Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25-05-2021 21:59
Static task
static1
Behavioral task
behavioral1
Sample
foo.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
foo.exe
Resource
win10v20210408
General
-
Target
foo.exe
-
Size
212KB
-
MD5
433d77782664455b950e1508c0787f1a
-
SHA1
181103f2b8dd9a8bf954f22670f08c7193cb8e8f
-
SHA256
e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
-
SHA512
5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 3 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox -
Executes dropped EXE 1 IoCs
Processes:
MicrosoftEdgeCPS.exepid process 1308 MicrosoftEdgeCPS.exe -
Loads dropped DLL 2 IoCs
Processes:
foo.exepid process 1104 foo.exe 1104 foo.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1624 powershell.exe 1624 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1624 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
foo.exeMicrosoftEdgeCPS.exedescription pid process target process PID 1104 wrote to memory of 1308 1104 foo.exe MicrosoftEdgeCPS.exe PID 1104 wrote to memory of 1308 1104 foo.exe MicrosoftEdgeCPS.exe PID 1104 wrote to memory of 1308 1104 foo.exe MicrosoftEdgeCPS.exe PID 1104 wrote to memory of 1308 1104 foo.exe MicrosoftEdgeCPS.exe PID 1308 wrote to memory of 1624 1308 MicrosoftEdgeCPS.exe powershell.exe PID 1308 wrote to memory of 1624 1308 MicrosoftEdgeCPS.exe powershell.exe PID 1308 wrote to memory of 1624 1308 MicrosoftEdgeCPS.exe powershell.exe PID 1308 wrote to memory of 1624 1308 MicrosoftEdgeCPS.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo.exe"C:\Users\Admin\AppData\Local\Temp\foo.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
433d77782664455b950e1508c0787f1a
SHA1181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA5125c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
433d77782664455b950e1508c0787f1a
SHA1181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA5125c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
433d77782664455b950e1508c0787f1a
SHA1181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA5125c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
-
memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmpFilesize
8KB
-
memory/1308-63-0x0000000000000000-mapping.dmp
-
memory/1624-72-0x0000000002630000-0x0000000002631000-memory.dmpFilesize
4KB
-
memory/1624-76-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/1624-69-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/1624-70-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/1624-71-0x00000000048D2000-0x00000000048D3000-memory.dmpFilesize
4KB
-
memory/1624-66-0x0000000000000000-mapping.dmp
-
memory/1624-73-0x0000000004850000-0x0000000004851000-memory.dmpFilesize
4KB
-
memory/1624-68-0x0000000001E10000-0x0000000001E11000-memory.dmpFilesize
4KB
-
memory/1624-81-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/1624-82-0x00000000061E0000-0x00000000061E1000-memory.dmpFilesize
4KB
-
memory/1624-89-0x0000000006170000-0x0000000006171000-memory.dmpFilesize
4KB
-
memory/1624-90-0x0000000006130000-0x0000000006131000-memory.dmpFilesize
4KB
-
memory/1624-104-0x0000000006300000-0x0000000006301000-memory.dmpFilesize
4KB
-
memory/1624-105-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/1624-106-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB