darkcloud | a575d58e809a4cb5aeb5d3167b1b41dc368bcb5955fdbfe669d57c5dabdf7231

General

Target

Updated Invoice.exe
Size

1.1MB
MD5

b7bc4c4f8149505506175c9ead66d87d
SHA1

f0326e5707a601dc90742c7da3a246bc317c2f45
SHA256

b470dc1c20f29c65aa478ef119156d47c4b68e16c0a05f0ce8e215fe6deb360d
SHA512

522ea7e96f3fd2ea9e6c20cddb461d71cbd0cec6a15737b0ed2caf1031322551adf1d1b9d6ab0e19c76659895ebb4f33f747bc9b3670eb64ba453dbc74590df0
SSDEEP

24576:0P2+AZd5sn8hBVs4ePHlAUo9xXsTJhhr8ga1cepCfdj56khw9PpO9TfrzLW2JcM7:W2+MUcV5cHlAFa1/rx+089Pp4vW2Jck

Score

10^/10

darkcloud guloader discovery downloader spyware stealer

Malware Config

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
800	Updated Invoice.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
2	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vildttllinger.ini	Updated Invoice.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
6100	Updated Invoice.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
800	Updated Invoice.exe
6100	Updated Invoice.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Nonprofession\omdefinerer.bin	Updated Invoice.exe
File opened for modification	C:\Program Files (x86)\Common Files\repunctuated\Gruppetilhrsforholdene.ini	Updated Invoice.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\trstespiserne\feodum.lnk	Updated Invoice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updated Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updated Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2316	taskkill.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
800	Updated Invoice.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6100	Updated Invoice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6100	Updated Invoice.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 6100	800	Updated Invoice.exe	79
PID 800 wrote to memory of 6100	800	Updated Invoice.exe	79
PID 800 wrote to memory of 6100	800	Updated Invoice.exe	79
PID 800 wrote to memory of 6100	800	Updated Invoice.exe	79
PID 6100 wrote to memory of 2316	6100	Updated Invoice.exe	81
PID 6100 wrote to memory of 2316	6100	Updated Invoice.exe	81
PID 6100 wrote to memory of 2316	6100	Updated Invoice.exe	81

C:\Users\Admin\AppData\Local\Temp\Updated Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Updated Invoice.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\Updated Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Updated Invoice.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2316

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg95B9.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\LOAWFVFN-Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Windows\SysWOW64\vildttllinger.ini

Filesize
36B

MD5
dbb3cc6cadd24636b4360ed61f0edbd2

SHA1
b8fbdfe19241066a41cf6c5444ad5a47e4c20490

SHA256
c8f7aaf341963727e04401a1122952d42414b91408b1a32f404647a72a1366e3

SHA512
2e1c1ba836f9ca9b69e33073e88efd0ea58e0071f718542fbeead50167df191398e0a67c06d93fbdbafa2a67bfb587edf252c1928dbbd8e06f9df8a178239596

Download Submit
memory/800-351-0x00007FF9985C1000-0x00007FF9986EA000-memory.dmp

Filesize
1.2MB

Download
memory/800-352-0x00007FF9985C0000-0x00007FF9987C9000-memory.dmp

Filesize
2.0MB

Download
memory/6100-355-0x00007FF9985C0000-0x00007FF9987C9000-memory.dmp

Filesize
2.0MB

Download
memory/6100-406-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-364-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-365-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-366-0x0000000001720000-0x0000000005541000-memory.dmp

Filesize
62.1MB

Download
memory/6100-369-0x00007FF9985C0000-0x00007FF9987C9000-memory.dmp

Filesize
2.0MB

Download
memory/6100-385-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-353-0x0000000001720000-0x0000000005541000-memory.dmp

Filesize
62.1MB

Download
memory/6100-391-0x00007FF9985C0000-0x00007FF9987C9000-memory.dmp

Filesize
2.0MB

Download
memory/6100-404-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-405-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-354-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-407-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-408-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-409-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-410-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-411-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-412-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-413-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-414-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download
memory/6100-415-0x0000000000400000-0x0000000001717000-memory.dmp

Filesize
19.1MB

Download

Analysis

Sharing