Overview

overview

10

Static

static

1607460946_Loade.exe

windows7_x64

10

1607460946_Loade.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1607460946_Loade.exe

  • Size

    140KB

  • MD5

    7bf6de1dc69718455fb90e9a30a9183d

  • SHA1

    3a7f90978908d56d2b689aede98572581442cb19

  • SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

  • SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

Score
10/10
diamondfoxbotnetransomwarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe
    "C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
    MD5

    597009ea0430a463753e0f5b1d1a249e

    SHA1

    4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

    SHA256

    3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

    SHA512

    5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
    MD5

    02ff38ac870de39782aeee04d7b48231

    SHA1

    0390d39fa216c9b0ecdb38238304e518fb2b5095

    SHA256

    fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

    SHA512

    24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
    MD5

    df44874327d79bd75e4264cb8dc01811

    SHA1

    1396b06debed65ea93c24998d244edebd3c0209d

    SHA256

    55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

    SHA512

    95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
    MD5

    75a8da7754349b38d64c87c938545b1b

    SHA1

    5c28c257d51f1c1587e29164cc03ea880c21b417

    SHA256

    bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

    SHA512

    798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
    MD5

    5e3c7184a75d42dda1a83606a45001d8

    SHA1

    94ca15637721d88f30eb4b6220b805c5be0360ed

    SHA256

    8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

    SHA512

    fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
    MD5

    b6d38f250ccc9003dd70efd3b778117f

    SHA1

    d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

    SHA256

    4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

    SHA512

    67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
    MD5

    be4d72095faf84233ac17b94744f7084

    SHA1

    cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

    SHA256

    b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

    SHA512

    43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
    MD5

    a725bb9fafcf91f3c6b7861a2bde6db2

    SHA1

    8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

    SHA256

    51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

    SHA512

    1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    ac05eb7f4008248548aebc4c1c2ced1c

    SHA1

    ace4f24e6be478346b68343f3b71a799326ae061

    SHA256

    247f0cc0ebd5eed83e65a7ae368a593c740ba5b451dfe4ac7792447cc8871590

    SHA512

    eeb13849d7d2506630d8eaaa91a061d87de3bb57f45bc05b5fe5c5edb84bc4799ddb225ace01dd868e7b95917e45ebb341834db5c78bb9e8a7b7484e0fa0f99f

    Download Submit
  • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    f07ca1d50a70cbffd891c19b2dd214c3

    SHA1

    86d146310d05b2b5b472c8cc3183ff107a460f90

    SHA256

    1f7bc6dcff1dd2aa3b6bd54e460a58fde05f6a965c64404d719ee44b235fee05

    SHA512

    f3381498ef4399f6d56c8a4c442952c9b1f9bb4957a8a9e5af70af1c372c1053ff2f76f9c345ac700d01f0bd7a943f466e9142dee6b35c2a85c8c7a96ad40c23

    Download Submit
  • \Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • \Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • \Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • memory/792-15-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-14-0x0000000002590000-0x0000000002591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-33-0x0000000006390000-0x0000000006391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-31-0x0000000005820000-0x0000000005821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-24-0x00000000061F0000-0x00000000061F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-7-0x0000000000000000-mapping.dmp
    Download
  • memory/792-23-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-8-0x00000000760B1000-0x00000000760B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/792-32-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-18-0x0000000005640000-0x0000000005641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-9-0x0000000073E90000-0x000000007457E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/792-10-0x0000000002010000-0x0000000002011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-11-0x0000000004800000-0x0000000004801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-12-0x0000000004802000-0x0000000004803000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-13-0x0000000004840000-0x0000000004841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-43-0x0000000000000000-mapping.dmp
    Download
  • memory/1028-47-0x0000000000790000-0x0000000000791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-62-0x00000000057D0000-0x00000000057D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-51-0x0000000000752000-0x0000000000753000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-50-0x0000000000750000-0x0000000000751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-49-0x0000000005120000-0x0000000005121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-48-0x0000000004870000-0x0000000004871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-52-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-46-0x0000000073EC0000-0x00000000745AE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1448-65-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1592-38-0x0000000000650000-0x0000000000661000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1592-36-0x0000000000000000-mapping.dmp
    Download
  • memory/1864-2-0x0000000000710000-0x0000000000721000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1864-6-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1864-5-0x0000000000020000-0x0000000000038000-memory.dmp
    Filesize

    96KB

    Download