Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 22/01/2021, 22:17
Static task: static1
Behavioral task: behavioral1 (sample f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe, resource win10v20201028)
General
Target: f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
Size: 90KB
MD5: 4dddf0bfbb7fff60a92926426a0754e4
SHA1: 423f4f6b9c0805222b9577b52862af684030c002
SHA256: f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788
SHA512: 713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744
Malware Config
Signatures
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.

DiamondFox payload (5 IoCs)
Detects DiamondFox payload in file/memory.
resource | yara_rule
behavioral1/files/0x0004000000012fe2-31.dat | diamondfox
behavioral1/files/0x0004000000012fe2-34.dat | diamondfox
behavioral1/files/0x0004000000012fe2-32.dat | diamondfox
behavioral1/files/0x0004000000012fe2-58.dat | diamondfox
behavioral1/files/0x0004000000012fe2-57.dat | diamondfox
Executes dropped EXE (1 IoC)
pid | Process
564 | atiedxx.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk | powershell.exe

Loads dropped DLL (3 IoCs)
pid | Process
896 | powershell.exe
896 | powershell.exe
344 | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; on its own it is a weak indicator, and nothing else in this report supports that reading for this sample.

Modifies system certificate store (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | atiedxx.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | atiedxx.exe
Caveat: the thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is that of the public root "DST Root CA X3". Windows writes entries under AuthRoot\Certificates through root-certificate auto-update when a process first validates a chain to a root that is not yet in the local store, so this write is more plausibly a side effect of the sample's WinHTTP connection than a planted trust anchor. Compare the Blob value with the public certificate before treating the key as an indicator.
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 6 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent sent by the WinHttp.WinHttpRequest.5.1 COM object; the report does not show the destination host of flow 6.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
896 | powershell.exe
896 | powershell.exe
344 | powershell.exe
344 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 896 | powershell.exe
Token: SeDebugPrivilege | 344 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
792 | f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
564 | atiedxx.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 792 wrote to memory of 896 | 792 | f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe | 29 (recorded 4 times)
PID 896 wrote to memory of 564 | 896 | powershell.exe | 31 (recorded 4 times)
PID 564 wrote to memory of 344 | 564 | atiedxx.exe | 32 (recorded 4 times)
Each write goes from a parent to the child it has just spawned, matching the process tree below; this is the pattern of ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe (PID 792)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 896)
      Command line: powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe (PID 564)
         Command line: "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
         - Executes dropped EXE
         - Modifies system certificate store
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 344)
            Command line: powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
            - Drops startup file
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
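The two PowerShell command lines in this tree are the whole persistence mechanism: stage 1 copies the sample out of Temp into AppData\Local, sleeps, and relaunches the copy; the copy then spawns stage 2, which writes a Startup-folder .lnk pointing back at the copy. The following detection logic is an added example, not code from the sandbox or from the DiamondFox sample. It runs over constructed process-creation events that mirror the PIDs, images and command lines above; the event field names (pid, ppid, image, cmdline), the placeholder parent PID 1000 for the initial process and the rule names are assumptions of this example, and the two stages are linked through the process tree so that a hit requires the .lnk target, the dropped path and the parent image to agree.

```python
"""Flag the copy-sleep-relaunch plus Startup-.lnk persistence chain seen in the report.

Added example, not sandbox or sample code. Event shape (pid, ppid, image, cmdline)
is an assumption modelled on Sysmon Event ID 1 / Security 4688 data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in the report (not exported from the sandbox).
SAMPLE = "f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED = r"C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk"

SAMPLE_EVENTS = [
    ProcEvent(792, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),  # ppid 1000: assumed launcher, not in the report
    ProcEvent(896, 792, POWERSHELL,
              f"powershell Copy-Item -Path '{TEMP_EXE}' -Destination '{DROPPED}';"
              f"Start-Sleep -s 60;Start-Process '{DROPPED}'"),
    ProcEvent(564, 896, DROPPED, f'"{DROPPED}"'),
    ProcEvent(344, 564, POWERSHELL,
              "powershell $shell = New-Object -ComObject WScript.Shell;"
              f"$shortcut = $shell.CreateShortcut('{STARTUP_LNK}');"
              f"$shortcut.TargetPath = '{DROPPED}';$shortcut.Save()"),
]

COPY_RE = re.compile(r"Copy-Item\s+-Path\s+'([^']+)'\s+-Destination\s+'([^']+)'", re.I)
START_RE = re.compile(r"Start-Process\s+'([^']+)'", re.I)
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d+)", re.I)
LNK_RE = re.compile(r"CreateShortcut\('([^']+)'\)", re.I)
TARGET_RE = re.compile(r"\.TargetPath\s*=\s*'([^']+)'", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
APPDATA_LOCAL_RE = re.compile(r"\\AppData\\Local\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def is_powershell(image: str) -> bool:
    return image.lower().endswith("\\powershell.exe")


def detect_copy_and_relaunch(ev: ProcEvent):
    """Stage 1: PowerShell copies a Temp binary under AppData\\Local and starts that same copy."""
    if not is_powershell(ev.image):
        return None
    m_copy, m_start = COPY_RE.search(ev.cmdline), START_RE.search(ev.cmdline)
    if not (m_copy and m_start):
        return None
    src, dst = m_copy.group(1), m_copy.group(2)
    if not (TEMP_DIR_RE.search(src) and APPDATA_LOCAL_RE.search(dst)):
        return None
    if dst.lower() != m_start.group(1).lower():   # Start-Process must target the copy itself
        return None
    m_sleep = SLEEP_RE.search(ev.cmdline)
    return {"rule": "copy_sleep_relaunch", "pid": ev.pid, "dropped": dst,
            "sleep_seconds": int(m_sleep.group(1)) if m_sleep else 0}


def detect_startup_shortcut(ev: ProcEvent):
    """Stage 2: WScript.Shell creates a .lnk inside the per-user Startup folder."""
    if not is_powershell(ev.image) or "WScript.Shell" not in ev.cmdline:
        return None
    m_lnk, m_tgt = LNK_RE.search(ev.cmdline), TARGET_RE.search(ev.cmdline)
    if not (m_lnk and m_tgt and STARTUP_DIR_RE.search(m_lnk.group(1))):
        return None
    return {"rule": "startup_lnk_persistence", "pid": ev.pid,
            "lnk": m_lnk.group(1), "target": m_tgt.group(1)}


def find_persistence_chain(events):
    """Return (hits, chains). A chain links a stage-2 hit to a stage-1 hit when the .lnk target
    equals the dropped path and the stage-2 PowerShell was spawned by that dropped binary."""
    by_pid = {e.pid: e for e in events}
    hits = [h for ev in events
            for h in (detect_copy_and_relaunch(ev), detect_startup_shortcut(ev)) if h]
    drops = {h["dropped"].lower(): h for h in hits if h["rule"] == "copy_sleep_relaunch"}
    chains = []
    for h in hits:
        if h["rule"] != "startup_lnk_persistence":
            continue
        stage1 = drops.get(h["target"].lower())
        parent = by_pid.get(by_pid[h["pid"]].ppid)
        if stage1 and parent and parent.image.lower() == h["target"].lower():
            chains.append({"stage1_pid": stage1["pid"], "dropped_pid": parent.pid,
                           "stage2_pid": h["pid"], "dropped": stage1["dropped"], "lnk": h["lnk"]})
    return hits, chains


if __name__ == "__main__":
    for hit in find_persistence_chain(SAMPLE_EVENTS)[0]:
        print(hit)
    for chain in find_persistence_chain(SAMPLE_EVENTS)[1]:
        print("CHAIN:", chain)
```

Either stage fires on its own; the linked chain is the high-confidence signal, because a lone Copy-Item into AppData\Local or a lone Startup shortcut also occurs in legitimate installers, while a .lnk whose target is the file a PowerShell child of the dropper just copied, written by a PowerShell child of that copy, is the exact sequence in this report.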