Analysis
-
max time kernel
132s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
27-03-2022 16:18
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win10v2004-20220310-en
General
-
Target
new.exe
-
Size
204KB
-
MD5
8a40b88f514ef21f74052d22e2d98750
-
SHA1
524e636f22bb8a5c2f7947727d5f91dd3dd05972
-
SHA256
ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
-
SHA512
cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
-
resource yara_rule behavioral1/memory/1964-134-0x0000000000400000-0x0000000000437000-memory.dmp diamondfox behavioral1/files/0x000300000002060e-136.dat diamondfox behavioral1/files/0x000300000002060e-137.dat diamondfox behavioral1/memory/1228-138-0x0000000000400000-0x0000000000437000-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 1228 MicrosoftEdgeCPS.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1768 powershell.exe 1768 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1768 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1964 wrote to memory of 1228 1964 new.exe 85 PID 1964 wrote to memory of 1228 1964 new.exe 85 PID 1964 wrote to memory of 1228 1964 new.exe 85 PID 1228 wrote to memory of 1768 1228 MicrosoftEdgeCPS.exe 86 PID 1228 wrote to memory of 1768 1228 MicrosoftEdgeCPS.exe 86 PID 1228 wrote to memory of 1768 1228 MicrosoftEdgeCPS.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD58a40b88f514ef21f74052d22e2d98750
SHA1524e636f22bb8a5c2f7947727d5f91dd3dd05972
SHA256ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
SHA512cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215
-
Filesize
204KB
MD58a40b88f514ef21f74052d22e2d98750
SHA1524e636f22bb8a5c2f7947727d5f91dd3dd05972
SHA256ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
SHA512cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215