Analysis

max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 03/03/2021, 18:19

Static task: static1
Behavioral task: behavioral1
  Sample: 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
  Resource: win10v20201028

General

Target: 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
Size: 1.4MB
MD5: f3da87fb27befc3df1eec757587fe93b
SHA1: 798f0f6dba708beb6aee86469e5084b08d2e2714
SHA256: 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA512: 51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
Malware Config
Signatures

- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.

- DiamondFox payload (2 IoCs)
  Detects DiamondFox payload in file/memory.
  resource                                                                    yara_rule
  behavioral2/memory/3920-4-0x0000000000400000-0x0000000000435000-memory.dmp  diamondfox
  behavioral2/memory/3920-3-0x00000000001C0000-0x00000000001F3000-memory.dmp  diamondfox
  Both matches are in the memory of PID 3920, the submitted sample itself, so the DiamondFox code is in the dropper, not only in the dropped MicrosoftEdgeCPS.exe.

- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers.
  resource                                                                    yara_rule
  behavioral2/memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3764-23-0x00000000004466F4-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
  All three matches are in PID 3764, a copy of MicrosoftEdgeCPS.exe that PID 188 started with /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log". /scomma is the NirSoft command-line switch that saves the tool's output as a comma-separated file, so 1.log is where the recovered browser credentials are written. The on-disk image of 3764 is MicrosoftEdgeCPS.exe while its image base at 0x400000 matches WebBrowserPassView, which is why this is listed under memory rather than file matches.

- Nirsoft (3 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
  behavioral2/memory/3764-23-0x00000000004466F4-mapping.dmp                    Nirsoft
  behavioral2/memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
  The generic Nirsoft rule fires on the same three regions of PID 3764.

- Executes dropped EXE (4 IoCs)
  pid   Process
  188   MicrosoftEdgeCPS.exe
  3284  MicrosoftEdgeCPS.exe
  3764  MicrosoftEdgeCPS.exe
  2128  MicrosoftEdgeCPS.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (18 IoCs)
  description                           pid   Process               procid_target
  PID 188 set thread context of 3284    188   MicrosoftEdgeCPS.exe  93
  PID 188 set thread context of 3764    188   MicrosoftEdgeCPS.exe  94
  PID 188 set thread context of 2128    188   MicrosoftEdgeCPS.exe  96
  PID 3284 set thread context of 4092   3284  MicrosoftEdgeCPS.exe  97
  PID 188 set thread context of 0       188   MicrosoftEdgeCPS.exe  (14 further entries; the monitor could not resolve the target PID)
  PID 188 both writes into and then sets the thread context of its three child copies (3284, 3764 and 2128; see the WriteProcessMemory table below). Combined with the WebBrowserPassView match at 0x400000 in PID 3764, whose on-disk image is MicrosoftEdgeCPS.exe, this is the process-hollowing pattern: a suspended copy of itself is overwritten with a different executable and resumed with a new entry point. The 3284 -> 4092 entry targets WerFault.exe, the Windows Error Reporting process started after 3284 faulted, and should not be read as a fourth injection.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. The only storage-related activity visible in this report is the wmic LogicalDisk query below for DriveType=4, which is Network Drive in Win32_LogicalDisk, so here it is mapped-drive enumeration by an infostealer, not ransomware activity.

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  188   MicrosoftEdgeCPS.exe  (6 entries)
  3764  MicrosoftEdgeCPS.exe  (4 entries)

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  3284  MicrosoftEdgeCPS.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process   Tokens
  932   wmic.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the same 21 tokens enabled twice, 42 entries)
  3272  wmic.exe  the same 21 tokens, then SeIncreaseQuotaPrivilege again (22 entries; the table is cut off at 64 IoCs, so later wmic.exe processes are not listed)
  Both listed processes are wmic.exe enabling the full set of privileges already present in its own token at startup. This is wmic's normal behaviour and is not a privilege escalation by the sample; the useful signal is that wmic.exe is being driven by a binary in the user's roaming profile, not the privileges themselves.

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2128  MicrosoftEdgeCPS.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  source PID  source Process                                                         target PID  procid_target  entries
  3920        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe  188         78             3
  188         MicrosoftEdgeCPS.exe                                                   932         79             3
  188         MicrosoftEdgeCPS.exe                                                   3272        81             3
  188         MicrosoftEdgeCPS.exe                                                   2096        83             3
  188         MicrosoftEdgeCPS.exe                                                   936         85             3
  188         MicrosoftEdgeCPS.exe                                                   2176        87             3
  188         MicrosoftEdgeCPS.exe                                                   4080        89             3
  188         MicrosoftEdgeCPS.exe                                                   200         91             3
  188         MicrosoftEdgeCPS.exe                                                   3284        93             12
  188         MicrosoftEdgeCPS.exe                                                   3764        94             9
  188         MicrosoftEdgeCPS.exe                                                   2128        96             8
  3284        MicrosoftEdgeCPS.exe                                                   4092        97             5
  188         MicrosoftEdgeCPS.exe                                                   4044        98             3
  188         MicrosoftEdgeCPS.exe                                                   3908        100            3
  The three writes per ordinary child process are the sandbox's baseline for a CreateProcess call; the 12, 9 and 8 writes into 3284, 3764 and 2128 are the extra writes needed to place a new image and set up the hollowed copies.
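The two tables above only become meaningful when they are read together: a write into a process followed by SetThreadContext on the same process, from the same parent, is the hollowing shape. The following is an added example, not code from the report or from the sandbox that produced it. It correlates the two call types over a constructed event list built from the PIDs, image names and API calls in the tables (the (api, source_pid, target_pid) record shape is an assumption, not the sandbox's export format), and it separates out the WerFault.exe pair so that a crash is not reported as an injection.

```python
"""Correlate WriteProcessMemory and SetThreadContext calls into process-hollowing
candidates.

Added example; this is not code from the sandbox report or from the tool that
produced it.  The events below are constructed from the PIDs, image names and
API calls in the report's "Suspicious use of SetThreadContext" and "Suspicious
use of WriteProcessMemory" tables.  The (api, source_pid, target_pid) record
shape is an assumption for the example, not the sandbox's export format.
"""
from collections import defaultdict

# Image name per PID, taken from the report's process tree.
IMAGES = {
    3920: "9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe",
    188: "MicrosoftEdgeCPS.exe",
    932: "wmic.exe",
    3284: "MicrosoftEdgeCPS.exe",
    3764: "MicrosoftEdgeCPS.exe",
    2128: "MicrosoftEdgeCPS.exe",
    4092: "WerFault.exe",
}

# (api, source_pid, target_pid) in call order.  Constructed from the report;
# repeated writes are collapsed to a few entries each.
EVENTS = [
    ("WriteProcessMemory", 3920, 188),     # dropper starts its payload
    ("WriteProcessMemory", 188, 932),      # writes to wmic.exe, no context change
    ("WriteProcessMemory", 188, 3284),
    ("WriteProcessMemory", 188, 3284),
    ("SetThreadContext", 188, 3284),
    ("WriteProcessMemory", 188, 3764),
    ("SetThreadContext", 188, 3764),
    ("WriteProcessMemory", 188, 2128),
    ("SetThreadContext", 188, 2128),
    ("WriteProcessMemory", 3284, 4092),    # faulted copy talking to WerFault.exe
    ("SetThreadContext", 3284, 4092),
    ("SetThreadContext", 188, 0),          # target 0: handle not resolved by the monitor
]

# Windows Error Reporting is written to and has its context set by the faulting
# process; those pairs are reported separately rather than as hollowing.
WER_IMAGES = {"WerFault.exe"}


def hollowing_candidates(events, images):
    """Return (candidates, wer_pairs).

    A (source, target) pair is a candidate when the source wrote into the
    target's memory at least once and then called SetThreadContext on it.
    Each record carries the write count and whether source and target share
    an image name, which is the self-hollowing shape seen in this report.
    """
    writes = defaultdict(int)
    reported = set()
    candidates, wer_pairs = [], []
    for api, src, dst in events:
        if dst == 0:                      # nothing to correlate against
            continue
        key = (src, dst)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext" and writes[key] and key not in reported:
            reported.add(key)
            rec = {
                "source": src,
                "target": dst,
                "target_image": images.get(dst, "?"),
                "same_image": images.get(src) == images.get(dst),
                "writes": writes[key],
            }
            (wer_pairs if rec["target_image"] in WER_IMAGES else candidates).append(rec)
    return candidates, wer_pairs


if __name__ == "__main__":
    found, wer = hollowing_candidates(EVENTS, IMAGES)
    for r in found:
        print("hollowing candidate: %d -> %d (%s, same image: %s, %d writes)"
              % (r["source"], r["target"], r["target_image"], r["same_image"], r["writes"]))
    for r in wer:
        print("WER pair, not hollowing: %d -> %d (%s)"
              % (r["source"], r["target"], r["target_image"]))
```

Run against the constructed events this reports 188 -> 3284, 188 -> 3764 and 188 -> 2128 as same-image hollowing candidates, leaves 188 -> 932 alone because wmic.exe never had its thread context set, and files 3284 -> 4092 under WerFault rather than as an injection. On a real EDR feed the same correlation should also require that the target was created suspended, which this report does not record.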
Processes

C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe  (level 1, PID 3920)
  command line: "C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  (level 2, PID 188)
    command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 932)
      command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 3272)
      command line: "wmic" os get caption /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 2096)
      command line: "wmic" path win32_VideoController get caption /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 936)
      command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 2176)
      command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 4080)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 200)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List

    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  (level 3, PID 3284)
      command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\WerFault.exe  (level 4, PID 4092)
        command line: C:\Windows\system32\WerFault.exe

    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  (level 3, PID 3764)
      command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  (level 3, PID 2128)
      command line: /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 4044)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 3908)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 3004)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List

    C:\Windows\SysWOW64\Wbem\wmic.exe  (level 3, PID 4028)
      command line: "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List

Reading the tree: the sample drops MicrosoftEdgeCPS.exe into the roaming profile (an Edge-sounding name under AppData\Roaming\EdgeCP, not under Program Files) and that process, PID 188, does all of the work. It runs a fixed reconnaissance sequence through wmic.exe: registered antivirus products from the root\SecurityCenter2 namespace, which is where Windows Security Center records third-party AV, then the OS caption, the video controller, IP-enabled adapters, and mapped network drives (DriveType=4). It checks that 185.193.88.150 answers ping (win32_PingStatus StatusCode and ResponseTime) before and again after the credential export, so that address is the reachability target and the only network indicator on this page. The credential export itself is two further copies of MicrosoftEdgeCPS.exe started with /scomma, the NirSoft save-as-CSV switch, writing to 1.log and 4.log in the EdgeCP directory; PID 3764 is confirmed as WebBrowserPassView by the memory YARA matches above, while PID 2128 is not matched by a rule and only shows a SetWindowsHookEx call. The copy at PID 3284, which 188 also wrote into and set the thread context of, faulted and spawned WerFault.exe.
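For detection engineering the tree above is a command-line problem: each wmic query on its own is unremarkable, but one parent chaining AV discovery, host recon, a ping check to a literal address and a /scomma export is the profile shown here. The following is an added example, not code from the report or from the sandbox. It runs a small rule set over process-creation records constructed from the tree (plus one benign wmic call for contrast; the pid/ppid/image/cmdline field names are an assumption about how an EDR would present the data) and raises one alert per parent PID only when the pieces are combined.

```python
"""Flag the reconnaissance and credential-export command lines seen in the
process tree above, and raise one alert per parent that chains them.

Added example; not code from the report or from the sandbox.  The process
creation records are constructed from the tree above plus one benign wmic call
for contrast; the record fields (pid, ppid, image, cmdline) are an assumption
about how an EDR would present the data.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe"
EDGECP = r"C:\Users\Admin\AppData\Roaming\EdgeCP"
PAYLOAD = EDGECP + r"\MicrosoftEdgeCPS.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"

EVENTS = [
    {"pid": 3920, "ppid": 1, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 188, "ppid": 3920, "image": PAYLOAD, "cmdline": '"' + PAYLOAD + '"'},
    {"pid": 932, "ppid": 188, "image": WMIC,
     "cmdline": r'"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List'},
    {"pid": 3272, "ppid": 188, "image": WMIC, "cmdline": '"wmic" os get caption /FORMAT:List'},
    {"pid": 2096, "ppid": 188, "image": WMIC, "cmdline": '"wmic" path win32_VideoController get caption /FORMAT:List'},
    {"pid": 936, "ppid": 188, "image": WMIC,
     "cmdline": '"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List'},
    {"pid": 2176, "ppid": 188, "image": WMIC, "cmdline": '"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List'},
    {"pid": 4080, "ppid": 188, "image": WMIC,
     "cmdline": "\"wmic\" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List"},
    {"pid": 3764, "ppid": 188, "image": PAYLOAD, "cmdline": '/scomma "' + EDGECP + r'\1.log"'},
    {"pid": 2128, "ppid": 188, "image": PAYLOAD, "cmdline": '/scomma "' + EDGECP + r'\4.log"'},
    # Constructed benign contrast: an administrator's shell asking for the OS version.
    {"pid": 5000, "ppid": 4000, "image": WMIC, "cmdline": '"wmic" os get caption'},
]

# Command-line rules.  Named groups pull out the values an analyst wants.
RULES = [
    ("av_discovery", re.compile(r"SecurityCenter2.*\bAntiVirusProduct\b", re.I)),
    ("ping_check", re.compile(r"win32_PingStatus\s+where\s+address='(?P<ip>[\d.]+)'", re.I)),
    ("host_recon", re.compile(r"\b(?:os get caption|win32_VideoController|"
                              r"win32_NetworkAdapterConfiguration|LogicalDisk\s+Where\s+DriveType)", re.I)),
    ("nirsoft_csv_export", re.compile(r'/scomma\s+"?(?P<out>[^"]+)"?', re.I)),
]
# An "Edge"-named executable running from the roaming profile instead of Program Files.
ROAMING_EDGE = re.compile(r"\\AppData\\Roaming\\.*Edge[^\\]*\.exe$", re.I)


def classify(event):
    """Return {rule_name: captured_fields} for every rule the event matches."""
    tags = {}
    for name, rx in RULES:
        m = rx.search(event["cmdline"])
        if m:
            tags[name] = m.groupdict()
    if ROAMING_EDGE.search(event["image"]):
        tags["edge_named_in_profile"] = {}
    return tags


def triage(events):
    """Group findings by parent PID.  A parent is alerted on when its children
    combine AV discovery, at least one more recon or reachability query, and a
    NirSoft-style CSV export; a lone wmic query never alerts."""
    by_parent = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            by_parent[ev["ppid"]].append((ev["pid"], tags))
    alerts = {}
    for ppid, findings in by_parent.items():
        kinds = {k for _, t in findings for k in t}
        if {"av_discovery", "nirsoft_csv_export"} <= kinds and kinds & {"ping_check", "host_recon"}:
            alerts[ppid] = {
                "children": sorted(pid for pid, _ in findings),
                "ips": sorted({t["ping_check"]["ip"] for _, t in findings if "ping_check" in t}),
                "exports": sorted(t["nirsoft_csv_export"]["out"] for _, t in findings
                                  if "nirsoft_csv_export" in t),
            }
    return alerts


if __name__ == "__main__":
    for ppid, a in triage(EVENTS).items():
        print("ALERT parent PID %d: recon + credential export via children %s" % (ppid, a["children"]))
        print("  reachability checks to: %s" % ", ".join(a["ips"]))
        print("  credential CSV files:  %s" % "; ".join(a["exports"]))
```

On the constructed records only PID 188 alerts, with 185.193.88.150 and the two .log paths pulled out as the indicators to pivot on; the administrator's lone "wmic os get caption" is tagged as host_recon but never reaches the alert threshold, and PID 188 itself is tagged edge_named_in_profile under its parent 3920 without that alone firing. Keying on the parent rather than on individual wmic processes is what keeps this from paging on every inventory script.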