Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

123rd48.exe

windows7_x64

10

123rd48.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19/01/2021, 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123rd48.exe

  • Size

    579KB

  • MD5

    de4b296cb2891bd1c3ed085ed648a62d

  • SHA1

    73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

  • SHA256

    63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

  • SHA512

    122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Score
10/10
diamondfoxbotnetspywarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 1 IoCs

    Detects DiamondFox payload in file/memory.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123rd48.exe
    "C:\Users\Admin\AppData\Local\Temp\123rd48.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\123rd48.exe' -Destination 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
        "C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1392
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:580
        • C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
          /scomma C:\Users\Admin\AppData\Local\gadoiud\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1640
        • C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
          /scomma C:\Users\Admin\AppData\Local\gadoiud\2.log
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:696
        • C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
          /scomma C:\Users\Admin\AppData\Local\gadoiud\3.log
          4⤵
          • Executes dropped EXE
          PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/580-71-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-70-0x0000000004842000-0x0000000004843000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-66-0x0000000072F90000-0x000000007367E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/580-90-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-89-0x0000000005840000-0x0000000005841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-88-0x0000000005830000-0x0000000005831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-76-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-73-0x00000000056B0000-0x00000000056B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-67-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-72-0x0000000005350000-0x0000000005351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-69-0x0000000004840000-0x0000000004841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-68-0x0000000004880000-0x0000000004881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/696-100-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/696-104-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/884-39-0x00000000002E0000-0x0000000000350000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1312-31-0x0000000006280000-0x0000000006281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-9-0x0000000000990000-0x0000000000991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-8-0x00000000741F0000-0x00000000748DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1312-10-0x00000000049E0000-0x00000000049E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-12-0x00000000049A2000-0x00000000049A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-13-0x00000000024E0000-0x00000000024E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-14-0x0000000004950000-0x0000000004951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-17-0x00000000056A0000-0x00000000056A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-22-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-23-0x0000000006080000-0x0000000006081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-24-0x0000000006140000-0x0000000006141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-32-0x00000000064D0000-0x00000000064D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-7-0x0000000076371000-0x0000000076373000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1312-11-0x00000000049A0000-0x00000000049A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-47-0x0000000004910000-0x0000000004911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-46-0x00000000049C0000-0x00000000049C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-48-0x0000000005340000-0x0000000005341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-49-0x0000000004980000-0x0000000004981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-50-0x0000000004982000-0x0000000004983000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-60-0x0000000006100000-0x0000000006101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-45-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-44-0x0000000073680000-0x0000000073D6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1620-96-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1640-92-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/1640-97-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/1832-4-0x0000000000220000-0x0000000000290000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1832-106-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1832-5-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1832-110-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download