Overview

overview

10

Static

static

9526e9792b...bf.exe

windows7_x64

10

9526e9792b...bf.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe

  • Size

    1.4MB

  • MD5

    f3da87fb27befc3df1eec757587fe93b

  • SHA1

    798f0f6dba708beb6aee86469e5084b08d2e2714

  • SHA256

    9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

  • SHA512

    51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

Score
10/10
diamondfoxbotnetdiscoveryspywarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
    "C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:932
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" os get caption /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" path win32_VideoController get caption /FORMAT:List
        3⤵
          PID:2096
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
          3⤵
            PID:936
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
            3⤵
              PID:2176
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
              3⤵
                PID:4080
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                3⤵
                  PID:200
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:3284
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe
                    4⤵
                      PID:4092
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3764
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2128
                  • C:\Windows\SysWOW64\Wbem\wmic.exe
                    "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
                    3⤵
                      PID:4044
                    • C:\Windows\SysWOW64\Wbem\wmic.exe
                      "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                      3⤵
                        PID:3908
                      • C:\Windows\SysWOW64\Wbem\wmic.exe
                        "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
                        3⤵
                          PID:3004
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                          3⤵
                            PID:4028

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Credential Access

                      Credentials in Files

                      1
                      T1081

                      Discovery

                      Query Registry

                      1
                      T1012

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Data from Local System

                      1
                      T1005

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\EdgeCP\1.log
                        MD5

                        de4f4a0e812333a204277f4ca32e0f1e

                        SHA1

                        1987425deb61435c610d18fb63ac3d6d84f499b7

                        SHA256

                        028d1db1620f8e08f7c5b85f5c6ddd2d20afa5af4f852c4f300ab6ba79dcfa15

                        SHA512

                        888e2e7c3315ddff655a94f2d0276a852bd539582acd8758129d5b95f6dcf729eb82e56111c51bb5be8f3f5d4071f13b02151b08c1d0b8bb8dc0763d740df9c2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                        MD5

                        f3da87fb27befc3df1eec757587fe93b

                        SHA1

                        798f0f6dba708beb6aee86469e5084b08d2e2714

                        SHA256

                        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

                        SHA512

                        51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                        MD5

                        f3da87fb27befc3df1eec757587fe93b

                        SHA1

                        798f0f6dba708beb6aee86469e5084b08d2e2714

                        SHA256

                        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

                        SHA512

                        51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                        MD5

                        f3da87fb27befc3df1eec757587fe93b

                        SHA1

                        798f0f6dba708beb6aee86469e5084b08d2e2714

                        SHA256

                        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

                        SHA512

                        51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                        MD5

                        f3da87fb27befc3df1eec757587fe93b

                        SHA1

                        798f0f6dba708beb6aee86469e5084b08d2e2714

                        SHA256

                        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

                        SHA512

                        51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                        MD5

                        f3da87fb27befc3df1eec757587fe93b

                        SHA1

                        798f0f6dba708beb6aee86469e5084b08d2e2714

                        SHA256

                        9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf

                        SHA512

                        51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa

                        Download Submit
                      • memory/0-49-0x0000000000400000-0x0000000000455000-memory.dmp
                        Filesize

                        340KB

                        Download
                      • memory/0-52-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/0-48-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/0-47-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/0-74-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/0-64-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/0-50-0x0000000000400000-0x0000000000422000-memory.dmp
                        Filesize

                        136KB

                        Download
                      • memory/188-5-0x0000000000000000-mapping.dmp
                        Download
                      • memory/188-8-0x0000000000C70000-0x0000000000C71000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/200-17-0x0000000000000000-mapping.dmp
                        Download
                      • memory/932-11-0x0000000000000000-mapping.dmp
                        Download
                      • memory/936-14-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2096-13-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2128-30-0x0000000000400000-0x0000000000405000-memory.dmp
                        Filesize

                        20KB

                        Download
                      • memory/2128-31-0x0000000000401074-mapping.dmp
                        Download
                      • memory/2128-35-0x0000000000400000-0x0000000000405000-memory.dmp
                        Filesize

                        20KB

                        Download
                      • memory/2176-15-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3004-76-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3272-12-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3284-43-0x0000000000400000-0x000000000044D000-memory.dmp
                        Filesize

                        308KB

                        Download
                      • memory/3284-21-0x0000000000400000-0x0000000002BE9000-memory.dmp
                        Filesize

                        39.9MB

                        Download
                      • memory/3284-27-0x0000000002D70000-0x0000000002DE8000-memory.dmp
                        Filesize

                        480KB

                        Download
                      • memory/3284-40-0x00000000004D0000-0x0000000000559000-memory.dmp
                        Filesize

                        548KB

                        Download
                      • memory/3284-26-0x00000000031B0000-0x00000000031B1000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/3284-42-0x0000000003140000-0x0000000003141000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/3284-18-0x0000000000400000-0x0000000002BE9000-memory.dmp
                        Filesize

                        39.9MB

                        Download
                      • memory/3284-44-0x00000000005B0000-0x00000000006F0000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/3284-19-0x00000000004043A8-mapping.dmp
                        Download
                      • memory/3284-28-0x0000000000400000-0x000000000047B000-memory.dmp
                        Filesize

                        492KB

                        Download
                      • memory/3764-23-0x00000000004466F4-mapping.dmp
                        Download
                      • memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmp
                        Filesize

                        496KB

                        Download
                      • memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmp
                        Filesize

                        496KB

                        Download
                      • memory/3908-73-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3920-2-0x0000000000B30000-0x0000000000B31000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/3920-3-0x00000000001C0000-0x00000000001F3000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/3920-4-0x0000000000400000-0x0000000000435000-memory.dmp
                        Filesize

                        212KB

                        Download
                      • memory/4028-77-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4044-72-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4080-16-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4092-46-0x0000027B62310000-0x0000027B623D9000-memory.dmp
                        Filesize

                        804KB

                        Download
                      • memory/4092-45-0x0000027B620B0000-0x0000027B620B1000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/4092-41-0x0000000000000000-mapping.dmp
                        Download