Overview

overview

10

Static

static

10

SearchIndexer.exe

windows7_x64

10

SearchIndexer.exe

windows10_x64

10

Resubmissions

19-09-2021 03:58

210919-ejryxachcm 10

19-09-2021 01:27

210919-bvbjhscgel 10

19-09-2021 01:24

210919-bsvvdaaba9 10

12-08-2020 13:47

200812-vc8ftkz17s 10

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    12-08-2020 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SearchIndexer.exe

  • Size

    91KB

  • MD5

    1cc07a0274718e845c9b77f8334c4cb3

  • SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

  • SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

  • SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

Score
10/10
spywarebotnetstealerdiamondfox

Malware Config

Extracted

Family

diamondfox

C2

http://timesync.live/panel/gate.php

http://cartierxs.bit/panel/gate.php

http://salamsa.bit/panel/gate.php

http://rockababy.bit/panel/gate.php

http://minon.bit/panel/gate.php

http://bloxfox.bit/panel/gate.php

http://ggbbee.bit/panel/gate.php

http://locksock.bit/panel/gate.php

http://misosoup.bit/panel/gate.php

http://opseckes.bit/panel/gate.php

http://googletabmanager.com/panel/gate.php
Mutex

cyjJzYyDay1EfrkaW4HRyO6y4OufUKaS

xor.plain

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • Executes dropped EXE 5 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1072
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          4⤵
          • Executes dropped EXE
          PID:1808
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1236
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\2.log
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\3.log
          4⤵
          • Executes dropped EXE
          PID:1380
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\4.log
          4⤵
            PID:1336

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a1733a9-c78a-41f9-ba49-7e78bc3e775b
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_638d71a9-5345-4c51-851c-72a6822e822b
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\1.log
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Download Submit

    • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      Download Submit

    • memory/984-5-0x0000000004890000-0x0000000004891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-6-0x0000000002580000-0x0000000002581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-2-0x0000000000000000-mapping.dmp

      Download

    • memory/984-7-0x00000000052C0000-0x00000000052C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-10-0x0000000005660000-0x0000000005661000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-15-0x0000000006060000-0x0000000006061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-24-0x00000000062D0000-0x00000000062D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-23-0x0000000006290000-0x0000000006291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-16-0x00000000060B0000-0x00000000060B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-3-0x00000000742D0000-0x00000000749BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1072-57-0x0000000004A10000-0x0000000004A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-58-0x0000000005730000-0x0000000005731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-51-0x0000000000000000-mapping.dmp

      Download

    • memory/1072-74-0x0000000006290000-0x0000000006291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-53-0x0000000073580000-0x0000000073C6E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1072-54-0x0000000002380000-0x0000000002381000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-55-0x0000000004B80000-0x0000000004B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-56-0x0000000002640000-0x0000000002641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-73-0x0000000006280000-0x0000000006281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1072-61-0x00000000061A0000-0x00000000061A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-80-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

      Download

    • memory/1236-83-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

      Download

    • memory/1236-81-0x0000000000447D8A-mapping.dmp

      Download

    • memory/1304-27-0x0000000000000000-mapping.dmp

      Download

    • memory/1380-92-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1380-90-0x000000000041211A-mapping.dmp

      Download

    • memory/1380-89-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1592-32-0x0000000000000000-mapping.dmp

      Download

    • memory/1592-37-0x00000000026D0000-0x00000000026D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-35-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-34-0x0000000073F10000-0x00000000745FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1592-48-0x0000000005820000-0x0000000005821000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-38-0x0000000005340000-0x0000000005341000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-36-0x00000000048D0000-0x00000000048D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-86-0x0000000000413E10-mapping.dmp

      Download

    • memory/1680-88-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1680-85-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1808-79-0x0000000000220000-0x0000000000253000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1808-76-0x00000000004014B0-mapping.dmp

      Download

    • memory/1808-75-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1808-78-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

      Download