diamondfox | b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4

General

Target

b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
Size

190KB
MD5

2bc219ed6654653e817a2960ac924a7e
SHA1

c547d9c8ea50473b72c0b85672cf32ca5e9558b8
SHA256

b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4
SHA512

6edebb8ed8bae2f50b64f903b52f82385daca9a9f1b2e87b57deabe3e8da593f9aed1903c86fe8fc443e86f7645428f89a38e78e9e1d26da6d8af05594ed2752

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral2/memory/744-6-0x0000000003410000-0x0000000003428000-memory.dmp	diamondfox
behavioral2/memory/744-9-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

SearchIndexer.exe

pid process

4072 SearchIndexer.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4072	SearchIndexer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exePowershell.exe

pid	process
636	powershell.exe
636	powershell.exe
636	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
2588	Powershell.exe
2588	Powershell.exe
2588	Powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exePowershell.exe

description pid process

Token: SeDebugPrivilege 636 powershell.exe
Token: SeDebugPrivilege 2272 powershell.exe
Token: SeDebugPrivilege 2588 Powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exeSearchIndexer.exe

pid process

744 b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
4072 SearchIndexer.exe

description	pid	process
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2588	Powershell.exe

pid	process
744	b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
4072	SearchIndexer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exepowershell.exeSearchIndexer.exe

description	pid	process	target process
PID 744 wrote to memory of 636	744	b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe	powershell.exe
PID 744 wrote to memory of 636	744	b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe	powershell.exe
PID 744 wrote to memory of 636	744	b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe	powershell.exe
PID 636 wrote to memory of 4072	636	powershell.exe	SearchIndexer.exe
PID 636 wrote to memory of 4072	636	powershell.exe	SearchIndexer.exe
PID 636 wrote to memory of 4072	636	powershell.exe	SearchIndexer.exe
PID 4072 wrote to memory of 2272	4072	SearchIndexer.exe	powershell.exe
PID 4072 wrote to memory of 2272	4072	SearchIndexer.exe	powershell.exe
PID 4072 wrote to memory of 2272	4072	SearchIndexer.exe	powershell.exe
PID 4072 wrote to memory of 2588	4072	SearchIndexer.exe	Powershell.exe
PID 4072 wrote to memory of 2588	4072	SearchIndexer.exe	Powershell.exe
PID 4072 wrote to memory of 2588	4072	SearchIndexer.exe	Powershell.exe

C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe
"C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe
MD5
2bc219ed6654653e817a2960ac924a7e

SHA1
c547d9c8ea50473b72c0b85672cf32ca5e9558b8

SHA256
b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4

SHA512
6edebb8ed8bae2f50b64f903b52f82385daca9a9f1b2e87b57deabe3e8da593f9aed1903c86fe8fc443e86f7645428f89a38e78e9e1d26da6d8af05594ed2752

Download Submit
C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe
MD5
2bc219ed6654653e817a2960ac924a7e

SHA1
c547d9c8ea50473b72c0b85672cf32ca5e9558b8

SHA256
b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4

SHA512
6edebb8ed8bae2f50b64f903b52f82385daca9a9f1b2e87b57deabe3e8da593f9aed1903c86fe8fc443e86f7645428f89a38e78e9e1d26da6d8af05594ed2752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
269e1ceb4dd8990a7d78e18f550a7869

SHA1
93453d0d403c93c14433911077cc7fe6725f550e

SHA256
fbf3ae6a884c5a477aadb9b8c2bc6bec0b3b0f801574bd3f7b89432ec530d0d2

SHA512
f8dc821b82a3a4d4301dff3285c73d8139744082a43de80e80561b1bb99572b80e56ac9b73cfc392808b3a44eb3634fb7e16bb7e0238e094d4953192edb8d596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3915dc6cc01d82bb7546d4e2089c9c0

SHA1
b2a7ba7907e965a2114663334455e9169df0ca9a

SHA256
b06380d5316922b1547a183caba29487249516474af932e6cd94956044233290

SHA512
677e08a50e8fca6f1f819e7786ac2d909c160c1d05d7f66b208e98ae6e6cdad6edbc36bbdd7addd6e89b7896a1932f59e31a26e9715ff3db25259206911ea838

Download Submit
memory/636-17-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/636-25-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/636-12-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/636-13-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/636-14-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/636-15-0x0000000007452000-0x0000000007453000-memory.dmp

Filesize
4KB

Download
memory/636-16-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/636-11-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/636-18-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/636-19-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/636-20-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/636-21-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/636-22-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/636-23-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/636-24-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/636-31-0x0000000007453000-0x0000000007454000-memory.dmp

Filesize
4KB

Download
memory/636-26-0x000000000A150000-0x000000000A151000-memory.dmp

Filesize
4KB

Download
memory/636-27-0x000000000ACD0000-0x000000000ACD1000-memory.dmp

Filesize
4KB

Download
memory/636-10-0x0000000000000000-mapping.dmp

Download
memory/744-6-0x0000000003410000-0x0000000003428000-memory.dmp

Filesize
96KB

Download
memory/744-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/744-4-0x0000000000400000-0x0000000002FA5000-memory.dmp

Filesize
43.6MB

Download
memory/744-2-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/744-3-0x00000000031E0000-0x000000000320C000-memory.dmp

Filesize
176KB

Download
memory/744-5-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2272-58-0x0000000002903000-0x0000000002904000-memory.dmp

Filesize
4KB

Download
memory/2272-40-0x0000000000000000-mapping.dmp

Download
memory/2272-42-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-48-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2272-50-0x0000000002902000-0x0000000002903000-memory.dmp

Filesize
4KB

Download
memory/2272-49-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/2272-53-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/2588-59-0x0000000000000000-mapping.dmp

Download
memory/2588-81-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/2588-88-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/2588-60-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-63-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2588-64-0x0000000004262000-0x0000000004263000-memory.dmp

Filesize
4KB

Download
memory/2588-68-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/2588-86-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/2588-71-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/2588-74-0x0000000008BA0000-0x0000000008BD3000-memory.dmp

Filesize
204KB

Download
memory/2588-84-0x0000000004263000-0x0000000004264000-memory.dmp

Filesize
4KB

Download
memory/2588-82-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

Filesize
4KB

Download
memory/2588-83-0x000000007EAE0000-0x000000007EAE1000-memory.dmp

Filesize
4KB

Download
memory/4072-35-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/4072-28-0x0000000000000000-mapping.dmp

Download
memory/4072-32-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads