diamondfox | 7f60e7e84d3c41ba78df6718bf8b3e41af626956e56f9e98ca5a370f6ef7f53c

General

Target

54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
Size

1.5MB
MD5

d04da71fa3ec4f986aebf533c7f500cd
SHA1

351792c9d94e6fefc9ba91a12d1a220eb28eb7b7
SHA256

54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02
SHA512

713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral1/memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp	diamondfox
behavioral1/memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

EdgeCommonService.exe

pid process

888 EdgeCommonService.exe

pid	process
888	EdgeCommonService.exe

Loads dropped DLL 3 IoCs

Processes:

54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exeEdgeCommonService.exe

pid	process
2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
888	EdgeCommonService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exepowershell.exe

pid process

2952 chrome.exe
1160 powershell.exe
1160 powershell.exe

pid	process
2952	chrome.exe
1160	powershell.exe
1160	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXEpowershell.exe

description	pid	process
Token: 33	1296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1296	AUDIODG.EXE
Token: 33	1296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1296	AUDIODG.EXE
Token: SeDebugPrivilege	1160	powershell.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exeEdgeCommonService.exe

pid process

2772 54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
888 EdgeCommonService.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exeEdgeCommonService.exe

description	pid	process	target process
PID 2772 wrote to memory of 888	2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe	EdgeCommonService.exe
PID 2772 wrote to memory of 888	2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe	EdgeCommonService.exe
PID 2772 wrote to memory of 888	2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe	EdgeCommonService.exe
PID 2772 wrote to memory of 888	2772	54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe	EdgeCommonService.exe
PID 888 wrote to memory of 1160	888	EdgeCommonService.exe	powershell.exe
PID 888 wrote to memory of 1160	888	EdgeCommonService.exe	powershell.exe
PID 888 wrote to memory of 1160	888	EdgeCommonService.exe	powershell.exe
PID 888 wrote to memory of 1160	888	EdgeCommonService.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe
"C:\Users\Admin\AppData\Local\Temp\54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
"C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,12343350832012158813,10442529651844132122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
MD5
d04da71fa3ec4f986aebf533c7f500cd

SHA1
351792c9d94e6fefc9ba91a12d1a220eb28eb7b7

SHA256
54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02

SHA512
713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Download Submit
C:\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
MD5
d04da71fa3ec4f986aebf533c7f500cd

SHA1
351792c9d94e6fefc9ba91a12d1a220eb28eb7b7

SHA256
54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02

SHA512
713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Download Submit
\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
MD5
d04da71fa3ec4f986aebf533c7f500cd

SHA1
351792c9d94e6fefc9ba91a12d1a220eb28eb7b7

SHA256
54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02

SHA512
713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Download Submit
\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
MD5
d04da71fa3ec4f986aebf533c7f500cd

SHA1
351792c9d94e6fefc9ba91a12d1a220eb28eb7b7

SHA256
54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02

SHA512
713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Download Submit
\Users\Admin\AppData\Local\CommsEdge\EdgeCommonService.exe
MD5
d04da71fa3ec4f986aebf533c7f500cd

SHA1
351792c9d94e6fefc9ba91a12d1a220eb28eb7b7

SHA256
54cc0861c094317e4aafa4508e389e626588e1a1b6455deb445c5816ed7c2d02

SHA512
713ca22d97673fc30b3d164375cf5d5629b7d6d680d82b8cb552c65592eb619735fc1ce8e5c92a93112d49baf37a24aed244f4bd721de8177d5fba12cec36840

Download Submit
memory/888-70-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/888-65-0x0000000000000000-mapping.dmp

Download
memory/1160-73-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1160-93-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/1160-109-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1160-71-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1160-72-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1160-108-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/1160-74-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1160-75-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/1160-76-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1160-79-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/1160-84-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1160-85-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1160-86-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1160-68-0x0000000000000000-mapping.dmp

Download
memory/1160-94-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/2116-62-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/2772-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/2772-60-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2772-61-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads