Overview

overview

10

Static

static

10

SearchIndexer.exe

windows7_x64

10

SearchIndexer.exe

windows10_x64

10

Resubmissions

19-09-2021 03:58

210919-ejryxachcm 10

19-09-2021 01:27

210919-bvbjhscgel 10

19-09-2021 01:24

210919-bsvvdaaba9 10

12-08-2020 13:47

200812-vc8ftkz17s 10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    12-08-2020 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SearchIndexer.exe

  • Size

    91KB

  • MD5

    1cc07a0274718e845c9b77f8334c4cb3

  • SHA1

    12b6c08371fd4661ed2da442e7ec34f226d7ac01

  • SHA256

    b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

  • SHA512

    0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

Score
10/10
spywarebotnetstealerdiamondfox

Malware Config

Extracted

Family

diamondfox

C2

http://timesync.live/panel/gate.php

http://cartierxs.bit/panel/gate.php

http://salamsa.bit/panel/gate.php

http://rockababy.bit/panel/gate.php

http://minon.bit/panel/gate.php

http://bloxfox.bit/panel/gate.php

http://ggbbee.bit/panel/gate.php

http://locksock.bit/panel/gate.php

http://misosoup.bit/panel/gate.php

http://opseckes.bit/panel/gate.php

http://googletabmanager.com/panel/gate.php
Mutex

cyjJzYyDay1EfrkaW4HRyO6y4OufUKaS

xor.plain

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:896
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          4⤵
          • Executes dropped EXE
          PID:1540
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1044
        • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
          /scomma C:\Users\Admin\AppData\Local\xerasr\2.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\1.log
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    Download Submit
  • memory/896-59-0x0000000008EF0000-0x0000000008EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-49-0x00000000083E0000-0x00000000083E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-46-0x0000000007A90000-0x0000000007A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-40-0x0000000073290000-0x000000007397E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/896-39-0x0000000000000000-mapping.dmp
    Download
  • memory/896-52-0x0000000008F60000-0x0000000008F93000-memory.dmp
    Filesize

    204KB

    Download
  • memory/896-60-0x0000000009290000-0x0000000009291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-62-0x0000000006C50000-0x0000000006C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/896-64-0x0000000006C40000-0x0000000006C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-14-0x00000000090D0000-0x00000000090D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-8-0x0000000007BE0000-0x0000000007BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-3-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/972-4-0x0000000004920000-0x0000000004921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-5-0x00000000073D0000-0x00000000073D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-6-0x0000000007370000-0x0000000007371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-17-0x000000000A580000-0x000000000A581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-16-0x0000000009A00000-0x0000000009A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-15-0x0000000009130000-0x0000000009131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-2-0x0000000000000000-mapping.dmp
    Download
  • memory/972-13-0x00000000091F0000-0x00000000091F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-12-0x00000000084E0000-0x00000000084E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-11-0x0000000008490000-0x0000000008491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-10-0x0000000008000000-0x0000000008001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-9-0x0000000007C50000-0x0000000007C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/972-7-0x0000000007A70000-0x0000000007A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1044-74-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/1044-72-0x0000000000447D8A-mapping.dmp
    Download
  • memory/1044-71-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/1372-18-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-69-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1540-70-0x0000000000450000-0x0000000000483000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1540-66-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1540-67-0x00000000004014B0-mapping.dmp
    Download
  • memory/3304-34-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3304-23-0x0000000000000000-mapping.dmp
    Download
  • memory/3304-31-0x0000000007720000-0x0000000007721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3304-25-0x0000000073370000-0x0000000073A5E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4000-76-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4000-77-0x0000000000413E10-mapping.dmp
    Download
  • memory/4000-79-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download