Analysis

  • max time kernel
    143s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 11:40

General

  • Target

    Details.exe

  • Size

    870KB

  • MD5

    e0ec839764ae56e62e9364e23041b3db

  • SHA1

    ae987318340ef295de371a02e9602138dae8402c

  • SHA256

    8ea6760f51cdc21cc0a0fb1ed6503eb018afd2074b2a0bde8a8b1b3cb07731e3

  • SHA512

    1e53321b77d55dd7a8dbebbf1c7a09da7875bd90c95e19e14f43cebfc089d929a947746148a8d88e7e92431445c88802eb3350f46f1520c152a8e44b08f8df32

  • SSDEEP

    24576:pg++eYJ0vd8uDrB+UocB1RfpePcsGOFh:C++eYKe8rHjDREPcsrF

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Darkcloud family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Details.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Details.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VPmLZviJwp.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VPmLZviJwp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC99.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\Details.exe
      "C:\Users\Admin\AppData\Local\Temp\Details.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDC99.tmp

    Filesize

    1KB

    MD5

    4b1f36f4225777d096076b92093df40a

    SHA1

    52bc2f8e3061b45639fed82d3fa48442e85eb341

    SHA256

    f1e64792e35cc04af4ca591b88aefa75bd26004fdb52f0c3259f1caa75f96d49

    SHA512

    8e7cdb8ebc632f71fcf1dba39e8f8937a750b83451c6a0e9d947cf449cdef4e5ad498c7c91003b4d8ed22a85f9b8b0d8ed80ddba6203e403f80e82ff0269ec96

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6512b821c470465a3446832aff60a9b9

    SHA1

    e8d318501e698c4f4dbf370a7fa8b0db4f26e0c2

    SHA256

    f7ba6bc903a43e2aec732c840ba85b83392eb1156bcb577a28a8e765788cdbea

    SHA512

    48689cb83af55136d396f986d042604b930cd0f88134a7420a99b6426af4d37ecf52921853d6cd3703ea28d641d703700bb2eb8ca5b110bbadbf0482d9501086

  • memory/1740-4-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

    Filesize

    4KB

  • memory/1740-32-0x0000000074DC0000-0x00000000754AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1740-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

    Filesize

    4KB

  • memory/1740-5-0x0000000074DC0000-0x00000000754AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1740-6-0x0000000004C80000-0x0000000004D3C000-memory.dmp

    Filesize

    752KB

  • memory/1740-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1740-1-0x0000000000B80000-0x0000000000C60000-memory.dmp

    Filesize

    896KB

  • memory/1740-3-0x00000000002B0000-0x00000000002C0000-memory.dmp

    Filesize

    64KB

  • memory/2804-19-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2804-28-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2804-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2804-29-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2804-21-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2804-23-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB