diamondfox | 71c7eb818509ce499f6f870cd785d5b215a264e2d28e9606b1ba6b955bd2b9d4

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
09/02/2021, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1B59.tmp.bin.exe
Size

376KB
MD5

160844e5811ca8258e61cf44bf8587e5
SHA1

215bfc756f944e36c53e73e4be99c68b8d36df04
SHA256

f0498105de4bca70065bac976d8da9cb153a174dedbf0e3d932abae2eb94f152
SHA512

e92082ad2a68292622c2cff0ea7d77e034c1c4118947dcf6c3cf390aa21f03c0cd72602a41f896534af5cfec3087d6e0e7a1a9b6ce3f88a9d468ec910a0048a8

Score

10^/10

diamondfox botnet discovery ransomware spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/4696-3-0x0000000000400000-0x0000000002955000-memory.dmp	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4400-30-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral2/memory/4400-31-0x000000000044412E-mapping.dmp	MailPassView
behavioral2/memory/4400-33-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4496-16-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral2/memory/4496-17-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral2/memory/4496-19-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral2/memory/4496-16-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/4496-17-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral2/memory/4496-19-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/4400-30-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/memory/4400-31-0x000000000044412E-mapping.dmp	Nirsoft
behavioral2/memory/4400-33-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/memory/1500-34-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/1500-35-0x000000000040190A-mapping.dmp	Nirsoft
behavioral2/memory/1500-37-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
4236	MicrosoftEdgeCPS.exe
4496	MicrosoftEdgeCPS.exe
196	MicrosoftEdgeCPS.exe
2312	MicrosoftEdgeCPS.exe
4400	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4236 set thread context of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 set thread context of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 set thread context of 2312	4236	MicrosoftEdgeCPS.exe	98
PID 4236 set thread context of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 set thread context of 1500	4236	MicrosoftEdgeCPS.exe	102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	2312	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4236	MicrosoftEdgeCPS.exe
4236	MicrosoftEdgeCPS.exe
4496	MicrosoftEdgeCPS.exe
4496	MicrosoftEdgeCPS.exe
4496	MicrosoftEdgeCPS.exe
4496	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	732	wmic.exe
Token: SeSecurityPrivilege	732	wmic.exe
Token: SeTakeOwnershipPrivilege	732	wmic.exe
Token: SeLoadDriverPrivilege	732	wmic.exe
Token: SeSystemProfilePrivilege	732	wmic.exe
Token: SeSystemtimePrivilege	732	wmic.exe
Token: SeProfSingleProcessPrivilege	732	wmic.exe
Token: SeIncBasePriorityPrivilege	732	wmic.exe
Token: SeCreatePagefilePrivilege	732	wmic.exe
Token: SeBackupPrivilege	732	wmic.exe
Token: SeRestorePrivilege	732	wmic.exe
Token: SeShutdownPrivilege	732	wmic.exe
Token: SeDebugPrivilege	732	wmic.exe
Token: SeSystemEnvironmentPrivilege	732	wmic.exe
Token: SeRemoteShutdownPrivilege	732	wmic.exe
Token: SeUndockPrivilege	732	wmic.exe
Token: SeManageVolumePrivilege	732	wmic.exe
Token: 33	732	wmic.exe
Token: 34	732	wmic.exe
Token: 35	732	wmic.exe
Token: 36	732	wmic.exe
Token: SeIncreaseQuotaPrivilege	732	wmic.exe
Token: SeSecurityPrivilege	732	wmic.exe
Token: SeTakeOwnershipPrivilege	732	wmic.exe
Token: SeLoadDriverPrivilege	732	wmic.exe
Token: SeSystemProfilePrivilege	732	wmic.exe
Token: SeSystemtimePrivilege	732	wmic.exe
Token: SeProfSingleProcessPrivilege	732	wmic.exe
Token: SeIncBasePriorityPrivilege	732	wmic.exe
Token: SeCreatePagefilePrivilege	732	wmic.exe
Token: SeBackupPrivilege	732	wmic.exe
Token: SeRestorePrivilege	732	wmic.exe
Token: SeShutdownPrivilege	732	wmic.exe
Token: SeDebugPrivilege	732	wmic.exe
Token: SeSystemEnvironmentPrivilege	732	wmic.exe
Token: SeRemoteShutdownPrivilege	732	wmic.exe
Token: SeUndockPrivilege	732	wmic.exe
Token: SeManageVolumePrivilege	732	wmic.exe
Token: 33	732	wmic.exe
Token: 34	732	wmic.exe
Token: 35	732	wmic.exe
Token: 36	732	wmic.exe
Token: SeIncreaseQuotaPrivilege	852	wmic.exe
Token: SeSecurityPrivilege	852	wmic.exe
Token: SeTakeOwnershipPrivilege	852	wmic.exe
Token: SeLoadDriverPrivilege	852	wmic.exe
Token: SeSystemProfilePrivilege	852	wmic.exe
Token: SeSystemtimePrivilege	852	wmic.exe
Token: SeProfSingleProcessPrivilege	852	wmic.exe
Token: SeIncBasePriorityPrivilege	852	wmic.exe
