Analysis Overview
SHA256
0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562
Threat Level: Known bad
The file 0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Suspicious use of SetThreadContext
UPX packed file
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 02:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 02:58
Reported
2025-03-08 03:01
Platform
win10v2004-20250217-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3696 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe
"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC786.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3696-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/3696-1-0x0000000000CF0000-0x0000000000E04000-memory.dmp
memory/3696-2-0x0000000005D90000-0x0000000006334000-memory.dmp
memory/3696-3-0x0000000005880000-0x0000000005912000-memory.dmp
memory/3696-4-0x0000000005920000-0x00000000059BC000-memory.dmp
memory/3696-5-0x0000000005810000-0x000000000581A000-memory.dmp
memory/3696-6-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3696-7-0x0000000005AD0000-0x0000000005AE8000-memory.dmp
memory/3696-8-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/3696-9-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3696-10-0x0000000006B40000-0x0000000006BFC000-memory.dmp
memory/692-15-0x00000000048C0000-0x00000000048F6000-memory.dmp
memory/692-16-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/692-17-0x00000000050A0000-0x00000000056C8000-memory.dmp
memory/692-18-0x00000000749C0000-0x0000000075170000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC786.tmp
| MD5 | c4277bc6af354eb5cd5752d5a5aab232 |
| SHA1 | ba902aa94c6993574a11808ceafb8812a97e1084 |
| SHA256 | 84e2d998d6f20fa777ab059e4fcf71be8360bf7c2cf0c8e0724c7cccc60df342 |
| SHA512 | 7a0f2b0e6a1deb55857d4c5c423ff0ebac7e11b0b4cacf2e874e863b5165452fe9de6691509ed8d39c865e0f4f03bb47891f795fcfd994486d0995533524959e |
memory/692-20-0x0000000004ED0000-0x0000000004EF2000-memory.dmp
memory/3068-23-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/692-22-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/692-21-0x0000000004FF0000-0x0000000005056000-memory.dmp
memory/692-25-0x00000000058B0000-0x0000000005C04000-memory.dmp
memory/3068-24-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/692-26-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2936-28-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nribgnye.3g5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3068-41-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2936-27-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3696-59-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/692-60-0x0000000005E70000-0x0000000005E8E000-memory.dmp
memory/692-61-0x0000000005F00000-0x0000000005F4C000-memory.dmp
memory/3068-63-0x0000000075270000-0x00000000752BC000-memory.dmp
memory/3068-62-0x0000000007580000-0x00000000075B2000-memory.dmp
memory/3068-74-0x00000000075C0000-0x0000000007663000-memory.dmp
memory/692-75-0x0000000075270000-0x00000000752BC000-memory.dmp
memory/3068-73-0x0000000007540000-0x000000000755E000-memory.dmp
memory/692-85-0x0000000007800000-0x0000000007E7A000-memory.dmp
memory/3068-86-0x00000000078F0000-0x000000000790A000-memory.dmp
memory/692-87-0x0000000007220000-0x000000000722A000-memory.dmp
memory/3068-88-0x0000000007B70000-0x0000000007C06000-memory.dmp
memory/3068-89-0x0000000007AF0000-0x0000000007B01000-memory.dmp
memory/692-90-0x00000000073E0000-0x00000000073EE000-memory.dmp
memory/692-91-0x00000000073F0000-0x0000000007404000-memory.dmp
memory/692-92-0x00000000074F0000-0x000000000750A000-memory.dmp
memory/692-93-0x00000000074D0000-0x00000000074D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2b65c244b432ab544445d0668d541448 |
| SHA1 | d1c9c58c068f97d9e8579d92836ffe4440af6a7b |
| SHA256 | f82d9366afcc7c7694a92cef8d5f55d2b3ed93a7cd6a7d46bececd1db186e195 |
| SHA512 | 6990b41e36a85db1b555c6e450a943d191587e4c7aaeed3ede930d314a1e0cb524718477f680b449c8441b5d58a7e30736d0e2c3df4ebd246253beffd60813da |
memory/3068-99-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/692-100-0x00000000749C0000-0x0000000075170000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 02:58
Reported
2025-03-08 03:01
Platform
win7-20240903-en
Max time kernel
146s
Max time network
117s
Command Line
Signatures
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2676 set thread context of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe
"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD73C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
Files
memory/2676-0-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2676-1-0x0000000001210000-0x0000000001324000-memory.dmp
memory/2676-2-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2676-3-0x0000000000650000-0x0000000000668000-memory.dmp
memory/2676-4-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2676-5-0x0000000004F90000-0x000000000504C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 75e5e8bdd708f1bf74b668048d34a18e |
| SHA1 | 5737cdb87db7bd09a009ee964ca624ffcc749c7c |
| SHA256 | 89002baf87f257858b0ebc511fbc86542c680a4d9a12a294905444d72df0589e |
| SHA512 | 8978601947e2954768a580ecf38a0029fe362df1e65fe27a86b4ba3de872b3f6479d7694f726bd7fc161fadb4e3baa4c88adaa042aa2239cbb5cf2e9811c525c |
C:\Users\Admin\AppData\Local\Temp\tmpD73C.tmp
| MD5 | d4793250fbfb3579019e2cd4312d7c9e |
| SHA1 | a5cb4c074f41814ad9d4e9c4c9ca297622aff90c |
| SHA256 | d362f7f0a5cfb6d7e783439fed1e97270432b7afc9d8ff4ed47313b747a9a517 |
| SHA512 | 2d0bf3961efa484b3acb94b78f55fa98bd73f3819bf85854ee6961ca92bc092c4cd271d9b28c17a94ff24f80ed4bfc23fdcc27353a0ec8f1607fec1948f62288 |
memory/2216-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2216-27-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2216-28-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2216-23-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2216-20-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2216-19-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2676-31-0x0000000074080000-0x000000007476E000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZQABOPWE-Admin\vbsqlite3.dll
| MD5 | 073a17b6cfb1112c6c838b2fba06a657 |
| SHA1 | a54bb22489eaa8c52eb3e512aee522320530b0be |
| SHA256 | dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab |
| SHA512 | 5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e |
memory/2216-37-0x0000000074700000-0x0000000074769000-memory.dmp
memory/2216-40-0x0000000074700000-0x0000000074769000-memory.dmp