Analysis Overview
SHA256
0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
Threat Level: Known bad
The file 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474 was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Executes dropped EXE
Loads dropped DLL
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win7-20220812-en
Max time kernel
85s
Max time network
46s
Command Line
Signatures
DiamondFox
DiamondFox payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 580 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 580 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 580 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 580 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe
"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 176.111.174.247:80 | N/A | tcp |
| N/A | 176.111.174.247:80 | N/A | tcp |
Files
memory/580-54-0x0000000002BA8000-0x0000000002BC6000-memory.dmp
memory/580-55-0x0000000075931000-0x0000000075933000-memory.dmp
memory/580-56-0x0000000002BA8000-0x0000000002BC6000-memory.dmp
memory/580-57-0x00000000002C0000-0x00000000002F3000-memory.dmp
memory/580-58-0x0000000000400000-0x0000000002AF4000-memory.dmp
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f496c839f762140fc275be29a1307efe |
| SHA1 | b60b56caef87f24d07db7313d2e90011b662cb68 |
| SHA256 | 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474 |
| SHA512 | 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068 |
memory/996-61-0x0000000000000000-mapping.dmp
memory/580-63-0x0000000002BA8000-0x0000000002BC6000-memory.dmp
memory/996-64-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-66-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-67-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/996-68-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-71-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-72-0x0000000000400000-0x0000000002AF4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:41
Reported
2023-01-29 19:43
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
DiamondFox
DiamondFox payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4344 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
| PID 4344 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe | C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe
"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 632 -ip 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1336
Network
| Country | Destination | Domain | Proto |
| N/A | 176.111.174.247:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 20.42.73.25:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
Files
memory/4344-132-0x0000000002DA3000-0x0000000002DC1000-memory.dmp
memory/4344-133-0x00000000001C0000-0x00000000001F3000-memory.dmp
memory/4344-134-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/632-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
| MD5 | f496c839f762140fc275be29a1307efe |
| SHA1 | b60b56caef87f24d07db7313d2e90011b662cb68 |
| SHA256 | 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474 |
| SHA512 | 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068 |
memory/632-138-0x0000000002B82000-0x0000000002BA0000-memory.dmp
memory/632-139-0x0000000002B00000-0x0000000002B33000-memory.dmp
memory/632-140-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/4344-141-0x0000000002DA3000-0x0000000002DC1000-memory.dmp
memory/632-142-0x0000000002B82000-0x0000000002BA0000-memory.dmp
memory/632-143-0x0000000000400000-0x0000000002AF4000-memory.dmp