Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

setup.exe

windows7_x64

10

setup.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17/11/2020, 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    90KB

  • MD5

    1d5b46ff3cd12fd31362557299d6f488

  • SHA1

    42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

  • SHA256

    2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

  • SHA512

    4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Score
10/10
diamondfoxbotnetdiscoveryspywarestealer

Malware Config

Extracted

Family

diamondfox

C2

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php
Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 7 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 6 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\setup.exe' -Destination 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3696
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:428
        • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:520
        • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\tiedaxx\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3296
        • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\tiedaxx\2.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3948
        • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\tiedaxx\3.log
          4⤵
          • Executes dropped EXE
          PID:1008
        • C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\tiedaxx\4.log
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/188-9-0x0000000007850000-0x0000000007851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-11-0x0000000008290000-0x0000000008291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-16-0x00000000093C0000-0x00000000093C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-17-0x0000000009F40000-0x0000000009F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-14-0x0000000008D00000-0x0000000008D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-13-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-12-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-15-0x0000000008D20000-0x0000000008D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-10-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-8-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-7-0x00000000070B0000-0x00000000070B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-6-0x0000000006F30000-0x0000000006F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-5-0x0000000007120000-0x0000000007121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-4-0x0000000001080000-0x0000000001081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-3-0x0000000072860000-0x0000000072F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/428-40-0x0000000071CE0000-0x00000000723CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/428-64-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-49-0x0000000007E00000-0x0000000007E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-52-0x00000000089E0000-0x0000000008A13000-memory.dmp

    Filesize

    204KB

    Download

  • memory/428-59-0x00000000089A0000-0x00000000089A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-60-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-62-0x0000000008E60000-0x0000000008E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/428-46-0x0000000007510000-0x0000000007511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1008-80-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1008-83-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2076-66-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3296-74-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3296-71-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3696-34-0x00000000084E0000-0x00000000084E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-25-0x0000000072500000-0x0000000072BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3696-31-0x0000000007A80000-0x0000000007A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3948-79-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3948-76-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4056-84-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4056-87-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4056-88-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download