Overview

overview

10

Static

static

1607460946_Loade.exe

windows7_x64

10

1607460946_Loade.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-01-2021 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1607460946_Loade.exe

  • Size

    140KB

  • MD5

    7bf6de1dc69718455fb90e9a30a9183d

  • SHA1

    3a7f90978908d56d2b689aede98572581442cb19

  • SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

  • SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

Score
10/10
diamondfoxbotnetransomwarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 90 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 97 IoCs
  • Suspicious use of SendNotifyMessage 96 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe
    "C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    e71a0a7e48b10bde0a9c54387762f33e

    SHA1

    fed75947f1163b00096e24a46e67d9c21e7eeebd

    SHA256

    83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

    SHA512

    394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    c2d06c11dd1f1a8b1dedc1a311ca8cdc

    SHA1

    75c07243f9cb80a9c7aed2865f9c5192cc920e7e

    SHA256

    91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

    SHA512

    db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    0174b2f89fcdf95f335569b808e8fa97

    SHA1

    08752008d7e70ad6b78514e7a0331610d8acecec

    SHA256

    20505a0708b310ae6e8363090705ea6fe60c851096f4b4555b4d6be368f169d1

    SHA512

    6716d0e93aab3b8103b0d220f742b12c32a4587f8fe9a6c5b338b0b48607594fab97aeac8e95711ee5f826e40abdc7f677c29c18b78f85a7a384ffdf3f6b3ca1

    Download Submit
  • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
    MD5

    7bf6de1dc69718455fb90e9a30a9183d

    SHA1

    3a7f90978908d56d2b689aede98572581442cb19

    SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

    SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk
    MD5

    ac9c83e0266393c1909db27248ad1ef8

    SHA1

    80f9fb3970a3033beb56da6aeb9ffdfe0dee43cb

    SHA256

    4f7e7fffe6e1d615783b3829cba180dae2c3975a5f0f31fc926e68ac60c90f95

    SHA512

    639593a2918c6131f8346c54161a3d56b41adc5d30d2d1328d99d3fdc66d90a4c14c8f74266daea5fbaaeb60d38c8891e90481edd371a55ee5db6da9bcad0744

    Download Submit
  • memory/648-2-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-6-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/648-5-0x00000000001C0000-0x00000000001D8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1924-13-0x00000000078A0000-0x00000000078A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-12-0x0000000007090000-0x0000000007091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-15-0x0000000007C60000-0x0000000007C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-16-0x0000000004812000-0x0000000004813000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-17-0x00000000079A0000-0x00000000079A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-18-0x0000000008420000-0x0000000008421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-19-0x00000000081F0000-0x00000000081F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-20-0x0000000009030000-0x0000000009031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-21-0x0000000008EF0000-0x0000000008EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-22-0x0000000008F50000-0x0000000008F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-23-0x0000000009600000-0x0000000009601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-24-0x000000000A180000-0x000000000A181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-14-0x0000000007910000-0x0000000007911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-11-0x0000000007200000-0x0000000007201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-28-0x0000000004813000-0x0000000004814000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-8-0x0000000073E00000-0x00000000744EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1924-9-0x0000000004710000-0x0000000004711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-10-0x0000000004810000-0x0000000004811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-36-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2592-42-0x0000000008060000-0x0000000008061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-34-0x0000000000000000-mapping.dmp
    Download
  • memory/2592-44-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-45-0x0000000004BB2000-0x0000000004BB3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-47-0x0000000008430000-0x0000000008431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2592-53-0x0000000004BB3000-0x0000000004BB4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-29-0x0000000000920000-0x0000000000921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-25-0x0000000000000000-mapping.dmp
    Download