Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

nine.exe

windows7_x64

10

nine.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4265208s
  • max time network
    263s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17/01/2022, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nine.exe

  • Size

    210KB

  • MD5

    4440d9bb248b6ecb966eef7af0ec276c

  • SHA1

    dba8eb889861da4252bc2aca9794062a87fb6056

  • SHA256

    93e7ecd77057b7388f80a012e15977613f6fa01bda350e684facdce6fee8e1da

  • SHA512

    95abb7d39550c8b4b775d98e859e10eca7aa22193becd8656632b87689388c094ce872bf2aa0f24732d965b03ffa65f99e48774941c58779802e501d9bb610d6

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • DiamondFox payload 3 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nine.exe
    "C:\Users\Admin\AppData\Local\Temp\nine.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\nine.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
        "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 480
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:904
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3404 -ip 3404
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1548-159-0x0000000000400000-0x0000000001A9E000-memory.dmp

    Filesize

    22.6MB

    Download

  • memory/1548-158-0x0000000001D20000-0x0000000001D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1548-157-0x0000000001D20000-0x0000000001D26000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1548-156-0x0000000001C23000-0x0000000001C2F000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2292-144-0x0000000008260000-0x00000000082C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-148-0x0000000008E40000-0x0000000008E5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2292-139-0x0000000007A80000-0x00000000080A8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2292-140-0x0000000007440000-0x0000000007441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-141-0x0000000007442000-0x0000000007443000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-142-0x00000000080E0000-0x0000000008102000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2292-143-0x0000000008180000-0x00000000081E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-155-0x0000000004F30000-0x0000000004F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-145-0x00000000089B0000-0x00000000089CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2292-146-0x0000000007445000-0x0000000007447000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2292-147-0x0000000008EC0000-0x0000000008F56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2292-138-0x00000000073B0000-0x00000000073E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2292-149-0x0000000008E90000-0x0000000008EB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2292-150-0x0000000009F80000-0x000000000A524000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2292-151-0x000000000ABB0000-0x000000000B22A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2292-136-0x0000000004F30000-0x0000000004F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-137-0x0000000004F30000-0x0000000004F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-130-0x0000000001CD3000-0x0000000001CDF000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3404-134-0x0000000000400000-0x0000000001A9E000-memory.dmp

    Filesize

    22.6MB

    Download

  • memory/3404-133-0x0000000001C70000-0x0000000001C7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3404-132-0x0000000001C70000-0x0000000001C76000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3404-131-0x00000000001C0000-0x00000000001D8000-memory.dmp

    Filesize

    96KB

    Download