Analysis Overview
SHA256
0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562
Threat Level: Known bad
The file 0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Uses the VBS compiler for execution
Loads dropped DLL
Suspicious use of SetThreadContext
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 03:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 03:03
Reported
2025-03-08 03:06
Platform
win7-20240903-en
Max time kernel
147s
Max time network
120s
Command Line
Signatures
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2728 set thread context of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe
"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
Files
memory/2728-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp
memory/2728-1-0x0000000000B60000-0x0000000000C74000-memory.dmp
memory/2728-2-0x0000000073F40000-0x000000007462E000-memory.dmp
memory/2728-3-0x00000000009F0000-0x0000000000A08000-memory.dmp
memory/2728-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp
memory/2728-5-0x0000000073F40000-0x000000007462E000-memory.dmp
memory/2728-6-0x00000000050D0000-0x000000000518C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp
| MD5 | ef2db92ffccccf25738faa62593660ca |
| SHA1 | 2e3dd24727cea40561fb6953b1ab788ce54c31dd |
| SHA256 | ef0a5abfc9ccc5337a27ff4c7b956ea208c67ca4756aacf66ee1539cfd0e84e8 |
| SHA512 | 32e106c4125b27d2e842d05f76a54e8539ecc687174616fdd7b812ab435492517f09d07a94d25179b6bb42e6226cca72dc6b27eebc3b3262edf4d673be4e62a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YWONGKUF7TVBF90B037D.temp
| MD5 | 2c9f66a16cfecdd58a1a3c7a20d1e3f8 |
| SHA1 | dc50c40b075fc2afc1750f4a0fa886667fecd52e |
| SHA256 | 28c5115c68cc863a81f62a0a6ef5d6f408d1a335f1e205be7f4269350a6d78d0 |
| SHA512 | 2b658b156e319bfc1ca6e5ba58282d7ee1a65f7eae4aeafcfe8e0ca84312febf82e77d87813ff63d18d5fbdd7c9a09a355b7172c745c5f7b4d22a4bb255b7bcf |
memory/800-19-0x0000000000400000-0x0000000000471000-memory.dmp
memory/800-28-0x0000000000400000-0x0000000000471000-memory.dmp
memory/800-29-0x0000000000400000-0x0000000000471000-memory.dmp
memory/800-23-0x0000000000400000-0x0000000000471000-memory.dmp
memory/800-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/800-21-0x0000000000400000-0x0000000000471000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\XPAJOTIY-Admin\vbsqlite3.dll
| MD5 | 073a17b6cfb1112c6c838b2fba06a657 |
| SHA1 | a54bb22489eaa8c52eb3e512aee522320530b0be |
| SHA256 | dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab |
| SHA512 | 5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e |
memory/800-38-0x000000006C400000-0x000000006C469000-memory.dmp
memory/2728-39-0x0000000073F40000-0x000000007462E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 03:03
Reported
2025-03-08 03:06
Platform
win10v2004-20250217-en
Max time kernel
95s
Max time network
140s
Command Line
Signatures
DarkCloud
Darkcloud family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5000 set thread context of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe
"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/5000-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp
memory/5000-1-0x0000000000A90000-0x0000000000BA4000-memory.dmp
memory/5000-2-0x00000000059A0000-0x0000000005F44000-memory.dmp
memory/5000-3-0x0000000005490000-0x0000000005522000-memory.dmp
memory/5000-4-0x0000000005530000-0x00000000055CC000-memory.dmp
memory/5000-5-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/5000-6-0x0000000005480000-0x000000000548A000-memory.dmp
memory/5000-7-0x0000000005940000-0x0000000005958000-memory.dmp
memory/5000-8-0x0000000074D7E000-0x0000000074D7F000-memory.dmp
memory/5000-9-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/5000-10-0x0000000006880000-0x000000000693C000-memory.dmp
memory/940-15-0x0000000002900000-0x0000000002936000-memory.dmp
memory/940-17-0x00000000054E0000-0x0000000005B08000-memory.dmp
memory/940-16-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/940-18-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/940-19-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/3252-21-0x0000000074D70000-0x0000000075520000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp
| MD5 | 703d97d13527f76dc42e5eb14b8e39c0 |
| SHA1 | cf9f85cb941a72806194c0c1b1f676eb567d8abd |
| SHA256 | 23ea2cf01ee9891cd0884b957cfe35876cd26eec6a267692e5ff3e2fd379a139 |
| SHA512 | 4b279ca54cc7c5a2f67f8675a0c5cfd7607ef92c09575d56c9774d42ea06141d5c4ef6cb24e6059bdaf8bd6fa79b375d22ae0e37612d69944616586597237054 |
memory/3252-22-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/1180-25-0x0000000000400000-0x0000000000471000-memory.dmp
memory/940-27-0x00000000053F0000-0x0000000005456000-memory.dmp
memory/3252-29-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/940-26-0x0000000005250000-0x0000000005272000-memory.dmp
memory/940-28-0x0000000005460000-0x00000000054C6000-memory.dmp
memory/1180-23-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1180-38-0x0000000000400000-0x0000000000471000-memory.dmp
memory/940-37-0x0000000005C10000-0x0000000005F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvj5iumo.ymv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5000-43-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/3252-62-0x0000000006470000-0x000000000648E000-memory.dmp
memory/3252-63-0x0000000006500000-0x000000000654C000-memory.dmp
memory/3252-65-0x0000000075600000-0x000000007564C000-memory.dmp
memory/940-77-0x0000000075600000-0x000000007564C000-memory.dmp
memory/3252-76-0x0000000007630000-0x00000000076D3000-memory.dmp
memory/3252-75-0x00000000073D0000-0x00000000073EE000-memory.dmp
memory/3252-64-0x00000000073F0000-0x0000000007422000-memory.dmp
memory/3252-87-0x0000000007DD0000-0x000000000844A000-memory.dmp
memory/3252-88-0x0000000007790000-0x00000000077AA000-memory.dmp
memory/3252-89-0x0000000007800000-0x000000000780A000-memory.dmp
memory/3252-90-0x0000000007A10000-0x0000000007AA6000-memory.dmp
memory/3252-91-0x0000000007990000-0x00000000079A1000-memory.dmp
memory/940-92-0x0000000007770000-0x000000000777E000-memory.dmp
memory/940-93-0x0000000007780000-0x0000000007794000-memory.dmp
memory/3252-94-0x0000000007AD0000-0x0000000007AEA000-memory.dmp
memory/940-95-0x0000000007860000-0x0000000007868000-memory.dmp
memory/940-98-0x0000000074D70000-0x0000000075520000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3252-102-0x0000000074D70000-0x0000000075520000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f5807b55a31e9893f9c8da883a7c608e |
| SHA1 | 1121e037833fd80515a232f424677b186fbe4eef |
| SHA256 | c75ab72e3dbb9e3ae93c1f8151607554c195edc178165c8e96f0e674c6aba02b |
| SHA512 | 93d7685c85679793555aaabe2166de5e61b5ab38e2ef579325c7ee6876d86f41e2d01aeb64260643655d0ae1a9fad507ea78bac96cb0cd04bfcdc81d02700ded |
memory/1180-103-0x0000000000400000-0x0000000000471000-memory.dmp