Overview

overview

10

Static

static

nine.exe

windows7_x64

10

nine.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    286s
  • max time network
    288s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    17/01/2022, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nine.exe

  • Size

    210KB

  • MD5

    4440d9bb248b6ecb966eef7af0ec276c

  • SHA1

    dba8eb889861da4252bc2aca9794062a87fb6056

  • SHA256

    93e7ecd77057b7388f80a012e15977613f6fa01bda350e684facdce6fee8e1da

  • SHA512

    95abb7d39550c8b4b775d98e859e10eca7aa22193becd8656632b87689388c094ce872bf2aa0f24732d965b03ffa65f99e48774941c58779802e501d9bb610d6

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 3 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nine.exe
    "C:\Users\Admin\AppData\Local\Temp\nine.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\nine.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/524-63-0x0000000001FF1000-0x0000000001FF2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/524-64-0x0000000001FF2000-0x0000000001FF4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/524-61-0x00000000763F1000-0x00000000763F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/524-62-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/748-69-0x0000000001C09000-0x0000000001C14000-memory.dmp

    Filesize

    44KB

    Download

  • memory/748-72-0x0000000000400000-0x0000000001A9E000-memory.dmp

    Filesize

    22.6MB

    Download

  • memory/1660-59-0x0000000000240000-0x000000000024A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1660-58-0x0000000000400000-0x0000000001A9E000-memory.dmp

    Filesize

    22.6MB

    Download

  • memory/1660-57-0x0000000000020000-0x0000000000038000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1660-55-0x0000000001B88000-0x0000000001B94000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1660-56-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download