diamondfox | 9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

Analysis

max time kernel
132s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
28/05/2021, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
Size

459KB
MD5

195eecffa8cb3f26eb11eb4aa379eaf6
SHA1

88feb6f6d975581a680e07bd9f421167b6a852d1
SHA256

9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f
SHA512

03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 5 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/2236-126-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/2236-127-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/2236-128-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/3736-177-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/3736-180-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

pid	Process
3912	MicrosoftEdgeCPS.exe
3736	MicrosoftEdgeCPS.exe
2156	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

pid	Process
3940	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 3912 set thread context of 3736	3912	MicrosoftEdgeCPS.exe	83

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
3912	MicrosoftEdgeCPS.exe
3912	MicrosoftEdgeCPS.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3912	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	79
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	80
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	80
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	80
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	81
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	81
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	81
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	83
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	84
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	84
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	84
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	85
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	85
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:2156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe' -Force -Recurse
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-116-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1736-118-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1736-120-0x0000000005AC0000-0x0000000005AC4000-memory.dmp

Filesize
16KB

Download
memory/1736-119-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1736-114-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1736-117-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1736-125-0x0000000005C30000-0x0000000005C47000-memory.dmp

Filesize
92KB

Download
memory/2056-204-0x0000000006623000-0x0000000006624000-memory.dmp

Filesize
4KB

Download
memory/2056-202-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/2056-203-0x0000000006622000-0x0000000006623000-memory.dmp

Filesize
4KB

Download
memory/2156-201-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2236-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-151-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3940-147-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/3940-173-0x0000000006613000-0x0000000006614000-memory.dmp

Filesize
4KB

Download
memory/3940-168-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/3940-167-0x0000000008CB0000-0x0000000008CB1000-memory.dmp

Filesize
4KB

Download
memory/3940-162-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/3940-161-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/3940-156-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3940-155-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3940-154-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/3940-153-0x0000000006612000-0x0000000006613000-memory.dmp

Filesize
4KB

Download
memory/3940-152-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/3940-150-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3940-149-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3940-148-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3940-141-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3940-140-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download