diamondfox | 9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

Analysis

max time kernel
132s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
Size

459KB
MD5

195eecffa8cb3f26eb11eb4aa379eaf6
SHA1

88feb6f6d975581a680e07bd9f421167b6a852d1
SHA256

9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f
SHA512

03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 5 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral2/memory/2236-126-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/2236-127-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/2236-128-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/3736-177-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/3736-180-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

3912 MicrosoftEdgeCPS.exe
3736 MicrosoftEdgeCPS.exe
2156 MicrosoftEdgeCPS.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3940 powershell.exe

pid	process
3912	MicrosoftEdgeCPS.exe
3736	MicrosoftEdgeCPS.exe
2156	MicrosoftEdgeCPS.exe

pid	process
3940	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Malware.AI.637444914.182.16712.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1736 set thread context of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 3912 set thread context of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SecuriteInfo.com.Malware.AI.637444914.182.16712.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

pid	process
1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
3912	MicrosoftEdgeCPS.exe
3912	MicrosoftEdgeCPS.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Malware.AI.637444914.182.16712.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3912	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SecuriteInfo.com.Malware.AI.637444914.182.16712.exeSecuriteInfo.com.Malware.AI.637444914.182.16712.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 1736 wrote to memory of 2236	1736	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	MicrosoftEdgeCPS.exe
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	MicrosoftEdgeCPS.exe
PID 2236 wrote to memory of 3912	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	MicrosoftEdgeCPS.exe
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	powershell.exe
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	powershell.exe
PID 2236 wrote to memory of 3940	2236	SecuriteInfo.com.Malware.AI.637444914.182.16712.exe	powershell.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3912 wrote to memory of 3736	3912	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3736 wrote to memory of 2156	3736	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	powershell.exe
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	powershell.exe
PID 3736 wrote to memory of 2056	3736	MicrosoftEdgeCPS.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
5⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Malware.AI.637444914.182.16712.exe' -Force -Recurse
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MicrosoftEdgeCPS.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
224eab1ee8f8bbf6b4683fb79b6055d1

SHA1
33cd2fdabbbc241411b813a9a27004ac36e750c1

SHA256
9adb51554502af88dcce67501fcf525760236a704332e44775d00cd132c23032

SHA512
8b2cfe4959f86f2f67e64d98c44ffd8bb8f9fc04a3a7cad4b8a07d313efb5269ee6986d13c7cfe08e9867bcd70f486c9e60880e78b0d15ab788d4b2075d049a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9755cc52d827913cecf7d04f04022c1a

SHA1
8332a71a56c35bb3cc5078f598f408e0807a66d2

SHA256
863bc2216f4aa2ea760e02a7a6e788718784941ce4a5fbfdafe410df11560400

SHA512
16721d8e4b07f64e9742431d581b5da3f718873129c602de34acd5d3985838ea54582287204440605d307a25b5fba24b8d186255da59155f7811eb8268182f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\pidgin\pidgin.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
memory/1736-116-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1736-118-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1736-120-0x0000000005AC0000-0x0000000005AC4000-memory.dmp

Filesize
16KB

Download
memory/1736-119-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1736-114-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1736-117-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1736-125-0x0000000005C30000-0x0000000005C47000-memory.dmp

Filesize
92KB

Download
memory/2056-182-0x0000000000000000-mapping.dmp

Download
memory/2056-204-0x0000000006623000-0x0000000006624000-memory.dmp

Filesize
4KB

Download
memory/2056-202-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/2056-203-0x0000000006622000-0x0000000006623000-memory.dmp

Filesize
4KB

Download
memory/2156-181-0x0000000000000000-mapping.dmp

Download
memory/2156-201-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2236-127-0x0000000000401000-mapping.dmp

Download
memory/2236-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-177-0x0000000000401000-mapping.dmp

Download
memory/3912-151-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3912-129-0x0000000000000000-mapping.dmp

Download
memory/3940-147-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/3940-173-0x0000000006613000-0x0000000006614000-memory.dmp

Filesize
4KB

Download
memory/3940-168-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/3940-167-0x0000000008CB0000-0x0000000008CB1000-memory.dmp

Filesize
4KB

Download
memory/3940-162-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/3940-161-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/3940-156-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3940-155-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3940-154-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/3940-153-0x0000000006612000-0x0000000006613000-memory.dmp

Filesize
4KB

Download
memory/3940-152-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/3940-150-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3940-149-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3940-148-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3940-141-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3940-140-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3940-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads