Overview

overview

10

Static

static

10

f24b905fb5...88.exe

windows7_x64

10

f24b905fb5...88.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22/01/2021, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe

  • Size

    90KB

  • MD5

    4dddf0bfbb7fff60a92926426a0754e4

  • SHA1

    423f4f6b9c0805222b9577b52862af684030c002

  • SHA256

    f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

  • SHA512

    713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Score
10/10
diamondfoxbotnetransomwarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 5 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
    "C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:344

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/344-45-0x0000000005210000-0x0000000005211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-44-0x0000000004822000-0x0000000004823000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-56-0x0000000006180000-0x0000000006181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-46-0x0000000005380000-0x0000000005381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-40-0x0000000074290000-0x000000007497E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/344-41-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-42-0x0000000004860000-0x0000000004861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/344-43-0x0000000004820000-0x0000000004821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-20-0x00000000056B0000-0x00000000056B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-10-0x0000000004852000-0x0000000004853000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-21-0x0000000006120000-0x0000000006121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-15-0x0000000005620000-0x0000000005621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-12-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-11-0x0000000002600000-0x0000000002601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-28-0x0000000006200000-0x0000000006201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-9-0x0000000004850000-0x0000000004851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-8-0x0000000004890000-0x0000000004891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-7-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-6-0x0000000074260000-0x000000007494E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/896-30-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-29-0x00000000062D0000-0x00000000062D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/896-5-0x00000000765E1000-0x00000000765E3000-memory.dmp

    Filesize

    8KB

    Download