diamondfox | f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

General

Target

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
Size

90KB
MD5

4dddf0bfbb7fff60a92926426a0754e4
SHA1

423f4f6b9c0805222b9577b52862af684030c002
SHA256

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788
SHA512

713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Score

10^/10

diamondfox botnet ransomware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe	diamondfox

Executes dropped EXE 1 IoCs

Processes:

atiedxx.exe

pid process

3912 atiedxx.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

564 powershell.exe
564 powershell.exe
564 powershell.exe
3232 powershell.exe
3232 powershell.exe
3232 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 564 powershell.exe
Token: SeDebugPrivilege 3232 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exeatiedxx.exe

pid process

1056 f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
3912 atiedxx.exe

pid	process
3912	atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk	powershell.exe

pid	process
564	powershell.exe
564	powershell.exe
564	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe

description	pid	process
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe

pid	process
1056	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
3912	atiedxx.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exepowershell.exeatiedxx.exe

description	pid	process	target process
PID 1056 wrote to memory of 564	1056	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 1056 wrote to memory of 564	1056	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 1056 wrote to memory of 564	1056	f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe	powershell.exe
PID 564 wrote to memory of 3912	564	powershell.exe	atiedxx.exe
PID 564 wrote to memory of 3912	564	powershell.exe	atiedxx.exe
PID 564 wrote to memory of 3912	564	powershell.exe	atiedxx.exe
PID 3912 wrote to memory of 3232	3912	atiedxx.exe	powershell.exe
PID 3912 wrote to memory of 3232	3912	atiedxx.exe	powershell.exe
PID 3912 wrote to memory of 3232	3912	atiedxx.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
"C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
"C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dd539e769b912111ff50ccda119da000

SHA1
ef7414663897f7060432b8e0562b4e21d97b0fb7

SHA256
f16cc9036f2ec1ceebe70cc9f2045345e163124df5f471f8f586149010221f6e

SHA512
3b0a598ae0ff6b9df6faba84df7560bb4eb5a548893ea1f217b90a41669422ef70324cdfde698d4dcbaf5599c55fba0dbf6271eafe3430291ae77371da62088f

Download Submit
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
MD5
4dddf0bfbb7fff60a92926426a0754e4

SHA1
423f4f6b9c0805222b9577b52862af684030c002

SHA256
f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

SHA512
713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Download Submit
memory/564-20-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/564-18-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/564-11-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/564-12-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/564-13-0x0000000004D42000-0x0000000004D43000-memory.dmp

Filesize
4KB

Download
memory/564-14-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/564-15-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/564-16-0x0000000008860000-0x0000000008861000-memory.dmp

Filesize
4KB

Download
memory/564-17-0x0000000009850000-0x0000000009851000-memory.dmp

Filesize
4KB

Download
memory/564-10-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/564-19-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/564-4-0x0000000000000000-mapping.dmp

Download
memory/564-21-0x000000000A990000-0x000000000A991000-memory.dmp

Filesize
4KB

Download
memory/564-5-0x0000000073810000-0x0000000073EFE000-memory.dmp

Filesize
6.9MB

Download
memory/564-9-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/564-8-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/564-27-0x0000000004D43000-0x0000000004D44000-memory.dmp

Filesize
4KB

Download
memory/564-6-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/564-7-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/3232-30-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/3232-36-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/3232-37-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/3232-38-0x0000000004222000-0x0000000004223000-memory.dmp

Filesize
4KB

Download
memory/3232-28-0x0000000000000000-mapping.dmp

Download
memory/3232-41-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/3232-46-0x0000000004223000-0x0000000004224000-memory.dmp

Filesize
4KB

Download
memory/3912-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing