diamondfox | 9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

Analysis

max time kernel
137s
max time network
55s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup579.exe
Size

459KB
MD5

195eecffa8cb3f26eb11eb4aa379eaf6
SHA1

88feb6f6d975581a680e07bd9f421167b6a852d1
SHA256

9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f
SHA512

03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 5 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/636-126-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/636-127-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/636-128-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/3304-178-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/3304-180-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 4 IoCs

pid	Process
996	MicrosoftEdgeCPS.exe
3240	MicrosoftEdgeCPS.exe
3304	MicrosoftEdgeCPS.exe
4340	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

pid	Process
860	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4804 set thread context of 636	4804	ccsetup579.exe	78
PID 996 set thread context of 3304	996	MicrosoftEdgeCPS.exe	83

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4804	ccsetup579.exe
4804	ccsetup579.exe
860	powershell.exe
860	powershell.exe
860	powershell.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	ccsetup579.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	996	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	3484	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	78
PID 636 wrote to memory of 996	636	ccsetup579.exe	79
PID 636 wrote to memory of 996	636	ccsetup579.exe	79
PID 636 wrote to memory of 996	636	ccsetup579.exe	79
PID 636 wrote to memory of 860	636	ccsetup579.exe	80
PID 636 wrote to memory of 860	636	ccsetup579.exe	80
PID 636 wrote to memory of 860	636	ccsetup579.exe	80
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	82
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	82
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	82
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	83
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	84
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	84
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	84
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	85
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	85
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	85

C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
  C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:4340
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe' -Force -Recurse
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/636-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/860-167-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/860-145-0x00000000010C2000-0x00000000010C3000-memory.dmp

Filesize
4KB

Download
memory/860-144-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/860-147-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/860-150-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/860-151-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/860-152-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/860-153-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/860-154-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/860-155-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/860-156-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/860-161-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/860-162-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/860-140-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/860-168-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/860-173-0x00000000010C3000-0x00000000010C4000-memory.dmp

Filesize
4KB

Download
memory/996-142-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3304-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3484-205-0x0000000006713000-0x0000000006714000-memory.dmp

Filesize
4KB

Download
memory/3484-203-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/3484-201-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/4340-198-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4804-114-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4804-118-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4804-117-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4804-119-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4804-120-0x0000000005590000-0x0000000005594000-memory.dmp

Filesize
16KB

Download
memory/4804-116-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4804-125-0x0000000006D80000-0x0000000006D97000-memory.dmp

Filesize
92KB

Download