Analysis
- max time kernel: 4294197s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 14-03-2022 17:30

Static task: static1

Behavioral task: behavioral1
- Sample: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Resource: win10v2004-20220310-en

General
- Target: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Size: 963KB
- MD5: a38a7e72a110324734a6a1f76e2c6e00
- SHA1: 849d24d21ac83486ce9ea730d97993e08d9733df
- SHA256: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35
- SHA512: faf091768e2057b36c458b84c8024c4d6ee8ea61ea49e3fab3258c9e977a8a22360ebc85a054adbbec6a8fba7aaf1e9b708ef719fc6fd113a2cb058e8744c894
Malware Config

Signatures
The signature tables and the process tree below come from behavioral1 (the Windows 7 x64 resource); results from the win10v2004 task (behavioral2) are not part of this section.

- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
  YARA rule hits:
    resource                                                                       rule
    behavioral1/memory/308-71-0x0000000000400000-0x0000000000436000-memory.dmp     diamondfox
    behavioral1/memory/308-74-0x0000000000400000-0x0000000000436000-memory.dmp     diamondfox
    behavioral1/memory/1220-111-0x0000000000400000-0x0000000000436000-memory.dmp   diamondfox
  All three hits are on memory dumps, none on the file itself, and they cover 0x400000-0x436000 in PIDs 308 and 1220: the default image base of a 32-bit executable, in exactly the two processes that receive SetThreadContext below. The family match is on code unpacked into a hollowed child, so a hash or YARA scan of the dropped file on disk should not be expected to identify it.

- Executes dropped EXE (3 IoCs)
    pid    Process
    300    MicrosoftEdgeCPS.exe
    1220   MicrosoftEdgeCPS.exe
    1992   MicrosoftEdgeCPS.exe

- Deletes itself (1 IoC)
    pid    Process
    608    powershell.exe
  The deletion is delegated to a PowerShell child that sleeps ten seconds before removing the original file (see the process tree), so the loader has already injected its payload by the time the file disappears.

- Loads dropped DLL (2 IoCs)
    pid    Process
    308    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    300    MicrosoftEdgeCPS.exe

- Suspicious use of SetThreadContext (2 IoCs)
    pid    Process                                                                  target pid   procid_target
    1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe    308          30
    300    MicrosoftEdgeCPS.exe                                                     1220         37
  In both cases the target is a child the caller has just started from the same binary and then written to ten times (see the WriteProcessMemory table); together with the in-memory YARA hits at the child's image base this is the process-hollowing pattern, repeated once by the loader and once by the dropped copy.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic signature: it fires on any attempt to enumerate or open attached drives, and nothing else listed for this sample (no encryption or mass file activity) supports the ransomware reading. Read it in the context of the DiamondFox match, a bot/stealer surveying the host.

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
    pid    Process
    1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    1076   powershell.exe
    608    powershell.exe
    300    MicrosoftEdgeCPS.exe
    1912   powershell.exe
    1108   powershell.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
    Token              pid    Process
    SeDebugPrivilege   1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    SeDebugPrivilege   1076   powershell.exe
    SeDebugPrivilege   608    powershell.exe
    SeDebugPrivilege   300    MicrosoftEdgeCPS.exe
    SeDebugPrivilege   1912   powershell.exe
    SeDebugPrivilege   1108   powershell.exe
  SeDebugPrivilege is what a process needs to open processes it does not own; the loader and the dropped copy enable it even though every injection target in this run is their own child.

- Suspicious use of WriteProcessMemory (52 IoCs, repeated rows collapsed into a count)
    pid    Process                                                                  target pid   procid_target   count
    1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe    532          29              4
    1924   b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe    308          30              10
    532    WScript.exe                                                              1076         31              4
    308    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe    300          33              4
    308    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe    608          34              4
    300    MicrosoftEdgeCPS.exe                                                     1260         36              4
    300    MicrosoftEdgeCPS.exe                                                     1220         37              10
    1260   WScript.exe                                                              1912         38              4
    1220   MicrosoftEdgeCPS.exe                                                     1992         40              4
    1220   MicrosoftEdgeCPS.exe                                                     1108         41              4
  Every ordinary child in this run (WScript, PowerShell, the dropped copy started normally) receives exactly four writes from its parent; only the two hollowed children (308 and 1220) receive ten, and only they are also targets of SetThreadContext. The four-write rows are process start-up, not injection.
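The tables above are per-call records; the useful question is which caller/target pairs amount to injection and whether a family rule matched inside the target afterwards. The following is an added example (not sandbox output) that transcribes the SetThreadContext and WriteProcessMemory rows, the parent/child relations from the process tree and the three YARA memory-dump hits into constructed Python records, then correlates them. The record layout and the function names are this example's own, not the sandbox's export format.

```python
"""Correlate per-process API IoCs into candidate injection pairs.

Constructed input: the SetThreadContext and WriteProcessMemory rows from the
report's signature tables (repeated rows collapsed into a count), the parent/
child relations from its process tree, and the three YARA memory-dump hits.
The record layouts are this example's own, not the sandbox's export format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_EXE = "b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"

# (caller pid, api, target pid, number of calls)
API_CALLS: List[Tuple[int, str, int, int]] = [
    (1924, "WriteProcessMemory", 532, 4),
    (1924, "WriteProcessMemory", 308, 10),
    (1924, "SetThreadContext", 308, 1),
    (532, "WriteProcessMemory", 1076, 4),
    (308, "WriteProcessMemory", 300, 4),
    (308, "WriteProcessMemory", 608, 4),
    (300, "WriteProcessMemory", 1260, 4),
    (300, "WriteProcessMemory", 1220, 10),
    (300, "SetThreadContext", 1220, 1),
    (1260, "WriteProcessMemory", 1912, 4),
    (1220, "WriteProcessMemory", 1992, 4),
    (1220, "WriteProcessMemory", 1108, 4),
]

# pid -> (parent pid, image basename), from the process tree
PROCS: Dict[int, Tuple[Optional[int], str]] = {
    1924: (None, SAMPLE_EXE),
    532: (1924, "WScript.exe"),
    1076: (532, "powershell.exe"),
    308: (1924, SAMPLE_EXE),
    300: (308, "MicrosoftEdgeCPS.exe"),
    608: (308, "powershell.exe"),
    1260: (300, "WScript.exe"),
    1912: (1260, "powershell.exe"),
    1220: (300, "MicrosoftEdgeCPS.exe"),
    1992: (1220, "MicrosoftEdgeCPS.exe"),
    1108: (1220, "powershell.exe"),
}

# (dump resource, matching rule) exactly as listed under "DiamondFox"
YARA_DUMPS: List[Tuple[str, str]] = [
    ("behavioral1/memory/308-71-0x0000000000400000-0x0000000000436000-memory.dmp", "diamondfox"),
    ("behavioral1/memory/308-74-0x0000000000400000-0x0000000000436000-memory.dmp", "diamondfox"),
    ("behavioral1/memory/1220-111-0x0000000000400000-0x0000000000436000-memory.dmp", "diamondfox"),
]

# <pid>-<dump seq>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(r"(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump_name(resource: str) -> Tuple[int, int, int, int]:
    """Return (pid, sequence, start, end) from a memory-dump resource name."""
    m = _DUMP.search(resource)
    if not m:
        raise ValueError(f"not a memory dump resource: {resource}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def yara_hits_by_pid(dumps) -> Dict[int, List[Tuple[str, int, int]]]:
    """Group rule hits as pid -> [(rule, start, end), ...]."""
    hits: Dict[int, List[Tuple[str, int, int]]] = defaultdict(list)
    for resource, rule in dumps:
        pid, _seq, start, end = parse_dump_name(resource)
        hits[pid].append((rule, start, end))
    return dict(hits)


def injection_pairs(calls, procs) -> List[dict]:
    """Pairs where the caller both wrote the target's memory and reset one of
    its thread contexts. A parent writing a freshly created child a few times
    is ordinary process start-up and is deliberately not flagged."""
    per_pair: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for caller, api, target, n in calls:
        per_pair[(caller, target)][api] += n
    out = []
    for (caller, target), apis in per_pair.items():
        if "SetThreadContext" not in apis or "WriteProcessMemory" not in apis:
            continue
        parent, image = procs[target]
        out.append({
            "caller": caller,
            "target": target,
            "target_is_child": parent == caller,
            # basename comparison: the report shows the same binary launched
            # from two directories (Roaming\EdgeCP vs Local\Temp)
            "same_image": image.lower() == procs[caller][1].lower(),
            "writes": apis["WriteProcessMemory"],
        })
    return sorted(out, key=lambda r: (r["caller"], r["target"]))


def hollowing_report(calls, procs, dumps) -> List[dict]:
    """Attach YARA memory hits to each injection pair; a family rule matching
    inside the target after SetThreadContext is the unpacked payload."""
    hits = yara_hits_by_pid(dumps)
    report = []
    for pair in injection_pairs(calls, procs):
        pair = dict(pair)
        target_hits = hits.get(pair["target"], [])
        pair["yara"] = [rule for rule, _s, _e in target_hits]
        pair["regions"] = sorted({(s, e) for _r, s, e in target_hits})
        report.append(pair)
    return report


if __name__ == "__main__":
    for row in hollowing_report(API_CALLS, PROCS, YARA_DUMPS):
        print(row)
```

Running it yields two pairs, 1924 into 308 and 300 into 1220, each a parent writing its own child ten times and resetting a thread context, with the diamondfox rule matching in the child's 0x400000-0x436000 image region; the four-write pairs (WScript, PowerShell, the normally started copy) drop out.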
Processes
- C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe (PID 1924, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 532, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1076, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe (PID 308, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (PID 300, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WScript.exe (PID 1260, depth 4)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1912, depth 5)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe (PID 1220, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (PID 1992, depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
          Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1108, depth 5)
          Command line: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 608, depth 3)
      Command line: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe' -Force -Recurse
      Signatures: Deletes itself; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Reading the tree:
- The chain runs twice: the loader (1924) and the dropped copy (300) each run the same VBS, hollow a second instance of their own binary (308, 1220; note the unquoted command line that is just the image path) and have a PowerShell child delete the file they were started from after a ten-second sleep. The dropped copy is written to %APPDATA%\EdgeCP\MicrosoftEdgeCPS.exe; this section shows no registry or scheduled-task entry for it, so do not infer a persistence mechanism from the tree alone.
- Every command line names C:\Windows\System32, but every image is under C:\Windows\SysWOW64: the sample is 32-bit and WOW64 file-system redirection substitutes the 32-bit script host and PowerShell. A detection keyed on the full System32 image path misses this chain; match on the basename.
- _Cfmkewr.vbs does one thing, add a Defender exclusion for the whole of C:\ (plus a chrome.exe path under Start Menu\Programs\chrome that no process in this run is started from). A drive-root exclusion disables on-access scanning for everything that follows. The Defender PowerShell module that provides Add-MpPreference is documented for Windows 8.1 and later, so on the Windows 7 image used for behavioral1 expect the call to have had no effect; it matters on the win10v2004 task, whose results are not in this section.
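Three of the behaviours in the tree are cheap to detect from process-creation telemetry: Add-MpPreference excluding a drive root, a script host spawning PowerShell, and PowerShell that sleeps and then force-deletes the file its parent is running from. The following is an added example (not part of the report) that builds process-creation events from the command lines above and runs those rules over them. The events, the Sysmon-style field names (Image, CommandLine, ParentImage, ProcessId, ParentProcessId) and the benign control event are constructed assumptions about the log source.

```python
"""Process-creation detection rules for the behaviour in the tree above.

The events are constructed from the process tree (they are not sandbox
output); the field names follow Sysmon Event ID 1 / process-creation
telemetry and are an assumption about what the log source provides.
"""
import re
from typing import Callable, Dict, List

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
DROPPED = TEMP + r"\MicrosoftEdgeCPS.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EXCLUSION = ("Add-MpPreference -ExclusionPath C:\\,"
             "'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrome\\chrome.exe'")


def event(pid: int, ppid: int, image: str, cmdline: str, parent_image: str) -> Dict[str, object]:
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "CommandLine": cmdline, "ParentImage": parent_image}


EVENTS = [
    event(532, 1924, WSCRIPT, '"C:\\Windows\\System32\\WScript.exe" "' + TEMP + '\\_Cfmkewr.vbs"', SAMPLE),
    event(1076, 532, POWERSHELL, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ' + EXCLUSION, WSCRIPT),
    event(308, 1924, SAMPLE, SAMPLE, SAMPLE),
    event(608, 308, POWERSHELL, "\"powershell\" Start-Sleep -s 10; Remove-Item -Path '" + SAMPLE + "' -Force -Recurse", SAMPLE),
    event(1108, 1220, POWERSHELL, "\"powershell\" Start-Sleep -s 10; Remove-Item -Path '" + DROPPED + "' -Force -Recurse", DROPPED),
    # constructed benign control: an administrator excluding one build folder from Explorer
    event(4242, 4000, POWERSHELL, "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Build\\cache'", r"C:\Windows\explorer.exe"),
]

_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# argument list after -ExclusionPath, up to the next parameter, a ';' or end of line
_EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+(.+?)(?=\s+-[A-Za-z]|\s*;|$)", re.I)
_REMOVE_ITEM = re.compile(r"Remove-Item\s+(?:-Path\s+)?['\"]([^'\"]+)['\"]", re.I)


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _exclusion_paths(cmdline: str) -> List[str]:
    """Paths passed to Add-MpPreference -ExclusionPath (comma separated, optionally quoted).
    Paths containing a comma would need the PowerShell tokenizer; not handled here."""
    if "add-mppreference" not in cmdline.lower():
        return []
    m = _EXCLUSION_ARG.search(cmdline)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def rule_defender_drive_root_exclusion(e: Dict[str, object]) -> bool:
    """Excluding a drive root from Defender disables on-access scanning below it."""
    return any(_DRIVE_ROOT.match(p) for p in _exclusion_paths(str(e["CommandLine"])))


def rule_script_host_spawns_powershell(e: Dict[str, object]) -> bool:
    """Compare basenames: under WOW64 the image is SysWOW64 while the command line says System32."""
    return (_basename(e["ParentImage"]) in {"wscript.exe", "cscript.exe"}
            and _basename(e["Image"]) == "powershell.exe")


def rule_delayed_parent_deletion(e: Dict[str, object]) -> bool:
    """PowerShell that sleeps, then force-removes the file its parent is running from."""
    cmd = str(e["CommandLine"])
    lowered = cmd.lower()
    if "start-sleep" not in lowered or "remove-item" not in lowered or "-force" not in lowered:
        return False
    m = _REMOVE_ITEM.search(cmd)
    return bool(m) and m.group(1).lower() == str(e["ParentImage"]).lower()


RULES: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "defender_drive_root_exclusion": rule_defender_drive_root_exclusion,
    "script_host_spawns_powershell": rule_script_host_spawns_powershell,
    "delayed_parent_deletion": rule_delayed_parent_deletion,
}


def evaluate(events) -> Dict[int, List[str]]:
    """Map each process id to the names of the rules it triggered (hits only)."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e)]
        if fired:
            hits[int(e["ProcessId"])] = fired
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

On these events PID 1076 trips both the drive-root exclusion and the WScript-to-PowerShell rule, PIDs 608 and 1108 trip the delayed self-deletion rule, and the benign single-folder exclusion from Explorer trips nothing. The third rule compares the removed path with the parent's image rather than looking for Remove-Item alone, which is what keeps ordinary clean-up scripts out of the alert queue.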