popup

Report - microsoftedgecps.exe

email stealer PSW Bot LokiBot ZeusBot Antivirus Steal credential ScreenShot Escalate priviledges Code injection KeyLogger AntiDebug AntiVM PE32 PE File JPEG Format GIF Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.29 13:58 Machine s1_win7_x6401
Filename microsoftedgecps.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
11
 Behavior Score
23.6
ZERO API file : clean
VT API (file) 43 detected (AIDetect, malware2, malicious, high confidence, Fugrafa, Unsafe, Save, Rbot, Eldorado, Attribute, HighConfidence, ACSB, Snojan, ctjj, SpyEyes, iukpuu, TrojanX, Diamondfox, CLASSIC, Swizzor, AGEN, ASMalwS, Zbot, score, GenericRXOV, ai score=84, BScope, Static AI, Malicious PE, ZexaF, mqW@aS, FA6g, GdSda, confidence, susgen)
md5 b2600237508f0a8e5ca2c5c80018eaca
sha256 f0d5d648196be621082563732760402a0d8bb78629f0beb6b2e5386ed53a5976
ssdeep 6144:SnSNM0tFUkfgEYxE91e/QkqCh+FjvTBir+:SSN3zgpxooF3h+FjvTo6
imphash 8316bcd12417e59032ab566efaeaa8d5
impfuzzy 48:UMwtgGonqdAzE7UJtX76Ncp55V9O4GEdDI27t1CFD456wSZQHY/ega/1P3sqKtSQ:BwWFqdAzEQX76NcpHjPG0DIq3Xx3KK4
  Network IP location

Signature (51cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process microsoftedgecps.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (24cnts)

Level Name Description Collection
warning infoStealer_emailClients_Zero email clients info stealer memory
watch Antivirus Contains references to security software binaries (download)
watch Antivirus Contains references to security software binaries (upload)
watch PWS_CnC_memory_Zero Communications PWS network memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Escalate_priviledges Escalate priviledges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vba (no description) memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (32cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://diamond.serivice.com/panel/files/1624810178_ConsoleApp14.exe
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?f27=7723E01305C6
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpb=18
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpb=14
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpb=12
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?lpc=18
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=22
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?ct=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?lp=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=12
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?pcn=22
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=4
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=3
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=2
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=18
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 mailcious
http://diamond.serivice.com/panel/gate.php?pl=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpb=22
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?gpp=14
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?lpc=12
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?p=4
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?p=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?p=2
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?p=3
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?pcn=14
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?pcn=12
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?pcn=18
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
http://diamond.serivice.com/panel/gate.php?prf=1
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 clean
diamond.serivice.com
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 mailcious
34.227.13.244
whois
US AMAZON-AES 34.227.13.244 mailcious
195.133.40.146
whois
RU SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. 195.133.40.146 mailcious

Suricata ids

ET MALWARE Generic gate[.].php GET with minimal headers
ET HUNTING Suspicious GET To gate.php with no Referer
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET MALWARE DiamondFox HTTP Post CnC Checkin M3
ET POLICY PE EXE or DLL Windows file download HTTP

PE API

IAT(Import Address Table) Library

MSVCRT.dll
 0x433870 memset
 0x433874 memcpy
 0x433878 wcslen
 0x43387c wcscpy
 0x433880 wcscat
 0x433884 wcscmp
 0x433888 memmove
 0x43388c wcschr
 0x433890 _CIlog
 0x433894 floor
 0x433898 ceil
 0x43389c _CIpow
 0x4338a0 strstr
 0x4338a4 strlen
 0x4338a8 _strnicmp
 0x4338ac strcmp
 0x4338b0 strncpy
 0x4338b4 strcpy
 0x4338b8 sprintf
 0x4338bc _wcsicmp
 0x4338c0 tolower
 0x4338c4 wcsncpy
 0x4338c8 fabs
 0x4338cc malloc
 0x4338d0 free
 0x4338d4 fseek
 0x4338d8 ftell
 0x4338dc fread
 0x4338e0 fclose
 0x4338e4 pow
 0x4338e8 ??3@YAXPAX@Z
 0x4338ec wcsncmp
 0x4338f0 wcsstr
 0x4338f4 _wcsnicmp
 0x4338f8 _wcsdup
 0x4338fc _isnan
 0x433900 _vsnwprintf
 0x433904 cos
 0x433908 fmod
 0x43390c sin
 0x433910 abs
KERNEL32.dll
 0x433918 GetModuleHandleW
 0x43391c HeapCreate
 0x433920 CreateMutexW
 0x433924 GetLastError
 0x433928 HeapDestroy
 0x43392c ExitProcess
 0x433930 CreateToolhelp32Snapshot
 0x433934 Process32FirstW
 0x433938 Process32NextW
 0x43393c GetCurrentProcessId
 0x433940 CloseHandle
 0x433944 GetTickCount
 0x433948 LoadLibraryW
 0x43394c GetDiskFreeSpaceExW
 0x433950 GetSystemPowerStatus
 0x433954 CreateProcessW
 0x433958 GetThreadContext
 0x43395c ReadProcessMemory
 0x433960 VirtualAllocEx
 0x433964 WriteProcessMemory
 0x433968 SetThreadContext
 0x43396c ResumeThread
 0x433970 TerminateProcess
 0x433974 GetModuleFileNameW
 0x433978 VirtualFree
 0x43397c VirtualAlloc
 0x433980 FreeLibrary
 0x433984 VirtualProtect
 0x433988 IsBadReadPtr
 0x43398c EnterCriticalSection
 0x433990 LeaveCriticalSection
 0x433994 InitializeCriticalSection
 0x433998 WaitForSingleObject
 0x43399c CreateThread
 0x4339a0 GetEnvironmentVariableW
 0x4339a4 SetEnvironmentVariableW
 0x4339a8 GetCurrentProcess
 0x4339ac DuplicateHandle
 0x4339b0 CreatePipe
 0x4339b4 GetStdHandle
 0x4339b8 HeapAlloc
 0x4339bc HeapFree
 0x4339c0 PeekNamedPipe
 0x4339c4 GetEnvironmentStringsW
 0x4339c8 FreeEnvironmentStringsW
 0x4339cc ReadFile
 0x4339d0 HeapReAlloc
 0x4339d4 TlsAlloc
 0x4339d8 TlsSetValue
 0x4339dc GetCurrentThreadId
 0x4339e0 TlsGetValue
 0x4339e4 GetProcAddress
 0x4339e8 Sleep
 0x4339ec GetSystemInfo
 0x4339f0 GlobalMemoryStatusEx
 0x4339f4 GetComputerNameW
 0x4339f8 CreateDirectoryW
 0x4339fc SetFileAttributesW
 0x433a00 CopyFileW
 0x433a04 DeleteFileW
 0x433a08 GetTempPathW
 0x433a0c GetDriveTypeW
 0x433a10 FindFirstFileW
 0x433a14 FindClose
 0x433a18 GetFileAttributesW
 0x433a1c WriteFile
 0x433a20 CreateFileW
 0x433a24 SetFilePointer
 0x433a28 GetFileSize
 0x433a2c WideCharToMultiByte
 0x433a30 GetVersionExW
 0x433a34 MultiByteToWideChar
 0x433a38 HeapSize
 0x433a3c TlsFree
 0x433a40 DeleteCriticalSection
 0x433a44 InterlockedCompareExchange
 0x433a48 InterlockedExchange
 0x433a4c SetLastError
 0x433a50 UnregisterWait
 0x433a54 GetCurrentThread
 0x433a58 RegisterWaitForSingleObject
gdiplus.dll
 0x433a60 GdiplusStartup
 0x433a64 GdipCreateBitmapFromFile
 0x433a68 GdipSaveImageToFile
 0x433a6c GdipDisposeImage
 0x433a70 GdiplusShutdown
 0x433a74 GdipDeleteFont
 0x433a78 GdipDeleteGraphics
 0x433a7c GdipDeletePath
 0x433a80 GdipDeleteMatrix
 0x433a84 GdipDeletePen
 0x433a88 GdipDeleteStringFormat
 0x433a8c GdipFree
 0x433a90 GdipGetDpiX
 0x433a94 GdipGetDpiY
USER32.DLL
 0x433a9c GetSystemMetrics
 0x433aa0 GetCursorPos
 0x433aa4 GetDC
 0x433aa8 ReleaseDC
 0x433aac DestroyIcon
 0x433ab0 FillRect
 0x433ab4 CharUpperW
 0x433ab8 CharLowerW
 0x433abc GetIconInfo
 0x433ac0 DrawIconEx
GDI32.DLL
 0x433ac8 BitBlt
 0x433acc GetObjectType
 0x433ad0 DeleteObject
 0x433ad4 GetObjectW
 0x433ad8 CreateCompatibleDC
 0x433adc SelectObject
 0x433ae0 CreateSolidBrush
 0x433ae4 DeleteDC
 0x433ae8 GdiGetBatchLimit
 0x433aec GdiSetBatchLimit
 0x433af0 CreateDIBSection
 0x433af4 CreateBitmap
 0x433af8 SetPixel
 0x433afc GetStockObject
 0x433b00 GetDIBits
 0x433b04 CreateDCW
 0x433b08 GetDeviceCaps
 0x433b0c GetTextExtentPoint32W
 0x433b10 SetBkMode
 0x433b14 SetTextAlign
 0x433b18 SetBkColor
 0x433b1c SetTextColor
 0x433b20 TextOutW
 0x433b24 SetStretchBltMode
 0x433b28 SetBrushOrgEx
 0x433b2c StretchBlt
 0x433b30 CreateFontIndirectW
 0x433b34 GetTextMetricsW
 0x433b38 CreateCompatibleBitmap
 0x433b3c GetPixel
ADVAPI32.DLL
 0x433b44 RegOpenKeyExW
 0x433b48 RegCloseKey
 0x433b4c RegQueryInfoKeyW
 0x433b50 RegEnumKeyExW
 0x433b54 RegQueryValueExW
 0x433b58 GetUserNameW
SHELL32.DLL
 0x433b60 SHGetSpecialFolderLocation
 0x433b64 SHGetPathFromIDListW
 0x433b68 ShellExecuteExW
WSOCK32.DLL
 0x433b70 closesocket
 0x433b74 WSACleanup
 0x433b78 WSAStartup
WINMM.DLL
 0x433b80 timeBeginPeriod
SHLWAPI.DLL
 0x433b88 PathFileExistsW
OLE32.DLL
 0x433b90 CoInitialize
 0x433b94 CoCreateInstance
 0x433b98 CoUninitialize
 0x433b9c CoTaskMemFree
NTDLL.DLL
 0x433ba4 ZwUnmapViewOfSection
SETUPAPI.DLL
 0x433bac IsUserAdmin
URLMON.DLL
 0x433bb4 URLDownloadToFileW
WININET.DLL
 0x433bbc InternetOpenW
 0x433bc0 InternetSetOptionW
 0x433bc4 InternetConnectW
 0x433bc8 HttpOpenRequestW
 0x433bcc HttpAddRequestHeadersW
 0x433bd0 HttpSendRequestW
 0x433bd4 InternetReadFile
 0x433bd8 InternetCloseHandle
 0x433bdc InternetGetConnectedState

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure