Overview

overview

10

Static

static

1607460946_Loade.exe

windows7_x64

10

1607460946_Loade.exe

windows10_x64

10

Analysis

  • max time kernel
    113s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22/01/2021, 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1607460946_Loade.exe

  • Size

    140KB

  • MD5

    7bf6de1dc69718455fb90e9a30a9183d

  • SHA1

    3a7f90978908d56d2b689aede98572581442cb19

  • SHA256

    8ca67e40d0d3826efc58feb163760f994eae52731f74c2a3d0d45148a2996bb2

  • SHA512

    78d208eb831789a85d3a5920560fa7c7fe1385491830dbc1e6caac35bb7cba66692cdc1d6b9c06f12a80767e1fa78cb56f011ab9e982839976757fd6cc08ccd9

Score
10/10
diamondfoxbotnetransomwarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe
    "C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1607460946_Loade.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3892
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1544-13-0x0000000006F80000-0x0000000006F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-24-0x000000000A4D0000-0x000000000A4D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-11-0x0000000007200000-0x0000000007201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-12-0x0000000007360000-0x0000000007361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-14-0x0000000006F82000-0x0000000006F83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-15-0x0000000007C60000-0x0000000007C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-16-0x0000000007D90000-0x0000000007D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-17-0x0000000007C30000-0x0000000007C31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-18-0x0000000008150000-0x0000000008151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-19-0x00000000083B0000-0x00000000083B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-20-0x0000000009340000-0x0000000009341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-21-0x0000000009080000-0x0000000009081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-22-0x00000000090A0000-0x00000000090A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-23-0x0000000009950000-0x0000000009951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-10-0x00000000075C0000-0x00000000075C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-28-0x0000000006F83000-0x0000000006F84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-9-0x0000000004860000-0x0000000004861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1544-8-0x00000000731E0000-0x00000000738CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-36-0x0000000073450000-0x0000000073B3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-39-0x00000000069B0000-0x00000000069B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-40-0x00000000069B2000-0x00000000069B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-44-0x0000000007650000-0x0000000007651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-47-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-52-0x00000000069B3000-0x00000000069B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-29-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4040-2-0x0000000000940000-0x0000000000941000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4040-6-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4040-5-0x00000000001E0000-0x00000000001F8000-memory.dmp

    Filesize

    96KB

    Download