Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2025, 05:16
Static task: static1
Behavioral task: behavioral1
Sample: MAR10.2025Order.pdf.exe
Resource: win7-20240903-en
General
Target: MAR10.2025Order.pdf.exe
Size: 774KB
MD5: c8da5cab3dd5285bcf8fbc5f77b1415a
SHA1: 9132caf4f0c3030f044839c722c55da44b892ffc
SHA256: 80742a25d1550dd0f7ccb299672a5d9de889f57c0e53e3e8eea0e50d6b7ae33b
SHA512: 292dc2ed09534add4f7c7057549c05007bf374a89dde107001adc3b943a4d7d3e3b5c90f8f09c46b311905c6a08120ed6b400df1cc56fcc4060ca860a733a7e0
SSDEEP: 24576:kRFBUYxQiLg5N2Gzjne3qYHKKdskZtBCbEs:kRFjxQiLScGvnEqWs8zCn
Malware Config
Extracted: darkcloud
Protocol: ftp
Host: ftp.kashmirestore.com
Port: 21
Username: [email protected]
Password: c%P+6,(]YFvP
Signatures

Darkcloud family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1912  powershell.exe
2892  powershell.exe

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource                                     yara_rule
behavioral1/files/0x0007000000016d5e-35.dat  acprotect

Loads dropped DLL (1 IoCs)
pid   Process
2852  MAR10.2025Order.pdf.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
description                            pid   Process                  procid_target
PID 2520 set thread context of 2852    2520  MAR10.2025Order.pdf.exe  37

resource                                                                       yara_rule
behavioral1/memory/2852-38-0x000000006C540000-0x000000006C5A9000-memory.dmp   upx
behavioral1/files/0x0007000000016d5e-35.dat                                    upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      MAR10.2025Order.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      MAR10.2025Order.pdf.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2904  schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process
2520  MAR10.2025Order.pdf.exe
2520  MAR10.2025Order.pdf.exe
2520  MAR10.2025Order.pdf.exe
2892  powershell.exe
1912  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2520  MAR10.2025Order.pdf.exe
Token: SeDebugPrivilege   2892  powershell.exe
Token: SeDebugPrivilege   1912  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2852  MAR10.2025Order.pdf.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                      pid   Process                  procid_target
PID 2520 wrote to memory of 1912  2520  MAR10.2025Order.pdf.exe  31
PID 2520 wrote to memory of 1912  2520  MAR10.2025Order.pdf.exe  31
PID 2520 wrote to memory of 1912  2520  MAR10.2025Order.pdf.exe  31
PID 2520 wrote to memory of 1912  2520  MAR10.2025Order.pdf.exe  31
PID 2520 wrote to memory of 2892  2520  MAR10.2025Order.pdf.exe  33
PID 2520 wrote to memory of 2892  2520  MAR10.2025Order.pdf.exe  33
PID 2520 wrote to memory of 2892  2520  MAR10.2025Order.pdf.exe  33
PID 2520 wrote to memory of 2892  2520  MAR10.2025Order.pdf.exe  33
PID 2520 wrote to memory of 2904  2520  MAR10.2025Order.pdf.exe  34
PID 2520 wrote to memory of 2904  2520  MAR10.2025Order.pdf.exe  34
PID 2520 wrote to memory of 2904  2520  MAR10.2025Order.pdf.exe  34
PID 2520 wrote to memory of 2904  2520  MAR10.2025Order.pdf.exe  34
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
PID 2520 wrote to memory of 2852  2520  MAR10.2025Order.pdf.exe  37
Processes

C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
  PID: 2520
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
    PID: 1912
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sricWCFHDbf.exe"
    PID: 2892
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sricWCFHDbf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp"
    PID: 2904
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
    PID: 2852
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

Filesize: 1KB
MD5: c89b829a611f76f7b7c0f1a06f845400
SHA1: 72c0db5f8bef6bdf7ff228c90c8eafd3c032f691
SHA256: a3daca2007ce9a4a9b68e22ec96b454b1ae9367669578ea415eb34dbd5fcf707
SHA512: d1d4140a4867ed4a5e9ab585d743826417bf1ecaa2860f52bb634b5230a786db89ade0e190da35f144d471253d40306f2c2bb751936c65bf2f5dcda832ef6574

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 36b42ab18f3f5921b1e4e1214d3f5765
SHA1: 61c681dab1b0c3e215a87c5a37f8b798888f0aa3
SHA256: 07c1e7d7a754c2c328135ef1e58b26e06bcc90f50f0430d4e05c67b26e30e671
SHA512: e2dc4ca540e712efe2cb89ea8082425fd74335601284267ab99f09445544aad0f5dbde357f820be65d9cd988fd0d09293f82bd44ac344d80f816b22742b5c18e

Filesize: 161KB
MD5: 073a17b6cfb1112c6c838b2fba06a657
SHA1: a54bb22489eaa8c52eb3e512aee522320530b0be
SHA256: dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab
SHA512: 5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e