Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20250207-en
- resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2025, 11:24

Static task: static1
- 2 signatures

Behavioral task: behavioral1
- Sample: 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
- Resource: win7-20250207-en
- 9 signatures
- 150 seconds
General
- Target: 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
- Size: 1.2MB
- MD5: a77f98389fc9db96f0e05c51a4810877
- SHA1: a0203ecaea3cef231365f09eda26bcb3514fe8eb
- SHA256: 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6
- SHA512: abc7c6bed24ac29bded04d3932d8f8f62c41b0554a061bbe0a4794f4376677be85ab43b2d19791f61ec10d66b5618e6c786c548204225280d5adf52568d063aa
- SSDEEP: 24576:iu6J33O0c+JY5UZ+XC0kGso6FaNggG4L/vAfDWY:Eu0c++OCvkGs9FaNggJ/vdY
Malware Config
Extracted
- Family: darkcloud
- Credentials:
  - Protocol: ftp
  - Host: @StrFtpServer
  - Port: 21
  - Username: @StrFtpUser
  - Password: @StrFtpPass
Signatures

Darkcloud family

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2188 set thread context of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1996 | svchost.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 2188 wrote to memory of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30
PID 2188 wrote to memory of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30
PID 2188 wrote to memory of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30
PID 2188 wrote to memory of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30
PID 2188 wrote to memory of 1996 | 2188 | 5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe | 30
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe"
    PID: 2188
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\svchost.exe (child of [1], PID 2188)
        Command line: "C:\Users\Admin\AppData\Local\Temp\5ec655a308e7c2dce76053b973c4777e261ce215a17e199870b5662250b6bde6.exe"
        PID: 1996
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx