Analysis
-
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 13-02-2021 12:01

Static task: static1
Behavioral task: behavioral1
  Sample: bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe
  Resource: win10v20201028
General
-
Target: bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe
Size: 1.5MB
MD5: e62a12e02d56fac5aa469ddb8973fa19
SHA1: 190a33491b72b52f97d424a8a5e4c2193f5d71db
SHA256: bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943
SHA512: c89e53557e283ede3927988a1a045781fc908219f8ef46b45d11f954199b87ff2eb7d4a362d1568bf23af03b914158fa47a92208c49dca70c7d14e2854c07b12
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 1 IoCs
Detects DiamondFox payload in file/memory.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/1628-3-0x0000000000400000-0x0000000002652000-memory.dmp   diamondfox
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3980-16-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3980-17-0x00000000004466F4-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/3980-19-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
-
Nirsoft 3 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3980-16-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
  behavioral2/memory/3980-17-0x00000000004466F4-mapping.dmp                    Nirsoft
  behavioral2/memory/3980-19-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  776   MicrosoftEdgeCPS.exe
  3980  MicrosoftEdgeCPS.exe
  1224  MicrosoftEdgeCPS.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text calls this likely ransomware behaviour; in this trace the visible drive enumeration is the wmic Win32_LogicalDisk query restricted to DriveType=4, which is WMI's value for network drives, and it sits among the other wmic host-profiling queries (AV product, OS, GPU, IP address). For an infostealer sample that reads as reconnaissance, so the ransomware hint should not be taken at face value.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                            pid   process               target process
  PID 776 set thread context of 3980     776   MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 776 set thread context of 1224     776   MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid   process               hits
  776   MicrosoftEdgeCPS.exe  2
  3980  MicrosoftEdgeCPS.exe  4
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid   process   privileges enabled (Token:)
  208   wmic.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 is recorded twice: 42 entries)
  1332  wmic.exe  the same 21 privileges in the same order, then SeIncreaseQuotaPrivilege once more (22 entries; the listing stops at the 64-IoC cap)
The unnamed LUIDs 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. wmic.exe enables all privileges available to its token when it starts, so these entries describe the WMI client, not token manipulation by the malware; the useful signal is which process launched wmic, which per the WriteProcessMemory table is PID 776, the dropped MicrosoftEdgeCPS.exe.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  1224  MicrosoftEdgeCPS.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
  source pid  source process                                                         target pid  target process        writes
  1628        bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe   776         MicrosoftEdgeCPS.exe  3
  776         MicrosoftEdgeCPS.exe                                                   208         wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   1332        wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   2100        wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   2628        wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   780         wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   2080        wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   4052        wmic.exe              3
  776         MicrosoftEdgeCPS.exe                                                   3980        MicrosoftEdgeCPS.exe  9
  776         MicrosoftEdgeCPS.exe                                                   1224        MicrosoftEdgeCPS.exe  8
Every ordinary process creation in this trace produces exactly three writes (the seven wmic.exe children and the first MicrosoftEdgeCPS.exe), so three is the baseline. PIDs 3980 and 1224 receive nine and eight writes, are the two targets of SetThreadContext by PID 776 above, and run the parent's own image. That combination is consistent with process hollowing: the parent starts a copy of itself, rewrites the child's memory and sets a thread context so execution continues in the injected code. The WebBrowserPassView yara hits on PID 3980's 0x400000-0x47C000 region (496KB, see the memory dumps below) are what ended up inside that child.
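The per-pair reading above (writes counted against a baseline, plus SetThreadContext on the same target) can be mechanised over the report's own record wording. The following is an added example, not Triage/Hatching code or anything from the sample: the record text is constructed from the report's counts (three writes per ordinary child, nine to PID 3980, eight to PID 1224, one SetThreadContext for each of those two), and the rule "baseline = fewest writes seen on a pair that never had SetThreadContext" is an assumption about this trace, not a general law.

```python
"""Process-hollowing heuristic over WriteProcessMemory / SetThreadContext
records in the report's own wording.

Added example, not part of the report or of any sandbox vendor's code.
CONSTRUCTED_RECORDS mirrors the report's per-pair counts; the baseline
rule in hollowing_candidates() is an assumption about this trace.
"""
import re

SAMPLE_EXE = "bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe"
DROPPED = "MicrosoftEdgeCPS.exe"

# One record per line:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def _rec(op, src, dst, src_image, dst_image, n=1):
    return [f"PID {src} {op} {dst} {src} {src_image} {dst_image}"] * n


# Constructed from the report's counts (not a verbatim copy of its tables).
CONSTRUCTED_RECORDS = "\n".join(
    _rec("wrote to memory of", 1628, 776, SAMPLE_EXE, DROPPED, 3)
    + _rec("wrote to memory of", 776, 208, DROPPED, "wmic.exe", 3)
    + _rec("wrote to memory of", 776, 1332, DROPPED, "wmic.exe", 3)
    + _rec("set thread context of", 776, 3980, DROPPED, DROPPED)
    + _rec("wrote to memory of", 776, 3980, DROPPED, DROPPED, 9)
    + _rec("set thread context of", 776, 1224, DROPPED, DROPPED)
    + _rec("wrote to memory of", 776, 1224, DROPPED, DROPPED, 8)
)


def parse_records(text):
    """Aggregate records per (source pid, target pid)."""
    pairs = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # headings or garbled lines are skipped, not fatal
        key = (int(m["src"]), int(m["dst"]))
        p = pairs.setdefault(key, {
            "writes": 0, "set_ctx": False,
            "src_image": m["src_image"], "dst_image": m["dst_image"],
        })
        if m["op"].startswith("wrote"):
            p["writes"] += 1
        else:
            p["set_ctx"] = True
    return pairs


def hollowing_candidates(pairs, baseline_writes=None):
    """Pairs where the source replaced a thread context in the target AND
    wrote to it more often than plain process creation does.

    baseline_writes defaults to the smallest write count among pairs that
    never saw SetThreadContext (the CreateProcess-only children)."""
    if baseline_writes is None:
        plain = [p["writes"] for p in pairs.values() if not p["set_ctx"]]
        baseline_writes = min(plain) if plain else 0
    found = []
    for (src, dst), p in pairs.items():
        if p["set_ctx"] and p["writes"] > baseline_writes:
            found.append({
                "src": src, "dst": dst, "writes": p["writes"],
                "target_image": p["dst_image"],
                "same_image": p["src_image"] == p["dst_image"],
            })
    return sorted(found, key=lambda f: f["dst"])


if __name__ == "__main__":
    pairs = parse_records(CONSTRUCTED_RECORDS)
    for (src, dst), p in sorted(pairs.items()):
        print(f"{src} -> {dst}: writes={p['writes']} set_ctx={p['set_ctx']}")
    for f in hollowing_candidates(pairs):
        print("hollowing candidate:", f)
```

Run stand-alone it prints the five pairs and flags 776 -> 1224 and 776 -> 3980; the seven wmic children and the 1628 -> 776 launch stay below the baseline and are not reported. The same_image field is what separates "spawned a copy of myself and hollowed it" from injection into a foreign process.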
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe"
    - Suspicious use of WriteProcessMemory
    |
    +-- [2] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" os get caption /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_VideoController get caption /FORMAT:List
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='outarcubleauded.xyz' get StatusCode /FORMAT:List
        |
        +-- [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='outarcubleauded.xyz' get ResponseTime /FORMAT:List
        |
        +-- [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        |
        +-- [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
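The tree is a compact host-profiling chain: one parent running from %APPDATA% fans out into wmic queries for the installed AV product, OS caption, GPU, IP address and network drives, pings a domain, then launches copies of itself with NirSoft's /scomma save switch. A detection that keys on the chain rather than on any single wmic invocation avoids alerting on an administrator's lone "wmic os get caption". The following is an added example, not part of the report or of any vendor's detection content: EVENTS is constructed in a Sysmon-style (pid, ppid, image, cmdline) shape from the command lines above; pairing each wmic command with a PID follows the order of the WriteProcessMemory targets in the report and is an assumption, as are the category names, the min_categories threshold and the benign control entry (pid 5001 under a powershell.exe parent). The sibling NirSoft switches /stext, /stab, /shtml and /sxml are included from those tools' documented save options.

```python
"""Detect the wmic host-profiling chain shown in the process tree.

Added example, not part of the report or of any vendor's detection content.
EVENTS is constructed from the tree's command lines; PID-to-command pairing,
category names, the threshold and the benign control are assumptions.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
LOGDIR = r"C:\Users\Admin\AppData\Roaming\EdgeCP"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed process-creation events (Sysmon-style), not a sandbox export.
EVENTS = [
    ev(1628, 1000, SAMPLE, f'"{SAMPLE}"'),
    ev(776, 1628, DROPPED, f'"{DROPPED}"'),
    ev(208, 776, WMIC, r'"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List'),
    ev(1332, 776, WMIC, '"wmic" os get caption /FORMAT:List'),
    ev(2100, 776, WMIC, '"wmic" path win32_VideoController get caption /FORMAT:List'),
    ev(2628, 776, WMIC, '"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List'),
    ev(780, 776, WMIC, '"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List'),
    ev(2080, 776, WMIC, "\"wmic\" path win32_PingStatus where address='outarcubleauded.xyz' get StatusCode /FORMAT:List"),
    ev(4052, 776, WMIC, "\"wmic\" path win32_PingStatus where address='outarcubleauded.xyz' get ResponseTime /FORMAT:List"),
    ev(3980, 776, DROPPED, f'/scomma "{LOGDIR}\\1.log"'),
    ev(1224, 776, DROPPED, f'/scomma "{LOGDIR}\\4.log"'),
    # Benign control (assumed): an admin shell issuing a single OS query.
    ev(5000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ev(5001, 5000, WMIC, '"wmic" os get caption /FORMAT:List'),
]

# One category per query seen in the tree; ping_status also captures the host.
CATEGORIES = {
    "av_product": re.compile(r"SecurityCenter2.*AntiVirusProduct", re.I),
    "os_caption": re.compile(r"\bos\s+get\s+caption\b", re.I),
    "gpu": re.compile(r"win32_VideoController", re.I),
    "ip_config": re.compile(r"win32_NetworkAdapterConfiguration", re.I),
    "network_drives": re.compile(r"LogicalDisk\s+Where\s+DriveType\s*=\s*4", re.I),
    "ping_status": re.compile(r"win32_PingStatus\s+where\s+address\s*=\s*'([^']+)'", re.I),
}
# NirSoft "save report" switches; /scomma is the one used in this tree.
NIRSOFT_SAVE = re.compile(r"(?:^|\s)/s(?:comma|text|tab|html|xml)\b", re.I)


def profile_parents(events):
    """Per parent PID: recon categories covered by its wmic children, hosts
    those children pinged, and children started with a NirSoft save switch."""
    by_parent = {}
    for e in events:
        p = by_parent.setdefault(e["ppid"], {"categories": set(), "ping_targets": [], "nirsoft_children": []})
        if e["image"].lower().endswith("\\wmic.exe"):
            for name, rx in CATEGORIES.items():
                m = rx.search(e["cmdline"])
                if not m:
                    continue
                p["categories"].add(name)
                if name == "ping_status" and m.group(1) not in p["ping_targets"]:
                    p["ping_targets"].append(m.group(1))
        if NIRSOFT_SAVE.search(e["cmdline"]):
            p["nirsoft_children"].append(e["pid"])
    return by_parent


def alerts(events, min_categories=3):
    """One alert per parent whose wmic children span >= min_categories
    distinct recon queries; a lone 'os get caption' stays below it."""
    image_of = {e["pid"]: e["image"] for e in events}
    out = []
    for ppid, p in profile_parents(events).items():
        if len(p["categories"]) >= min_categories:
            out.append({
                "parent_pid": ppid,
                "parent_image": image_of.get(ppid),
                "categories": sorted(p["categories"]),
                "ping_targets": p["ping_targets"],
                "nirsoft_children": p["nirsoft_children"],
            })
    return out


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a)
```

Against the constructed events only PID 776 alerts, carrying all six categories, the pinged host outarcubleauded.xyz as an indicator to pivot on, and the two self-image children that ran with /scomma. Lowering min_categories to 1 also surfaces the powershell.exe control, which is the trade-off the threshold exists to manage.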
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\EdgeCP\1.log (the file named in PID 3980's /scomma argument)
MD5: c899085ae52e1212260bd31f38dd7cad
SHA1: 482ebdfa75ac934e022670beea5258f08863abcb
SHA256: 20c8330e6a19bd31b379f102f9ede1fd315fc763dd1d805b310ade04860d69cf
SHA512: 3139ffb0e6c9ac312dd38aed58953b5249c8374529972553353e40bef982376b71f7a3551abd860f17443708d032c03feb2795860510a33df3abd35aebda155e
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (recorded four times in the report with identical hashes; they match the submitted sample, so this is the sample copying itself to %APPDATA%\EdgeCP and running from there)
MD5: e62a12e02d56fac5aa469ddb8973fa19
SHA1: 190a33491b72b52f97d424a8a5e4c2193f5d71db
SHA256: bd9f3b1b869611da4ad27ade26a7e19c0c3bc7e0aae3d21f8704ab58c59c4943
SHA512: c89e53557e283ede3927988a1a045781fc908219f8ef46b45d11f954199b87ff2eb7d4a362d1568bf23af03b914158fa47a92208c49dca70c7d14e2854c07b12
-
memory dump                                                        Filesize
memory/208-9-0x0000000000000000-mapping.dmp
memory/776-7-0x0000000004410000-0x0000000006662000-memory.dmp      34.3MB
memory/776-4-0x0000000000000000-mapping.dmp
memory/780-13-0x0000000000000000-mapping.dmp
memory/1224-21-0x0000000000400000-0x0000000000405000-memory.dmp    20KB
memory/1224-26-0x0000000000400000-0x0000000000405000-memory.dmp    20KB
memory/1224-22-0x0000000000401074-mapping.dmp
memory/1332-10-0x0000000000000000-mapping.dmp
memory/1628-3-0x0000000000400000-0x0000000002652000-memory.dmp     34.3MB
memory/1628-2-0x00000000045C0000-0x0000000006812000-memory.dmp     34.3MB
memory/2080-14-0x0000000000000000-mapping.dmp
memory/2100-11-0x0000000000000000-mapping.dmp
memory/2628-12-0x0000000000000000-mapping.dmp
memory/3980-16-0x0000000000400000-0x000000000047C000-memory.dmp    496KB
memory/3980-19-0x0000000000400000-0x000000000047C000-memory.dmp    496KB
memory/3980-17-0x00000000004466F4-mapping.dmp
memory/4052-15-0x0000000000000000-mapping.dmp