Overview

overview

10

Static

static

10

f24b905fb5...88.exe

windows7_x64

10

f24b905fb5...88.exe

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22/01/2021, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe

  • Size

    90KB

  • MD5

    4dddf0bfbb7fff60a92926426a0754e4

  • SHA1

    423f4f6b9c0805222b9577b52862af684030c002

  • SHA256

    f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788

  • SHA512

    713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744

Score
10/10
diamondfoxbotnetransomwarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe
    "C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788.exe' -Destination 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe
        "C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xdaeitx\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/564-20-0x0000000009E10000-0x0000000009E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-18-0x00000000094F0000-0x00000000094F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-11-0x0000000004D40000-0x0000000004D41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-12-0x0000000008190000-0x0000000008191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-13-0x0000000004D42000-0x0000000004D43000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-14-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-15-0x0000000008670000-0x0000000008671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-16-0x0000000008860000-0x0000000008861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-17-0x0000000009850000-0x0000000009851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-10-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-19-0x0000000009570000-0x0000000009571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-21-0x000000000A990000-0x000000000A991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-5-0x0000000073810000-0x0000000073EFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/564-9-0x0000000007E70000-0x0000000007E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-8-0x0000000007690000-0x0000000007691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-27-0x0000000004D43000-0x0000000004D44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-6-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/564-7-0x0000000007750000-0x0000000007751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-30-0x00000000739C0000-0x00000000740AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3232-36-0x00000000074F0000-0x00000000074F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-37-0x0000000004220000-0x0000000004221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-38-0x0000000004222000-0x0000000004223000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-41-0x0000000007B40000-0x0000000007B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-46-0x0000000004223000-0x0000000004224000-memory.dmp

    Filesize

    4KB

    Download