diamondfox | f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
Size

90KB
MD5

4dddf0bfbb7fff60a92926426a0754e4
SHA1

423f4f6b9c0805222b9577b52862af684030c002
SHA256

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788
SHA512

713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Score

10^/10

diamondfox botnet ransomware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 5 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox

Executes dropped EXE 1 IoCs

Processes:

atiedxx.exe

pid process

564 atiedxx.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

896 powershell.exe
896 powershell.exe
344 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
564	atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk	powershell.exe

pid	process
896	powershell.exe
896	powershell.exe
344	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	atiedxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	atiedxx.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

896 powershell.exe
896 powershell.exe
344 powershell.exe
344 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 896 powershell.exe
Token: SeDebugPrivilege 344 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exeatiedxx.exe

pid process

792 f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
564 atiedxx.exe

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
896	powershell.exe
896	powershell.exe
344	powershell.exe
344	powershell.exe

description	pid	process
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe

pid	process
792	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
564	atiedxx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exepowershell.exeatiedxx.exe

description	pid	process	target process
PID 792 wrote to memory of 896	792	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 792 wrote to memory of 896	792	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 792 wrote to memory of 896	792	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 792 wrote to memory of 896	792	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 896 wrote to memory of 564	896	powershell.exe	atiedxx.exe
PID 896 wrote to memory of 564	896	powershell.exe	atiedxx.exe
PID 896 wrote to memory of 564	896	powershell.exe	atiedxx.exe
PID 896 wrote to memory of 564	896	powershell.exe	atiedxx.exe
PID 564 wrote to memory of 344	564	atiedxx.exe	powershell.exe
PID 564 wrote to memory of 344	564	atiedxx.exe	powershell.exe
PID 564 wrote to memory of 344	564	atiedxx.exe	powershell.exe
PID 564 wrote to memory of 344	564	atiedxx.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
"C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
"C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5aa6ef99cdd3f9d0a40fd99c7db9dcb4

SHA1
034c74121b2c822db03f61921d9d0d242a09d7ee

SHA256
9f4965588cd8fdbe33b83fa863104fb8719a935c9bdfa5edcd5dc16220708533

SHA512
657ee492d972c3f0ed507ba714da8bd3201e7ceab45e80fa79b5f03c2835ffdc76698480b56fa0064b5b2f4f42d6279139005bb38439f43d0a06dccdd03cad75

Download Submit
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
41c5703f9a758c7fc06d28a57dfe13d8

SHA1
2eafc3754f9f4e48f5ed4996d75370b94110d0bd

SHA256
1d9479d5102cebd88d36bc2f49b5542c33d6754d7cfb5e3c8d307cc801b635dc

SHA512
c14ff31fa4b9f0d59c36affafb162dbd0a38f2d7cbc12dbcc0c8e1517c48184e5330f626e3b6bf564ca114b6f9a54cd84bfd839ba9996193d17cb8382b2f965c

Download Submit
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
memory/344-45-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/344-44-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/344-56-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/344-37-0x0000000000000000-mapping.dmp

Download
memory/344-46-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/344-40-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/344-41-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/344-42-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/344-43-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/564-33-0x0000000000000000-mapping.dmp

Download
memory/896-20-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/896-10-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/896-4-0x0000000000000000-mapping.dmp

Download
memory/896-21-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/896-15-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/896-12-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/896-11-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/896-28-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/896-9-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/896-8-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/896-7-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/896-6-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/896-30-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/896-29-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/896-5-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download