diamondfox | 9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

Analysis

max time kernel
137s
max time network
55s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup579.exe
Size

459KB
MD5

195eecffa8cb3f26eb11eb4aa379eaf6
SHA1

88feb6f6d975581a680e07bd9f421167b6a852d1
SHA256

9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f
SHA512

03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 5 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral2/memory/636-126-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/636-127-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/636-128-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/3304-178-0x0000000000401000-mapping.dmp	diamondfox
behavioral2/memory/3304-180-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 4 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

996 MicrosoftEdgeCPS.exe
3240 MicrosoftEdgeCPS.exe
3304 MicrosoftEdgeCPS.exe
4340 MicrosoftEdgeCPS.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

860 powershell.exe

pid	process
996	MicrosoftEdgeCPS.exe
3240	MicrosoftEdgeCPS.exe
3304	MicrosoftEdgeCPS.exe
4340	MicrosoftEdgeCPS.exe

pid	process
860	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ccsetup579.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 4804 set thread context of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 996 set thread context of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ccsetup579.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

pid	process
4804	ccsetup579.exe
4804	ccsetup579.exe
860	powershell.exe
860	powershell.exe
860	powershell.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
996	MicrosoftEdgeCPS.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ccsetup579.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4804	ccsetup579.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	996	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	3484	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ccsetup579.execcsetup579.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 4804 wrote to memory of 636	4804	ccsetup579.exe	ccsetup579.exe
PID 636 wrote to memory of 996	636	ccsetup579.exe	MicrosoftEdgeCPS.exe
PID 636 wrote to memory of 996	636	ccsetup579.exe	MicrosoftEdgeCPS.exe
PID 636 wrote to memory of 996	636	ccsetup579.exe	MicrosoftEdgeCPS.exe
PID 636 wrote to memory of 860	636	ccsetup579.exe	powershell.exe
PID 636 wrote to memory of 860	636	ccsetup579.exe	powershell.exe
PID 636 wrote to memory of 860	636	ccsetup579.exe	powershell.exe
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3240	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 996 wrote to memory of 3304	996	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3304 wrote to memory of 4340	3304	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	powershell.exe
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	powershell.exe
PID 3304 wrote to memory of 3484	3304	MicrosoftEdgeCPS.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
4⤵
- Executes dropped EXE
PID:3240

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
5⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ccsetup579.exe' -Force -Recurse
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MicrosoftEdgeCPS.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
224eab1ee8f8bbf6b4683fb79b6055d1

SHA1
33cd2fdabbbc241411b813a9a27004ac36e750c1

SHA256
9adb51554502af88dcce67501fcf525760236a704332e44775d00cd132c23032

SHA512
8b2cfe4959f86f2f67e64d98c44ffd8bb8f9fc04a3a7cad4b8a07d313efb5269ee6986d13c7cfe08e9867bcd70f486c9e60880e78b0d15ab788d4b2075d049a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4b24ecd19cf67446916fa2ebeebde812

SHA1
272f4079cc50ba119a3ad0d6fe55c9acb5be94b3

SHA256
9a1130d6b27b525f4c2e8f154b983cf0efe7c1ea4333a90441461935f3b5b1c9

SHA512
74c367c48b1b98163d5b0fe2cad046cad74fa1a76878070787ef165bd288b2da28494dc3530d6a5d9bc1433bb2ec270b8a985e7c4dcaacccec12312d05f7fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
195eecffa8cb3f26eb11eb4aa379eaf6

SHA1
88feb6f6d975581a680e07bd9f421167b6a852d1

SHA256
9a5565b8e591a7bda1d7a8824c67e37c36933e056fba84c5e454ebd90d1b248f

SHA512
03b41c14b68990bead4a75fa35682b7c48ee97fb31d05d2f678d59826b66ea3b1211fb7ee3bffb0ba9c2ffe514ee78503674db25a49726717c160f3bc3b21f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\pidgin\pidgin.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/636-127-0x0000000000401000-mapping.dmp

Download
memory/636-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/636-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/860-167-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/860-132-0x0000000000000000-mapping.dmp

Download
memory/860-145-0x00000000010C2000-0x00000000010C3000-memory.dmp

Filesize
4KB

Download
memory/860-144-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/860-147-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/860-150-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/860-151-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/860-152-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/860-153-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/860-154-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/860-155-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/860-156-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/860-161-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/860-162-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/860-140-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/860-168-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/860-173-0x00000000010C3000-0x00000000010C4000-memory.dmp

Filesize
4KB

Download
memory/996-129-0x0000000000000000-mapping.dmp

Download
memory/996-142-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3304-178-0x0000000000401000-mapping.dmp

Download
memory/3304-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3484-205-0x0000000006713000-0x0000000006714000-memory.dmp

Filesize
4KB

Download
memory/3484-203-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/3484-201-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/3484-183-0x0000000000000000-mapping.dmp

Download
memory/4340-198-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4340-182-0x0000000000000000-mapping.dmp

Download
memory/4804-114-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4804-118-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4804-117-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4804-119-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4804-120-0x0000000005590000-0x0000000005594000-memory.dmp

Filesize
16KB

Download
memory/4804-116-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4804-125-0x0000000006D80000-0x0000000006D97000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads