Overview

overview

10

Static

static

b526619f97...in.exe

windows7_x64

10

b526619f97...in.exe

windows10_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    06/04/2021, 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe

  • Size

    190KB

  • MD5

    2bc219ed6654653e817a2960ac924a7e

  • SHA1

    c547d9c8ea50473b72c0b85672cf32ca5e9558b8

  • SHA256

    b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4

  • SHA512

    6edebb8ed8bae2f50b64f903b52f82385daca9a9f1b2e87b57deabe3e8da593f9aed1903c86fe8fc443e86f7645428f89a38e78e9e1d26da6d8af05594ed2752

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1036-8-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1036-7-0x0000000000020000-0x0000000000038000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1036-2-0x0000000003230000-0x0000000003241000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1036-4-0x0000000000400000-0x0000000002FA5000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/1036-3-0x0000000000220000-0x000000000024C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1620-41-0x0000000003130000-0x0000000003141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1784-26-0x00000000060D0000-0x00000000060D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-17-0x0000000002520000-0x0000000002521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-35-0x0000000006280000-0x0000000006281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-11-0x00000000760F1000-0x00000000760F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1784-12-0x0000000074570000-0x0000000074C5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1784-13-0x0000000001E70000-0x0000000001E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-14-0x0000000004760000-0x0000000004761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-15-0x0000000002600000-0x0000000002601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-16-0x0000000002602000-0x0000000002603000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-36-0x00000000062D0000-0x00000000062D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-28-0x00000000061F0000-0x00000000061F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-27-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-21-0x0000000006090000-0x0000000006091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-18-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-59-0x0000000004920000-0x0000000004921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-56-0x0000000004A00000-0x0000000004A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-57-0x0000000004A02000-0x0000000004A03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-55-0x0000000004A40000-0x0000000004A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-69-0x00000000062D0000-0x00000000062D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-54-0x0000000002450000-0x0000000002451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-53-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1952-58-0x0000000002600000-0x0000000002601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-77-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-75-0x0000000073860000-0x0000000073F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2024-76-0x0000000001E90000-0x0000000001E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-78-0x0000000002610000-0x0000000002611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-79-0x0000000004A80000-0x0000000004A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-80-0x0000000004A82000-0x0000000004A83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-81-0x0000000004890000-0x0000000004891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-82-0x00000000056F0000-0x00000000056F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-85-0x0000000005750000-0x0000000005751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-97-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-98-0x0000000006280000-0x0000000006281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-99-0x0000000006290000-0x0000000006291000-memory.dmp

    Filesize

    4KB

    Download