Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-02-2021 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe
  Resource: win10v20201028
General
- Target: 51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe
- Size: 300KB
- MD5: 1956f436a6ec9ec3696d8373d36a1228
- SHA1: 13fde0365047802c39c0d5a29f43075d18823acd
- SHA256: 51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344
- SHA512: c064d4d66757446e023fbfceb20f63c51398c41922fb85e64329b0c7f7fab2c4703a852e77dbf6903edb52f3b460f915e7c888037ebad68e80e1187347406120
Malware Config
Signatures
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
- DiamondFox payload (4 IoCs)
  Detects DiamondFox payload in file/memory.
  Processes:
    resource                                                    yara_rule
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2992-12-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
    behavioral2/memory/2992-13-0x00000000004466F4-mapping.dmp                    WebBrowserPassView
    behavioral2/memory/2992-15-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
- Nirsoft (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2992-12-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
    behavioral2/memory/2992-13-0x00000000004466F4-mapping.dmp                    Nirsoft
    behavioral2/memory/2992-15-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3948  MicrosoftEdgeCPS.exe
    2992  MicrosoftEdgeCPS.exe
    1760  MicrosoftEdgeCPS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process               target process
    PID 3948 set thread context of 2992  3948  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
    PID 3948 set thread context of 1760  3948  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    3948  MicrosoftEdgeCPS.exe
    3948  MicrosoftEdgeCPS.exe
    2992  MicrosoftEdgeCPS.exe
    2992  MicrosoftEdgeCPS.exe
    2992  MicrosoftEdgeCPS.exe
    2992  MicrosoftEdgeCPS.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process; 64 entries in total):
    pid 1276, wmic.exe, the following 21-token sequence recorded twice (42 entries):
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35, 36
    pid 3176, wmic.exe (22 entries):
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35, 36, SeIncreaseQuotaPrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1760  MicrosoftEdgeCPS.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (description / pid / process / target process; identical entries grouped with their count):
    PID 576 wrote to memory of 3948   576   51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe  MicrosoftEdgeCPS.exe  (3 entries)
    PID 3948 wrote to memory of 1276  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 3176  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 2872  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 3820  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 3960  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 3676  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 3896  3948  MicrosoftEdgeCPS.exe  wmic.exe              (3 entries)
    PID 3948 wrote to memory of 2992  3948  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe  (9 entries)
    PID 3948 wrote to memory of 1760  3948  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe  (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    Command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" os get caption /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" path win32_VideoController get caption /FORMAT:List
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" path win32_PingStatus where address='outarcubleauded.xyz' get StatusCode /FORMAT:List
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: "wmic" path win32_PingStatus where address='outarcubleauded.xyz' get ResponseTime /FORMAT:List
    - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      Command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      Command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\EdgeCP\1.log
  MD5: c899085ae52e1212260bd31f38dd7cad
  SHA1: 482ebdfa75ac934e022670beea5258f08863abcb
  SHA256: 20c8330e6a19bd31b379f102f9ede1fd315fc763dd1d805b310ade04860d69cf
  SHA512: 3139ffb0e6c9ac312dd38aed58953b5249c8374529972553353e40bef982376b71f7a3551abd860f17443708d032c03feb2795860510a33df3abd35aebda155e
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  MD5: 1956f436a6ec9ec3696d8373d36a1228
  SHA1: 13fde0365047802c39c0d5a29f43075d18823acd
  SHA256: 51c2ff5ec011508a2071d7a4272d4391080143fedc2166474d51913753eb8344
  SHA512: c064d4d66757446e023fbfceb20f63c51398c41922fb85e64329b0c7f7fab2c4703a852e77dbf6903edb52f3b460f915e7c888037ebad68e80e1187347406120
- memory/1276-5-0x0000000000000000-mapping.dmp
- memory/1760-22-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/1760-18-0x0000000000401074-mapping.dmp
- memory/1760-17-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/2872-7-0x0000000000000000-mapping.dmp
- memory/2992-15-0x0000000000400000-0x000000000047C000-memory.dmp
  Filesize: 496KB
- memory/2992-12-0x0000000000400000-0x000000000047C000-memory.dmp
  Filesize: 496KB
- memory/2992-13-0x00000000004466F4-mapping.dmp
- memory/3176-6-0x0000000000000000-mapping.dmp
- memory/3676-10-0x0000000000000000-mapping.dmp
- memory/3820-8-0x0000000000000000-mapping.dmp
- memory/3896-11-0x0000000000000000-mapping.dmp
- memory/3948-2-0x0000000000000000-mapping.dmp
- memory/3960-9-0x0000000000000000-mapping.dmp