Analysis
- max time kernel: 119s
- max time network: 175s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-08-2021 17:16
Static task: static1
Behavioral task: behavioral1
- Sample: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
- Resource: win10v20210408
General
- Target: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
- Size: 1.5MB
- MD5: d04da71fa3ec4f986aebf533c7f500cd
- SHA1: 351792c9d94e6fefc9ba91a12d1a220eb28eb7b7
- SHA256: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02
- SHA512: 713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840
Malware Config
Signatures
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
- DiamondFox payload (2 IoCs)
  Detects DiamondFox payload in file/memory.
  resource | yara_rule
  behavioral1/memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp | diamondfox
  behavioral1/memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp | diamondfox
- Executes dropped EXE (1 IoC)
  pid | process
  888 | EdgeCommonService.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  2772 | 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
  2772 | 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
  888 | EdgeCommonService.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This line is the sandbox's generic description for any drive enumeration, not a finding specific to this sample: nothing else in this report supports a ransomware classification, and the sample is identified above as the DiamondFox botnet. Treat the "ransomware" hint as heuristic noise, not evidence.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  2952 | chrome.exe
  1160 | powershell.exe
  1160 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | process
  Token: 33 | 1296 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1296 | AUDIODG.EXE
  Token: 33 | 1296 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1296 | AUDIODG.EXE
  Token: SeDebugPrivilege | 1160 | powershell.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | process
  2772 | 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
  888 | EdgeCommonService.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2772 wrote to memory of 888 | 2772 | 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe | EdgeCommonService.exe (4 identical entries)
  PID 888 wrote to memory of 1160 | 888 | EdgeCommonService.exe | powershell.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe"
   - Loads dropped DLL
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
      Command line: "C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
1. C:\Program Files\Google\Chrome\Application\chrome.exe
   Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,12343350832012158813,10442529651844132122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 /prefetch:8
   - Suspicious behavior: EnumeratesProcesses
1. C:\Windows\explorer.exe
   Command line: "C:\Windows\explorer.exe"
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x568
   - Suspicious use of AdjustPrivilegeToken
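The tree above shows the chain that matters for detection: the sample starts a copy of itself from %LOCALAPPDATA%\CommsEdge (same hashes, see Downloads below), and that copy spawns 32-bit PowerShell with `Set-MpPreference -DisableRealtimeMonitoring 1`, which switches off Microsoft Defender real-time protection (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). The Python below is an added example, not part of this report or of the sandbox: it runs three detections over process-creation events constructed from the tree. The event schema, the ppid of 0 for root processes and the placeholder hashes for chrome.exe and AUDIODG.EXE are assumptions; the Defender rule also matches the sibling switches -DisableBehaviorMonitoring and -DisableIOAVProtection, which this report does not show.

```python
import re
from typing import Dict, List, Tuple

# Added example, not part of the sandbox report. Events are constructed from the
# report's process tree (PIDs, paths, command lines and sample hash as reported);
# the schema, ppid 0 for root processes and the benign processes' hashes are
# assumptions.
SAMPLE_SHA256 = "54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

EVENTS: List[dict] = [
    {"pid": 2772, "ppid": 0, "image": SAMPLE_EXE, "cmdline": '"%s"' % SAMPLE_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 888, "ppid": 2772, "image": DROPPED_EXE, "cmdline": '"%s"' % DROPPED_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 1160, "ppid": 888, "image": POWERSHELL,
     "cmdline": '"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1', "sha256": "<powershell>"},
    {"pid": 2952, "ppid": 0, "image": CHROME, "cmdline": '"%s" --type=utility' % CHROME, "sha256": "<chrome>"},
    {"pid": 1296, "ppid": 0, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x568", "sha256": "<audiodg>"},
]

# Set-MpPreference switches that turn a Defender protection off; PowerShell accepts
# 1 or $true as the value. Only -DisableRealtimeMonitoring appears in the report;
# the other two switches are a generalisation.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\b.*?-disable(?:realtimemonitoring|behaviormonitoring|ioavprotection)"
    r"\s+(?:1|\$true)\b", re.IGNORECASE)
# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def _by_pid(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def defender_tamper(events: List[dict]) -> List[int]:
    """PIDs whose command line disables a Defender protection via Set-MpPreference."""
    return [e["pid"] for e in events if DEFENDER_TAMPER.search(e["cmdline"])]


def self_copy_executions(events: List[dict]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the child is the same binary as its parent but runs
    from a different path: the sample re-launching a copy of itself."""
    procs = _by_pid(events)
    hits = []
    for e in events:
        p = procs.get(e["ppid"])
        if p and p["sha256"] == e["sha256"] and p["image"].lower() != e["image"].lower():
            hits.append((p["pid"], e["pid"]))
    return hits


def powershell_from_user_writable(events: List[dict]) -> List[int]:
    """PIDs of powershell.exe whose parent image lives in a user-writable directory."""
    procs = _by_pid(events)
    out = []
    for e in events:
        p = procs.get(e["ppid"])
        if e["image"].lower().endswith("\\powershell.exe") and p and USER_WRITABLE.search(p["image"]):
            out.append(e["pid"])
    return out


def triage(events: List[dict]) -> Dict[str, list]:
    return {
        "defender_tamper": defender_tamper(events),
        "self_copy_execution": self_copy_executions(events),
        "powershell_from_user_writable": powershell_from_user_writable(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

Run against the constructed events, all three rules fire on the 2772 -> 888 -> 1160 chain and none on chrome.exe or AUDIODG.EXE; a command line that sets the switch to 0 is left alone. The same-hash rule is the cheapest way to catch this family's installer step, since it needs no signature for the payload itself.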
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
  MD5: d04da71fa3ec4f986aebf533c7f500cd
  SHA1: 351792c9d94e6fefc9ba91a12d1a220eb28eb7b7
  SHA256: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02
  SHA512: 713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840
  (listed twice in the report with identical hashes)
- \Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
  MD5: d04da71fa3ec4f986aebf533c7f500cd
  SHA1: 351792c9d94e6fefc9ba91a12d1a220eb28eb7b7
  SHA256: 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02
  SHA512: 713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840
  (listed three times in the report with identical hashes)
All four digests match the submitted sample exactly: the dropped EdgeCommonService.exe is a byte-for-byte copy of the original executable written to %LOCALAPPDATA%\CommsEdge, not a separate second-stage payload, so the file hashes above are the only on-disk indicators this run produced.
- memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp: 1.5MB
- memory/888-65-0x0000000000000000-mapping.dmp
- memory/1160-73-0x0000000002530000-0x0000000002531000-memory.dmp: 4KB
- memory/1160-93-0x00000000061F0000-0x00000000061F1000-memory.dmp: 4KB
- memory/1160-109-0x0000000006280000-0x0000000006281000-memory.dmp: 4KB
- memory/1160-71-0x0000000001F10000-0x0000000001F11000-memory.dmp: 4KB
- memory/1160-72-0x0000000004860000-0x0000000004861000-memory.dmp: 4KB
- memory/1160-108-0x0000000006270000-0x0000000006271000-memory.dmp: 4KB
- memory/1160-74-0x0000000004820000-0x0000000004821000-memory.dmp: 4KB
- memory/1160-75-0x0000000004822000-0x0000000004823000-memory.dmp: 4KB
- memory/1160-76-0x0000000005270000-0x0000000005271000-memory.dmp: 4KB
- memory/1160-79-0x0000000005F50000-0x0000000005F51000-memory.dmp: 4KB
- memory/1160-84-0x0000000005FF0000-0x0000000005FF1000-memory.dmp: 4KB
- memory/1160-85-0x000000007EF30000-0x000000007EF31000-memory.dmp: 4KB
- memory/1160-86-0x0000000006100000-0x0000000006101000-memory.dmp: 4KB
- memory/1160-68-0x0000000000000000-mapping.dmp
- memory/1160-94-0x0000000005F10000-0x0000000005F11000-memory.dmp: 4KB
- memory/2116-62-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp: 8KB
- memory/2772-59-0x00000000753B1000-0x00000000753B3000-memory.dmp: 8KB
- memory/2772-60-0x0000000000280000-0x0000000000281000-memory.dmp: 4KB
- memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp: 1.5MB
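The two DiamondFox YARA hits in the Signatures section land on the same 0x400000-0x58A000 region in PID 2772 and PID 888, and those are the only two 1.5MB dumps in the list above; 0x400000 is the default ImageBase of a 32-bit PE, so both hits are consistent with the rule matching the loaded main module rather than a separately allocated region. The Python below is an added example, not part of this report or of the sandbox: it parses the dump names, reconciles the YARA hits against the dump list and reproduces the sizes. The dump names and hits are copied from this page; the naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from them and is an assumption.

```python
import re
from typing import Dict, List, Optional

# Added example, not part of the sandbox report. Dump names are copied from the
# report's Downloads list and the two YARA hits from its Signatures section; the
# name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is an assumption.
DUMPS = """
memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp
memory/888-65-0x0000000000000000-mapping.dmp
memory/1160-73-0x0000000002530000-0x0000000002531000-memory.dmp
memory/1160-93-0x00000000061F0000-0x00000000061F1000-memory.dmp
memory/1160-109-0x0000000006280000-0x0000000006281000-memory.dmp
memory/1160-71-0x0000000001F10000-0x0000000001F11000-memory.dmp
memory/1160-72-0x0000000004860000-0x0000000004861000-memory.dmp
memory/1160-108-0x0000000006270000-0x0000000006271000-memory.dmp
memory/1160-74-0x0000000004820000-0x0000000004821000-memory.dmp
memory/1160-75-0x0000000004822000-0x0000000004823000-memory.dmp
memory/1160-76-0x0000000005270000-0x0000000005271000-memory.dmp
memory/1160-79-0x0000000005F50000-0x0000000005F51000-memory.dmp
memory/1160-84-0x0000000005FF0000-0x0000000005FF1000-memory.dmp
memory/1160-85-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/1160-86-0x0000000006100000-0x0000000006101000-memory.dmp
memory/1160-68-0x0000000000000000-mapping.dmp
memory/1160-94-0x0000000005F10000-0x0000000005F11000-memory.dmp
memory/2116-62-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
memory/2772-59-0x00000000753B1000-0x00000000753B3000-memory.dmp
memory/2772-60-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp
""".split()

# dump name -> rule, from the "DiamondFox payload" signature
YARA_HITS = {
    "behavioral1/memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp": "diamondfox",
    "behavioral1/memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp": "diamondfox",
}

DUMP_RE = re.compile(
    r"(?:^|/)memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE_32 = 0x400000  # linker default ImageBase for 32-bit EXEs


def parse_dump(name: str) -> Optional[dict]:
    """Split a region dump name into pid/seq/start/end/size; mapping dumps give None."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start, "at_default_image_base": start == DEFAULT_IMAGE_BASE_32}


def human_size(n: int) -> str:
    """Round the way the report does: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def regions_by_pid(dumps: List[str]) -> Dict[int, List[dict]]:
    out: Dict[int, List[dict]] = {}
    for d in dumps:
        r = parse_dump(d)
        if r:
            out.setdefault(r["pid"], []).append(r)
    return out


def reconcile(hits: Dict[str, str], dumps: List[str]) -> Dict[int, dict]:
    """For each YARA hit, parse its region and check it is present in the dump list
    (the hit names carry a 'behavioral1/' task prefix that the dump list does not)."""
    dumped = set(dumps)
    result: Dict[int, dict] = {}
    for name, rule in hits.items():
        r = parse_dump(name)
        if r is None:
            continue
        r["rule"] = rule
        r["in_dump_list"] = name[name.index("memory/"):] in dumped
        result[r["pid"]] = r
    return result


if __name__ == "__main__":
    for pid, r in sorted(reconcile(YARA_HITS, DUMPS).items()):
        print(f"pid {pid}: {r['rule']} at {r['start']:#x}-{r['end']:#x} "
              f"({human_size(r['size'])}, image base: {r['at_default_image_base']})")
```

Both hits resolve to a 0x18A000-byte (1,613,824-byte, reported as 1.5MB) region at 0x400000 that is present in the dump list, and PID 1160 (the PowerShell child) contributes only 4KB regions with no YARA match, which is what you would expect if the payload never left the two copies of the sample.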