Analysis Overview
SHA256
99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
Threat Level: Known bad
The file 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:41
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win10v2004-20220812-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe
"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1336
Network
| Country | Destination | Domain | Proto |
| N/A | 95.101.78.106:80 | | tcp |
| N/A | 185.193.88.150:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.44.10.122:443 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/4808-132-0x0000000000BA7000-0x0000000000BC5000-memory.dmp
memory/4808-133-0x0000000000950000-0x0000000000983000-memory.dmp
memory/4808-134-0x0000000000400000-0x000000000083B000-memory.dmp
memory/1428-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
memory/1428-138-0x0000000000906000-0x0000000000924000-memory.dmp
memory/1428-139-0x0000000000400000-0x000000000083B000-memory.dmp
memory/4808-140-0x0000000000BA7000-0x0000000000BC5000-memory.dmp
memory/1428-141-0x0000000000906000-0x0000000000924000-memory.dmp
memory/1428-142-0x0000000000906000-0x0000000000924000-memory.dmp
memory/1428-143-0x0000000000400000-0x000000000083B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win7-20220901-en
Max time kernel
91s
Max time network
52s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1496 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1496 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1496 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1496 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
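In both detonations the sample (PID 1496 here, PID 4808 in behavioral2) writes repeatedly into the process started from the copy it dropped under AppData\Roaming\EdgeCP, while the only other cross-process writers on this page are the WerFault.exe crash handlers in behavioral2. The Python below is an added example, not part of the sandbox report: it turns the "PID X wrote to memory of Y" rows plus the process list into a triage check that reports such writes into a dropped binary and ignores crash reporting. The WerFault allow-list, the user-writable path test and the control row with PID 5555 are assumptions, not data from the report.

```python
"""Triage sandbox 'wrote to memory of' rows: injection into a dropped copy versus crash-reporting noise."""
import re
from collections import Counter

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Parent images that write into other processes as part of normal crash handling (allow-list; assumption).
BENIGN_WRITERS = {"werfault.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

# Copied from the report: signature rows and PID -> image from the Processes list of each run.
B2_ROWS = ["PID 4808 wrote to memory of 1428"] * 3
B2_PROCESSES = {4808: SAMPLE, 1428: COPY}
B1_ROWS = ["PID 1496 wrote to memory of 276"] * 4
B1_PROCESSES = {1496: SAMPLE, 276: COPY}
DROPPED = {COPY}  # the path listed under "Executes dropped EXE"

# Constructed control case, not from the report: a WerFault instance writing into the crashed copy.
CONTROL_ROWS = ["PID 5555 wrote to memory of 1428"]
CONTROL_PROCESSES = {5555: r"C:\Windows\SysWOW64\WerFault.exe", 1428: COPY}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """True for locations a standard user can write to without elevation (assumption)."""
    low = path.lower()
    return "\\appdata\\" in low or "\\users\\public\\" in low


def find_injection(rows, processes, dropped):
    """One finding per (writer, target) pair where a non-benign writer writes into a dropped binary."""
    pairs = Counter()
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    findings = []
    for (src, dst), writes in pairs.items():
        src_img, dst_img = processes.get(src, ""), processes.get(dst, "")
        if src == dst or basename(src_img) in BENIGN_WRITERS:
            continue  # self-writes and crash reporting are not injection
        if dst_img not in dropped:
            continue  # restrict to targets the sandbox saw being dropped
        findings.append({
            "writer": src,
            "target": dst,
            "writes": writes,
            "writer_image": src_img,
            "target_image": dst_img,
            "target_user_writable": user_writable(dst_img),
        })
    return findings


if __name__ == "__main__":
    for label, rows, procs in (("behavioral1", B1_ROWS, B1_PROCESSES),
                               ("behavioral2", B2_ROWS, B2_PROCESSES),
                               ("control", CONTROL_ROWS, CONTROL_PROCESSES)):
        print(label, find_injection(rows, procs, DROPPED))
```

The repeated identical rows collapse into a single finding with a write count, which is what a detection should emit; the WerFault control row is dropped by the allow-list alone, since its target is the same dropped copy that the real finding reports.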
Processes
C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe
"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.193.88.150:80 | | tcp |
| N/A | 185.193.88.150:80 | | tcp |
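This table and the larger one in behavioral2 mix the sample's own connections with sandbox background traffic: the 8.8.8.8:53 rows in behavioral2 are the resolver answering reverse (PTR) lookups, and the only endpoint reached in both detonations is 185.193.88.150:80. The Python below is an added example, not part of the report: it parses the rows as copied from both tables, decodes the in-addr.arpa and ip6.arpa names back into the addresses being looked up, counts repeated connections, and intersects the two runs to surface shared endpoints. The tuple layout of the rows is an assumption about how the table is fed in.

```python
"""Extract network IOCs from two detonation runs, decode PTR names, and find endpoints common to both."""
import ipaddress
from collections import Counter

# (destination, domain, proto) triples copied from the Network tables of each run;
# domain is empty for direct connections. The layout is an assumption, the values are the report's.
BEHAVIORAL2 = [
    ("95.101.78.106:80", "", "tcp"),
    ("185.193.88.150:80", "", "tcp"),
    ("93.184.220.29:80", "", "tcp"),
    ("20.44.10.122:443", "", "tcp"),
    ("104.110.191.133:80", "", "tcp"),
    ("104.110.191.133:80", "", "tcp"),
    ("104.110.191.133:80", "", "tcp"),
    ("8.8.8.8:53", "176.122.125.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa", "udp"),
    ("104.80.225.205:443", "", "tcp"),
]
BEHAVIORAL1 = [
    ("185.193.88.150:80", "", "tcp"),
    ("185.193.88.150:80", "", "tcp"),
]


def decode_ptr_name(name):
    """Turn a reverse-lookup name back into the address being looked up; None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # IPv4: four octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # IPv6: 32 nibbles in reverse order, regrouped into eight 16-bit groups
        nibbles = "".join(reversed(labels[:32]))
        groups = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
        return str(ipaddress.IPv6Address(groups))
    return None


def extract(rows):
    """Return (endpoint -> connection count, list of DNS lookups with decoded PTR targets)."""
    endpoints = Counter()
    lookups = []
    for dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if domain:
            # resolver traffic: record what was asked, not the resolver itself
            lookups.append({"resolver": host, "name": domain, "target": decode_ptr_name(domain)})
        else:
            endpoints[(host, int(port), proto)] += 1
    return endpoints, lookups


def shared_endpoints(*runs):
    """Endpoints contacted in every run: the best candidates for the sample's own infrastructure."""
    return set.intersection(*(set(extract(r)[0]) for r in runs))


if __name__ == "__main__":
    ep, lk = extract(BEHAVIORAL2)
    for key, n in sorted(ep.items()):
        print(f"{key[0]}:{key[1]}/{key[2]} x{n}")
    for entry in lk:
        print(f"PTR {entry['name']} -> {entry['target']}")
    print("shared:", shared_endpoints(BEHAVIORAL1, BEHAVIORAL2))
```

Decoding the PTR names is what makes the two DNS rows usable: they are not lookups of the sample's domains but reverse lookups of 40.125.122.176 and 2603:1020:2:3::99, which should be attributed before anything from this table is promoted to an indicator.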
Files
memory/1496-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
memory/1496-56-0x0000000000840000-0x0000000000873000-memory.dmp
memory/1496-55-0x00000000002AA000-0x00000000002C8000-memory.dmp
memory/1496-57-0x0000000000400000-0x000000000083B000-memory.dmp
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
memory/276-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
memory/1496-62-0x00000000002AA000-0x00000000002C8000-memory.dmp
memory/276-64-0x00000000009EA000-0x0000000000A08000-memory.dmp
memory/276-65-0x0000000000400000-0x000000000083B000-memory.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | 16ee0affd90564a4bc174144b100af1b |
| SHA1 | 218c7b919ce938ab78afa6979895250f1f1cdea8 |
| SHA256 | 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a |
| SHA512 | 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3 |
memory/276-68-0x00000000009EA000-0x0000000000A08000-memory.dmp
memory/276-69-0x0000000000400000-0x000000000083B000-memory.dmp
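Every dropped-file record in this run and in behavioral2 carries exactly the digests of the submitted sample (compare the SHA256 with the one at the top of the report), so the binary copies itself unchanged into AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe and runs from there. The Python below is an added example, not part of the report: it validates the digest fields of such records, flags records whose SHA256 equals the sample's (a self-copy), applies a path heuristic for a Microsoft-looking executable name in a user profile directory, and computes the same four digests for file contents so a suspect file pulled from a host can be compared with the record. The trusted-root list, the heuristic and the constructed byte string are assumptions.

```python
"""Compare dropped-file records from a sandbox report with the submitted sample and with files on disk."""
import hashlib
from pathlib import PureWindowsPath

SAMPLE_SHA256 = "99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a"

# One dropped-file record as listed in the Files sections above (both runs list the same values).
REPORT_RECORDS = [{
    "path": r"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe",
    "md5": "16ee0affd90564a4bc174144b100af1b",
    "sha1": "218c7b919ce938ab78afa6979895250f1f1cdea8",
    "sha256": "99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a",
    "sha512": "856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3",
}]

DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Where an executable carrying a Microsoft product name is expected to live (assumption used by the heuristic).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def digests(data: bytes) -> dict:
    """The four digests the report lists, computed for file contents held in memory."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_LENGTHS}


def well_formed(record: dict) -> bool:
    """Reject records whose digest fields were truncated or garbled during extraction."""
    for name, length in DIGEST_LENGTHS.items():
        value = record.get(name, "").lower()
        if len(value) != length or any(c not in "0123456789abcdef" for c in value):
            return False
    return True


def matching_digests(record: dict, computed: dict) -> list:
    """Names of the digests on which a local file agrees with the report record."""
    return [n for n in DIGEST_LENGTHS if record.get(n, "").lower() == computed[n]]


def is_self_copy(record: dict, sample_sha256: str) -> bool:
    return record["sha256"].lower() == sample_sha256.lower()


def masquerade_reasons(path: str) -> list:
    """Heuristic (assumption): a Microsoft-named .exe under a user profile is worth a second look."""
    p = PureWindowsPath(path)
    low = str(p).lower()
    reasons = []
    if p.name.lower().startswith("microsoft") and not low.startswith(TRUSTED_ROOTS):
        reasons.append("Microsoft-named executable outside Windows/Program Files")
    if "\\appdata\\roaming\\" in low and p.suffix.lower() == ".exe":
        reasons.append("executable under a roaming profile directory")
    return reasons


def triage(records, sample_sha256):
    return [{
        "path": r["path"],
        "well_formed": well_formed(r),
        "self_copy": is_self_copy(r, sample_sha256),
        "masquerade": masquerade_reasons(r["path"]),
    } for r in records]


if __name__ == "__main__":
    # Constructed stand-in for a file collected from a host; it is not the real sample.
    local = digests(b"constructed placeholder bytes, not the real binary")
    for verdict in triage(REPORT_RECORDS, SAMPLE_SHA256):
        print(verdict)
    print("digests agreeing with the report:", matching_digests(REPORT_RECORDS[0], local))
```

On a host, read the suspect file in binary mode, pass the bytes to `digests`, and require all four names back from `matching_digests` before calling it the same file; a record that fails `well_formed` should be re-extracted rather than matched on the digests that did survive.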