Overview

overview

10

Static

static

b526619f97...in.exe

windows7_x64

10

b526619f97...in.exe

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06/04/2021, 13:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe

  • Size

    190KB

  • MD5

    2bc219ed6654653e817a2960ac924a7e

  • SHA1

    c547d9c8ea50473b72c0b85672cf32ca5e9558b8

  • SHA256

    b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4

  • SHA512

    6edebb8ed8bae2f50b64f903b52f82385daca9a9f1b2e87b57deabe3e8da593f9aed1903c86fe8fc443e86f7645428f89a38e78e9e1d26da6d8af05594ed2752

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\b526619f97cfcfb709fb1684d01e82b6511bb9e2eab52570f39b7498dccbedf4.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\InSecharex\SearchIndexer.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2272
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2588

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/636-17-0x00000000081B0000-0x00000000081B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-25-0x00000000098C0000-0x00000000098C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-12-0x0000000007320000-0x0000000007321000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-13-0x0000000007A90000-0x0000000007A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-14-0x0000000007450000-0x0000000007451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-15-0x0000000007452000-0x0000000007453000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-16-0x00000000079B0000-0x00000000079B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-11-0x0000000073C40000-0x000000007432E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/636-18-0x0000000008140000-0x0000000008141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-19-0x0000000008400000-0x0000000008401000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-20-0x00000000082E0000-0x00000000082E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-21-0x0000000008890000-0x0000000008891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-22-0x0000000008B00000-0x0000000008B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-23-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-24-0x0000000009870000-0x0000000009871000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-31-0x0000000007453000-0x0000000007454000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-26-0x000000000A150000-0x000000000A151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-27-0x000000000ACD0000-0x000000000ACD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/744-6-0x0000000003410000-0x0000000003428000-memory.dmp

          Filesize

          96KB

          Download

        • memory/744-9-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/744-4-0x0000000000400000-0x0000000002FA5000-memory.dmp

          Filesize

          43.6MB

          Download

        • memory/744-2-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

          Download

        • memory/744-3-0x00000000031E0000-0x000000000320C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/744-5-0x0000000003570000-0x0000000003571000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2272-58-0x0000000002903000-0x0000000002904000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2272-42-0x0000000073340000-0x0000000073A2E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2272-48-0x0000000002900000-0x0000000002901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2272-50-0x0000000002902000-0x0000000002903000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2272-49-0x0000000007660000-0x0000000007661000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2272-53-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-81-0x0000000008B80000-0x0000000008B81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-88-0x0000000006900000-0x0000000006901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-60-0x0000000073260000-0x000000007394E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2588-63-0x0000000004260000-0x0000000004261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-64-0x0000000004262000-0x0000000004263000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-68-0x0000000007680000-0x0000000007681000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-86-0x0000000006910000-0x0000000006911000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-71-0x0000000008000000-0x0000000008001000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-74-0x0000000008BA0000-0x0000000008BD3000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2588-84-0x0000000004263000-0x0000000004264000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-82-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-83-0x000000007EAE0000-0x000000007EAE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4072-35-0x0000000003720000-0x0000000003721000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4072-32-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download