Analysis Overview
SHA256
c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
Threat Level: Known bad
The file c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win7-20220901-en
Max time kernel
87s
Max time network
53s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1300 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1300 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1300 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 1300 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe
"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.193.88.150:80 | N/A | tcp |
| N/A | 185.193.88.150:80 | N/A | tcp |
Files
memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
memory/1300-55-0x000000000094A000-0x0000000000968000-memory.dmp
memory/1300-56-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1300-57-0x0000000000400000-0x000000000083B000-memory.dmp
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
memory/980-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
memory/1300-62-0x000000000094A000-0x0000000000968000-memory.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
memory/980-64-0x000000000094A000-0x0000000000968000-memory.dmp
memory/980-65-0x0000000000400000-0x000000000083B000-memory.dmp
memory/980-66-0x000000000094A000-0x0000000000968000-memory.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
memory/980-69-0x000000000094A000-0x0000000000968000-memory.dmp
memory/980-70-0x0000000000400000-0x000000000083B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4636 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4636 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4636 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe
"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4408 -ip 4408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1352
Network
| Country | Destination | Domain | Proto |
| N/A | 185.193.88.150:80 | N/A | tcp |
| N/A | 52.168.117.170:443 | N/A | tcp |
| N/A | 8.252.51.254:80 | N/A | tcp |
| N/A | 8.253.183.120:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 13.107.21.200:443 | N/A | tcp |
Files
memory/4636-132-0x0000000000AC7000-0x0000000000AE5000-memory.dmp
memory/4636-133-0x0000000000CB0000-0x0000000000CE3000-memory.dmp
memory/4636-134-0x0000000000400000-0x000000000083B000-memory.dmp
memory/4408-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f792fde5cbdc10687e9858778866e89d |
| SHA1 | 9e3ec7dbc7b14607fbd9308f66307a36a41024db |
| SHA256 | c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 |
| SHA512 | bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475 |
memory/4408-138-0x0000000000936000-0x0000000000954000-memory.dmp
memory/4408-139-0x0000000000400000-0x000000000083B000-memory.dmp
memory/4636-140-0x0000000000AC7000-0x0000000000AE5000-memory.dmp
memory/4408-141-0x0000000000936000-0x0000000000954000-memory.dmp
memory/4408-142-0x0000000000936000-0x0000000000954000-memory.dmp
memory/4408-143-0x0000000000400000-0x000000000083B000-memory.dmp