02e9602138dae8402c
SHA256: 8ea6760f51cdc21cc0a0fb1ed6503eb018afd2074b2a0bde8a8b1b3cb07731e3
SHA512: 1e53321b77d55dd7a8dbebbf1c7a09da7875bd90c95e19e14f43cebfc089d929a947746148a8d88e7e92431445c88802eb3350f46f1520c152a8e44b08f8df32
SSDEEP: 24576:pg++eYJ0vd8uDrB+UocB1RfpePcsGOFh:C++eYKe8rHjDREPcsrF

Malware Config

Extracted family: darkcloud
C2 (Telegram Bot API): https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666
Signatures

Darkcloud family

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
- PID 2004 powershell.exe
- PID 3068 powershell.exe
On a live host the resulting state is visible with Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension and in the Microsoft-Windows-Windows Defender/Operational log as event 5007 (configuration changed). Note that the Defender PowerShell module is not part of Windows 7, so on this Windows 7 guest the cmdlet would not have been found; the same commands on Windows 10 or 11 add the paths to the exclusion list.

Suspicious use of SetThreadContext (1 IoC)
- PID 1740 (Details.exe) set the thread context of PID 2804 (procid_target 36)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Details.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Details.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
Three of the five hits come from powershell.exe and schtasks.exe; this key is read by many ordinary processes during locale initialisation, so the signature carries little weight on its own.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2932 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3068 powershell.exe
- PID 2004 powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2804 Details.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3068 powershell.exe
- Token: SeDebugPrivilege, PID 2004 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2804 Details.exe

Suspicious use of WriteProcessMemory (21 IoCs)
All 21 events originate from PID 1740 (Details.exe):
- wrote to memory of PID 2004 (procid_target 30): 4 events
- wrote to memory of PID 3068 (procid_target 32): 4 events
- wrote to memory of PID 2932 (procid_target 33): 4 events
- wrote to memory of PID 2804 (procid_target 36): 9 events
Processes

C:\Users\Admin\AppData\Local\Temp\Details.exe (PID 1740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Details.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2004, parent 1740)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Details.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3068, parent 1740)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VPmLZviJwp.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2932, parent 1740)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VPmLZviJwp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC99.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\Details.exe (PID 2804, parent 1740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Details.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

Reading the tree: the command lines name System32, but the images that actually ran are under SysWOW64, so the sample is a 32-bit process on the x64 guest and WOW64 file-system redirection resolved those paths. The two exclusions whitelist the sample's current location and C:\Users\Admin\AppData\Roaming\VPmLZviJwp.exe, and the scheduled task Updates\VPmLZviJwp is created from a task XML in Temp; together these show the intended persistence path, although no file at the Roaming path appears under Downloads in this run. The second Details.exe (PID 2804) is the process that PID 1740 wrote into and whose thread context it set (see Signatures), the usual shape of process hollowing or injection into a freshly launched copy of itself, and it is the instance that shows the window-hook and foreground-window polling activity.
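The PowerShell exclusion, the schtasks task created from a Temp XML and the same-image child that PID 1740 writes into (Signatures and Processes sections above), plus the Telegram C2 from Malware Config, are the concrete things to hunt for. The following Python is an added example and is not part of the sandbox output or of the DarkCloud sample: it replays the report's process tree as a constructed event list (a Sysmon-style pid/ppid/image/command-line layout is assumed) and runs three triage rules over it, then splits the C2 URL into the bot token and chat id. The event structure, rule names and helper functions are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation log mirroring the process tree of this report:
# pid, parent pid, image path and command line are taken from the report; the
# root process's parent pid is not shown there and is left as None.
@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmd: str

PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Details.exe"

EVENTS = [
    ProcEvent(1740, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2004, 1740, PS_IMAGE, PS_CMD + f'"{SAMPLE}"'),
    ProcEvent(3068, 1740, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\VPmLZviJwp.exe"'),
    ProcEvent(2932, 1740, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VPmLZviJwp" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpDC99.tmp"'),
    ProcEvent(2804, 1740, SAMPLE, f'"{SAMPLE}"'),
]

# C2 URL copied from the Malware Config section of this report.
C2_URL = ("https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs"
          "/sendMessage?chat_id=6732456666")

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Either a quoted argument (group 1) or a bare token (group 2).
EXCLUSION = re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.I)
TELEGRAM = re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/sendMessage\?chat_id=(-?\d+)")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _arg(m: "re.Match") -> str:
    return m.group(1) or m.group(2)

def rule_defender_exclusion(ev: ProcEvent):
    """PowerShell adding a Defender exclusion for something under a user profile."""
    if _basename(ev.image) != "powershell.exe":
        return None
    m = EXCLUSION.search(ev.cmd)
    if m and USER_PROFILE.search(_arg(m)):
        return ("defender_exclusion_user_profile", ev.pid, _arg(m))
    return None

def rule_schtasks_xml_from_temp(ev: ProcEvent):
    """schtasks /Create fed a task definition XML from a Temp directory."""
    if _basename(ev.image) != "schtasks.exe":
        return None
    m = SCHTASKS_XML.search(ev.cmd)
    if m and re.search(r"\\Temp\\", _arg(m), re.I):
        return ("schtasks_xml_from_temp", ev.pid, _arg(m))
    return None

def rule_self_spawned_copy(events):
    """A process launching a second instance of its own image. Together with the
    WriteProcessMemory/SetThreadContext events in the report this is the
    injection/hollowing shape, not a normal parent/child relationship."""
    by_pid = {e.pid: e for e in events}
    return [("self_spawned_copy", e.pid, f"parent {e.ppid}")
            for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]

def telegram_ioc(url: str):
    """Split a Telegram Bot API URL into the bot token and chat id to hunt or block."""
    m = TELEGRAM.fullmatch(url)
    return {"bot_token": m.group(1), "chat_id": m.group(2)} if m else None

def triage(events):
    """Run every rule over the log and return sorted (rule, pid, detail) findings."""
    findings = []
    for ev in events:
        for rule in (rule_defender_exclusion, rule_schtasks_xml_from_temp):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(rule_self_spawned_copy(events))
    return sorted(findings)

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
    print(telegram_ioc(C2_URL))
```

In production the same rules run over Sysmon event 1 or Security event 4688 (the latter only carries the command line when "Include command line in process creation events" is enabled); the self-spawned-copy rule is deliberately broad and is meant to be correlated with injection telemetry such as the SetThreadContext and WriteProcessMemory events this report records, not used alone.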
Network
MITRE ATT&CK Enterprise v15
Downloads

File (path not shown in report)
  Filesize: 1KB
  MD5: 4b1f36f4225777d096076b92093df40a
  SHA1: 52bc2f8e3061b45639fed82d3fa48442e85eb341
  SHA256: f1e64792e35cc04af4ca591b88aefa75bd26004fdb52f0c3259f1caa75f96d49
  SHA512: 8e7cdb8ebc632f71fcf1dba39e8f8937a750b83451c6a0e9d947cf449cdef4e5ad498c7c91003b4d8ed22a85f9b8b0d8ed80ddba6203e403f80e82ff0269ec96

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 6512b821c470465a3446832aff60a9b9
  SHA1: e8d318501e698c4f4dbf370a7fa8b0db4f26e0c2
  SHA256: f7ba6bc903a43e2aec732c840ba85b83392eb1156bcb577a28a8e765788cdbea
  SHA512: 48689cb83af55136d396f986d042604b930cd0f88134a7420a99b6426af4d37ecf52921853d6cd3703ea28d641d703700bb2eb8ca5b110bbadbf0482d9501086