SearchIndexer.exe

General
Target

SearchIndexer.exe

Filesize

91KB

Completed

12-08-2020 13:50

Score
10 /10
MD5

1cc07a0274718e845c9b77f8334c4cb3

SHA1

12b6c08371fd4661ed2da442e7ec34f226d7ac01

SHA256

b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

Malware Config

Extracted

Family diamondfox
C2

http://timesync.live/panel/gate.php

http://cartierxs.bit/panel/gate.php

http://salamsa.bit/panel/gate.php

http://rockababy.bit/panel/gate.php

http://minon.bit/panel/gate.php

http://bloxfox.bit/panel/gate.php

http://ggbbee.bit/panel/gate.php

http://locksock.bit/panel/gate.php

http://misosoup.bit/panel/gate.php

http://opseckes.bit/panel/gate.php

http://googletabmanager.com/panel/gate.php
xor.plain
Signatures 10

Filter: none

Collection
Credential Access
  • DiamondFox

    Description

    DiamondFox is a multipurpose botnet with many capabilities.

    Tags

  • Executes dropped EXE
    SearchIndexer.exeSearchIndexer.exeSearchIndexer.exeSearchIndexer.exeSearchIndexer.exe

    Reported IOCs

    pidprocess
    1304SearchIndexer.exe
    1808SearchIndexer.exe
    1236SearchIndexer.exe
    1680SearchIndexer.exe
    1380SearchIndexer.exe
  • Drops startup file
    powershell.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnkpowershell.exe
  • Loads dropped DLL
    powershell.exepowershell.exe

    Reported IOCs

    pidprocess
    984powershell.exe
    984powershell.exe
    1592powershell.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Suspicious use of SetThreadContext
    SearchIndexer.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1304 set thread context of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 set thread context of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 set thread context of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 set thread context of 13801304SearchIndexer.exeSearchIndexer.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exepowershell.exePowershell.exeSearchIndexer.exe

    Reported IOCs

    pidprocess
    984powershell.exe
    984powershell.exe
    1592powershell.exe
    1592powershell.exe
    1072Powershell.exe
    1072Powershell.exe
    1236SearchIndexer.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exepowershell.exePowershell.exeSearchIndexer.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege984powershell.exe
    Token: SeDebugPrivilege1592powershell.exe
    Token: SeDebugPrivilege1072Powershell.exe
    Token: SeDebugPrivilege1680SearchIndexer.exe
  • Suspicious use of SetWindowsHookEx
    SearchIndexer.exeSearchIndexer.exe

    Reported IOCs

    pidprocess
    1508SearchIndexer.exe
    1304SearchIndexer.exe
  • Suspicious use of WriteProcessMemory
    SearchIndexer.exepowershell.exeSearchIndexer.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1508 wrote to memory of 9841508SearchIndexer.exepowershell.exe
    PID 1508 wrote to memory of 9841508SearchIndexer.exepowershell.exe
    PID 1508 wrote to memory of 9841508SearchIndexer.exepowershell.exe
    PID 1508 wrote to memory of 9841508SearchIndexer.exepowershell.exe
    PID 984 wrote to memory of 1304984powershell.exeSearchIndexer.exe
    PID 984 wrote to memory of 1304984powershell.exeSearchIndexer.exe
    PID 984 wrote to memory of 1304984powershell.exeSearchIndexer.exe
    PID 984 wrote to memory of 1304984powershell.exeSearchIndexer.exe
    PID 1304 wrote to memory of 15921304SearchIndexer.exepowershell.exe
    PID 1304 wrote to memory of 15921304SearchIndexer.exepowershell.exe
    PID 1304 wrote to memory of 15921304SearchIndexer.exepowershell.exe
    PID 1304 wrote to memory of 15921304SearchIndexer.exepowershell.exe
    PID 1304 wrote to memory of 10721304SearchIndexer.exePowershell.exe
    PID 1304 wrote to memory of 10721304SearchIndexer.exePowershell.exe
    PID 1304 wrote to memory of 10721304SearchIndexer.exePowershell.exe
    PID 1304 wrote to memory of 10721304SearchIndexer.exePowershell.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 18081304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 12361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 16801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13801304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13361304SearchIndexer.exeSearchIndexer.exe
    PID 1304 wrote to memory of 13361304SearchIndexer.exeSearchIndexer.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:984
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';$shortcut.Save()
          Drops startup file
          Loads dropped DLL
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1072
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          Executes dropped EXE
          PID:1808
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\1.log
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          PID:1236
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\2.log
          Executes dropped EXE
          Suspicious use of AdjustPrivilegeToken
          PID:1680
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\3.log
          Executes dropped EXE
          PID:1380
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\4.log
          PID:1336
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
      Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a1733a9-c78a-41f9-ba49-7e78bc3e775b

