Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 05:16

General

  • Target

    MAR10.2025Order.pdf.exe

  • Size

    774KB

  • MD5

    c8da5cab3dd5285bcf8fbc5f77b1415a

  • SHA1

    9132caf4f0c3030f044839c722c55da44b892ffc

  • SHA256

    80742a25d1550dd0f7ccb299672a5d9de889f57c0e53e3e8eea0e50d6b7ae33b

  • SHA512

    292dc2ed09534add4f7c7057549c05007bf374a89dde107001adc3b943a4d7d3e3b5c90f8f09c46b311905c6a08120ed6b400df1cc56fcc4060ca860a733a7e0

  • SSDEEP

    24576:kRFBUYxQiLg5N2Gzjne3qYHKKdskZtBCbEs:kRFjxQiLScGvnEqWs8zCn

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.kashmirestore.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    c%P+6,(]YFvP

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Darkcloud family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sricWCFHDbf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sricWCFHDbf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\MAR10.2025Order.pdf.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp

    Filesize

    1KB

    MD5

    c89b829a611f76f7b7c0f1a06f845400

    SHA1

    72c0db5f8bef6bdf7ff228c90c8eafd3c032f691

    SHA256

    a3daca2007ce9a4a9b68e22ec96b454b1ae9367669578ea415eb34dbd5fcf707

    SHA512

    d1d4140a4867ed4a5e9ab585d743826417bf1ecaa2860f52bb634b5230a786db89ade0e190da35f144d471253d40306f2c2bb751936c65bf2f5dcda832ef6574

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    36b42ab18f3f5921b1e4e1214d3f5765

    SHA1

    61c681dab1b0c3e215a87c5a37f8b798888f0aa3

    SHA256

    07c1e7d7a754c2c328135ef1e58b26e06bcc90f50f0430d4e05c67b26e30e671

    SHA512

    e2dc4ca540e712efe2cb89ea8082425fd74335601284267ab99f09445544aad0f5dbde357f820be65d9cd988fd0d09293f82bd44ac344d80f816b22742b5c18e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CCJBVTGQ-Admin\vbsqlite3.dll

    Filesize

    161KB

    MD5

    073a17b6cfb1112c6c838b2fba06a657

    SHA1

    a54bb22489eaa8c52eb3e512aee522320530b0be

    SHA256

    dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab

    SHA512

    5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e

  • memory/2520-4-0x00000000740BE000-0x00000000740BF000-memory.dmp

    Filesize

    4KB

  • memory/2520-1-0x0000000000180000-0x0000000000246000-memory.dmp

    Filesize

    792KB

  • memory/2520-5-0x00000000740B0000-0x000000007479E000-memory.dmp

    Filesize

    6.9MB

  • memory/2520-6-0x0000000004880000-0x0000000004926000-memory.dmp

    Filesize

    664KB

  • memory/2520-3-0x00000000005B0000-0x00000000005C0000-memory.dmp

    Filesize

    64KB

  • memory/2520-2-0x00000000740B0000-0x000000007479E000-memory.dmp

    Filesize

    6.9MB

  • memory/2520-39-0x00000000740B0000-0x000000007479E000-memory.dmp

    Filesize

    6.9MB

  • memory/2520-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

    Filesize

    4KB

  • memory/2852-23-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2852-38-0x000000006C540000-0x000000006C5A9000-memory.dmp

    Filesize

    420KB

  • memory/2852-21-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2852-29-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2852-28-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2852-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2852-19-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB