Overview

overview

10

Static

static

SearchIndexer.exe

windows7_x64

10

SearchIndexer.exe

windows10_x64

9

Analysis

  • max time kernel
    147s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    23-07-2020 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SearchIndexer.exe

  • Size

    91KB

  • MD5

    1cc07a0274718e845c9b77f8334c4cb3

  • SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

  • SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

  • SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

Score
10/10
diamondfoxbotnetspywarestealer

Malware Config

Extracted

Family

diamondfox

C2

http://timesync.live/panel/gate.php

http://cartierxs.bit/panel/gate.php

http://salamsa.bit/panel/gate.php

http://rockababy.bit/panel/gate.php

http://minon.bit/panel/gate.php

http://bloxfox.bit/panel/gate.php

http://ggbbee.bit/panel/gate.php

http://locksock.bit/panel/gate.php

http://misosoup.bit/panel/gate.php

http://opseckes.bit/panel/gate.php

http://googletabmanager.com/panel/gate.php
Mutex

cyjJzYyDay1EfrkaW4HRyO6y4OufUKaS

xor.plain

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 11 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 6 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 68 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          4⤵
          • Executes dropped EXE
          PID:1348
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1240
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\2.log
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\3.log
          4⤵
          • Executes dropped EXE
          PID:1640
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\4.log
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a1733a9-c78a-41f9-ba49-7e78bc3e775b
    MD5

    597009ea0430a463753e0f5b1d1a249e

    SHA1

    4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

    SHA256

    3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

    SHA512

    5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596
    MD5

    b6d38f250ccc9003dd70efd3b778117f

    SHA1

    d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

    SHA256

    4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

    SHA512

    67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7
    MD5

    02ff38ac870de39782aeee04d7b48231

    SHA1

    0390d39fa216c9b0ecdb38238304e518fb2b5095

    SHA256

    fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

    SHA512

    24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_638d71a9-5345-4c51-851c-72a6822e822b
    MD5

    a725bb9fafcf91f3c6b7861a2bde6db2

    SHA1

    8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

    SHA256

    51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

    SHA512

    1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf
    MD5

    df44874327d79bd75e4264cb8dc01811

    SHA1

    1396b06debed65ea93c24998d244edebd3c0209d

    SHA256

    55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

    SHA512

    95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29
    MD5

    5e3c7184a75d42dda1a83606a45001d8

    SHA1

    94ca15637721d88f30eb4b6220b805c5be0360ed

    SHA256

    8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

    SHA512

    fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693
    MD5

    75a8da7754349b38d64c87c938545b1b

    SHA1

    5c28c257d51f1c1587e29164cc03ea880c21b417

    SHA256

    bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

    SHA512

    798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef
    MD5

    be4d72095faf84233ac17b94744f7084

    SHA1

    cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

    SHA256

    b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

    SHA512

    43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    79a0a99d5f68d81b9d768111a29335c8

    SHA1

    a8c63e1b365c4d8fe25893dafdb4284b0a3b7fb0

    SHA256

    c95cca17119c1c775ac191cf532f0226fe3ac8617458a038ce6b8148768a97e0

    SHA512

    13e5741fc12664b8004c339708901536e728c2b7aac2612f6033096b3bd2ff996ffddc41077a37fe785a8ee9787cf3e46190ea4ba1f029679281dc992b9af01b

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\1.log
    MD5

    4f7d90f045ae07792fb8d76bce925854

    SHA1

    c39b2866368f2c88c1865aa5577792bd2fb8bfe5

    SHA256

    df74b997137fec63589828cafa9df9bfe272b330ffb8743fa4db79096a0fdc34

    SHA512

    4ce48987acf465b7064d0162449eaf929b1e80dc760fe2da72e2841754a34536be5b2c17ade17d58e76c31bc9fdd6540820191395b9399287aabf4007274ae71

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    0a962bf962b0e3c753e89037b37e0b01

    SHA1

    7de721f9c56df4ac31946eaa8497a60a62cd8292

    SHA256

    e323bea4032f07056a44b6433b7880fa192914036e38c1e8978737685e7d5384

    SHA512

    5253db127a4bee4550e8b560d4d54132eab9f92db9af32d4d696592491268bfd8c74fdf999943a1db28d6128e1f79fa774317b0ddf0765f6637c728fa58d6596

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    0a962bf962b0e3c753e89037b37e0b01

    SHA1

    7de721f9c56df4ac31946eaa8497a60a62cd8292

    SHA256

    e323bea4032f07056a44b6433b7880fa192914036e38c1e8978737685e7d5384

    SHA512

    5253db127a4bee4550e8b560d4d54132eab9f92db9af32d4d696592491268bfd8c74fdf999943a1db28d6128e1f79fa774317b0ddf0765f6637c728fa58d6596

    Download Submit
  • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    MD5

    1cc07a0274718e845c9b77f8334c4cb3

    SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

    SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

    SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

    Download Submit
  • memory/832-29-0x0000000000000000-mapping.dmp
    Download
  • memory/1240-38-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/1240-41-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/1240-39-0x0000000000447D8A-mapping.dmp
    Download
  • memory/1348-34-0x00000000004014B0-mapping.dmp
    Download
  • memory/1348-36-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1348-33-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1348-37-0x0000000000360000-0x0000000000393000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1468-6-0x0000000006260000-0x0000000006270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1468-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1564-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1588-51-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1588-55-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1588-54-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1588-52-0x00000000004068E0-mapping.dmp
    Download
  • memory/1640-47-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1640-50-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1640-48-0x000000000041211A-mapping.dmp
    Download
  • memory/1828-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-46-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1888-44-0x0000000000413E10-mapping.dmp
    Download
  • memory/1888-43-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download