Analysis
-
max time kernel
91s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
27-03-2022 16:32
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win10v2004-en-20220113
General
-
Target
new.exe
-
Size
204KB
-
MD5
8a40b88f514ef21f74052d22e2d98750
-
SHA1
524e636f22bb8a5c2f7947727d5f91dd3dd05972
-
SHA256
ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
-
SHA512
cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
resource yara_rule behavioral1/memory/3864-130-0x0000000000400000-0x0000000000437000-memory.dmp diamondfox behavioral1/files/0x000500000001e7cd-132.dat diamondfox behavioral1/files/0x000500000001e7cd-133.dat diamondfox behavioral1/memory/1364-137-0x0000000000400000-0x0000000000437000-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 1364 MicrosoftEdgeCPS.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1568 powershell.exe 1568 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1568 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3864 wrote to memory of 1364 3864 new.exe 83 PID 3864 wrote to memory of 1364 3864 new.exe 83 PID 3864 wrote to memory of 1364 3864 new.exe 83 PID 1364 wrote to memory of 1568 1364 MicrosoftEdgeCPS.exe 84 PID 1364 wrote to memory of 1568 1364 MicrosoftEdgeCPS.exe 84 PID 1364 wrote to memory of 1568 1364 MicrosoftEdgeCPS.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD58a40b88f514ef21f74052d22e2d98750
SHA1524e636f22bb8a5c2f7947727d5f91dd3dd05972
SHA256ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
SHA512cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215
-
Filesize
204KB
MD58a40b88f514ef21f74052d22e2d98750
SHA1524e636f22bb8a5c2f7947727d5f91dd3dd05972
SHA256ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
SHA512cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215