Analysis
-
max time kernel
30s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23-03-2023 02:18
Behavioral task
behavioral1
Sample
040.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
040.exe
Resource
win10v2004-20230220-en
General
-
Target
040.exe
-
Size
212KB
-
MD5
433d77782664455b950e1508c0787f1a
-
SHA1
181103f2b8dd9a8bf954f22670f08c7193cb8e8f
-
SHA256
e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
-
SHA512
5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
-
SSDEEP
6144:BOHeBWJdskGtgUSxE916KEqYmFjvTBi9g6l:BO+B4it8xokZmFjvToKA
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
resource yara_rule behavioral2/files/0x0004000000000737-136.dat diamondfox behavioral2/files/0x0004000000000737-137.dat diamondfox -
Executes dropped EXE 1 IoCs
pid Process 3216 MicrosoftEdgeCPS.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 980 powershell.exe 980 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 980 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2052 wrote to memory of 3216 2052 040.exe 88 PID 2052 wrote to memory of 3216 2052 040.exe 88 PID 2052 wrote to memory of 3216 2052 040.exe 88 PID 3216 wrote to memory of 980 3216 MicrosoftEdgeCPS.exe 89 PID 3216 wrote to memory of 980 3216 MicrosoftEdgeCPS.exe 89 PID 3216 wrote to memory of 980 3216 MicrosoftEdgeCPS.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\040.exe"C:\Users\Admin\AppData\Local\Temp\040.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
212KB
MD5433d77782664455b950e1508c0787f1a
SHA1181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA5125c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
-
Filesize
212KB
MD5433d77782664455b950e1508c0787f1a
SHA1181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA5125c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390