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_638d71a9-5345-4c51-851c-72a6822e822b

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

                        Download

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\1.log

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                        Download

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                        Download

                      • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • \Users\Admin\AppData\Local\xerasr\SearchIndexer.exe

                        Download

                      • memory/984-23-0x0000000006290000-0x0000000006291000-memory.dmp

                        Download

                      • memory/984-3-0x00000000742D0000-0x00000000749BE000-memory.dmp

                        Download

                      • memory/984-2-0x0000000000000000-mapping.dmp

                        Download

                      • memory/984-16-0x00000000060B0000-0x00000000060B1000-memory.dmp

                        Download

                      • memory/984-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

                        Download

                      • memory/984-10-0x0000000005660000-0x0000000005661000-memory.dmp

                        Download

                      • memory/984-7-0x00000000052C0000-0x00000000052C1000-memory.dmp

                        Download

                      • memory/984-6-0x0000000002580000-0x0000000002581000-memory.dmp

                        Download

                      • memory/984-15-0x0000000006060000-0x0000000006061000-memory.dmp

                        Download

                      • memory/984-5-0x0000000004890000-0x0000000004891000-memory.dmp

                        Download

                      • memory/984-24-0x00000000062D0000-0x00000000062D1000-memory.dmp

                        Download

                      • memory/1072-57-0x0000000004A10000-0x0000000004A11000-memory.dmp

                        Download

                      • memory/1072-74-0x0000000006290000-0x0000000006291000-memory.dmp

                        Download

                      • memory/1072-58-0x0000000005730000-0x0000000005731000-memory.dmp

                        Download

                      • memory/1072-73-0x0000000006280000-0x0000000006281000-memory.dmp

                        Download

                      • memory/1072-53-0x0000000073580000-0x0000000073C6E000-memory.dmp

                        Download

                      • memory/1072-54-0x0000000002380000-0x0000000002381000-memory.dmp

                        Download

                      • memory/1072-61-0x00000000061A0000-0x00000000061A1000-memory.dmp

                        Download

                      • memory/1072-56-0x0000000002640000-0x0000000002641000-memory.dmp

                        Download

                      • memory/1072-51-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1072-55-0x0000000004B80000-0x0000000004B81000-memory.dmp

                        Download

                      • memory/1236-83-0x0000000000400000-0x0000000000477000-memory.dmp

                        Download

                      • memory/1236-81-0x0000000000447D8A-mapping.dmp

                        Download

                      • memory/1236-80-0x0000000000400000-0x0000000000477000-memory.dmp

                        Download

                      • memory/1304-27-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1380-89-0x0000000000400000-0x000000000041C000-memory.dmp

                        Download

                      • memory/1380-90-0x000000000041211A-mapping.dmp

                        Download

                      • memory/1380-92-0x0000000000400000-0x000000000041C000-memory.dmp

                        Download

                      • memory/1592-32-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1592-36-0x00000000048D0000-0x00000000048D1000-memory.dmp

                        Download

                      • memory/1592-37-0x00000000026D0000-0x00000000026D1000-memory.dmp

                        Download

                      • memory/1592-35-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

                        Download

                      • memory/1592-38-0x0000000005340000-0x0000000005341000-memory.dmp

                        Download

                      • memory/1592-34-0x0000000073F10000-0x00000000745FE000-memory.dmp

                        Download

                      • memory/1592-48-0x0000000005820000-0x0000000005821000-memory.dmp

                        Download

                      • memory/1680-86-0x0000000000413E10-mapping.dmp

                        Download

                      • memory/1680-88-0x0000000000400000-0x0000000000422000-memory.dmp

                        Download

                      • memory/1680-85-0x0000000000400000-0x0000000000422000-memory.dmp

                        Download

                      • memory/1808-79-0x0000000000220000-0x0000000000253000-memory.dmp

                        Download

                      • memory/1808-78-0x0000000000400000-0x000000000044B000-memory.dmp

                        Download

                      • memory/1808-76-0x00000000004014B0-mapping.dmp

                        Download

                      • memory/1808-75-0x0000000000400000-0x000000000044B000-memory.dmp

                        Download