Token: SeCreatePagefilePrivilege	852	wmic.exe
Token: SeBackupPrivilege	852	wmic.exe
Token: SeRestorePrivilege	852	wmic.exe
Token: SeShutdownPrivilege	852	wmic.exe
Token: SeDebugPrivilege	852	wmic.exe
Token: SeSystemEnvironmentPrivilege	852	wmic.exe
Token: SeRemoteShutdownPrivilege	852	wmic.exe
Token: SeUndockPrivilege	852	wmic.exe
Token: SeManageVolumePrivilege	852	wmic.exe
Token: 33	852	wmic.exe
Token: 34	852	wmic.exe
Token: 35	852	wmic.exe
Token: 36	852	wmic.exe
Token: SeIncreaseQuotaPrivilege	852	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
196	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4236	4696	1B59.tmp.bin.exe	78
PID 4696 wrote to memory of 4236	4696	1B59.tmp.bin.exe	78
PID 4696 wrote to memory of 4236	4696	1B59.tmp.bin.exe	78
PID 4236 wrote to memory of 732	4236	MicrosoftEdgeCPS.exe	79
PID 4236 wrote to memory of 732	4236	MicrosoftEdgeCPS.exe	79
PID 4236 wrote to memory of 732	4236	MicrosoftEdgeCPS.exe	79
PID 4236 wrote to memory of 852	4236	MicrosoftEdgeCPS.exe	81
PID 4236 wrote to memory of 852	4236	MicrosoftEdgeCPS.exe	81
PID 4236 wrote to memory of 852	4236	MicrosoftEdgeCPS.exe	81
PID 4236 wrote to memory of 1760	4236	MicrosoftEdgeCPS.exe	84
PID 4236 wrote to memory of 1760	4236	MicrosoftEdgeCPS.exe	84
PID 4236 wrote to memory of 1760	4236	MicrosoftEdgeCPS.exe	84
PID 4236 wrote to memory of 2068	4236	MicrosoftEdgeCPS.exe	86
PID 4236 wrote to memory of 2068	4236	MicrosoftEdgeCPS.exe	86
PID 4236 wrote to memory of 2068	4236	MicrosoftEdgeCPS.exe	86
PID 4236 wrote to memory of 2504	4236	MicrosoftEdgeCPS.exe	88
PID 4236 wrote to memory of 2504	4236	MicrosoftEdgeCPS.exe	88
PID 4236 wrote to memory of 2504	4236	MicrosoftEdgeCPS.exe	88
PID 4236 wrote to memory of 3048	4236	MicrosoftEdgeCPS.exe	90
PID 4236 wrote to memory of 3048	4236	MicrosoftEdgeCPS.exe	90
PID 4236 wrote to memory of 3048	4236	MicrosoftEdgeCPS.exe	90
PID 4236 wrote to memory of 4052	4236	MicrosoftEdgeCPS.exe	92
PID 4236 wrote to memory of 4052	4236	MicrosoftEdgeCPS.exe	92
PID 4236 wrote to memory of 4052	4236	MicrosoftEdgeCPS.exe	92
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 4496	4236	MicrosoftEdgeCPS.exe	95
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 196	4236	MicrosoftEdgeCPS.exe	97
PID 4236 wrote to memory of 2312	4236	MicrosoftEdgeCPS.exe	98
PID 4236 wrote to memory of 2312	4236	MicrosoftEdgeCPS.exe	98
PID 4236 wrote to memory of 2312	4236	MicrosoftEdgeCPS.exe	98
PID 4236 wrote to memory of 2312	4236	MicrosoftEdgeCPS.exe	98
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 4400	4236	MicrosoftEdgeCPS.exe	101
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102
PID 4236 wrote to memory of 1500	4236	MicrosoftEdgeCPS.exe	102

C:\Users\Admin\AppData\Local\Temp\1B59.tmp.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1B59.tmp.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" os get caption /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get caption /FORMAT:List
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get StatusCode /FORMAT:List
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get ResponseTime /FORMAT:List
    3⤵
    PID:4052
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4496
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:196
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\2.log"
    3⤵
    - Executes dropped EXE
    PID:2312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 88
      4⤵
      Program crash
      PID:2820
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\3.log"
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /VisitTimeFilterType 2 /VisitTimeFilterValue 6 /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\6.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-21-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/196-26-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1500-34-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1500-37-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2820-29-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/4236-7-0x0000000004630000-0x0000000006B85000-memory.dmp

Filesize
37.3MB

Download
memory/4400-30-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4400-33-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4496-19-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4496-16-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4696-2-0x0000000004890000-0x0000000006DE5000-memory.dmp

Filesize
37.3MB

Download
memory/4696-3-0x0000000000400000-0x0000000002955000-memory.dmp

Filesize
37.3MB

Download