diamondfox | be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
08-03-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
Size

304KB
MD5

5a44c99ad691038006c6ed68f3cdbf7e
SHA1

f120f9ac21d278bcee07f288c56da69b7a38d4bf
SHA256

be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f
SHA512

14e8cb45e7fff8fd9ddad8b92645702faa64781521d428f636ad9c492889dc799862a028185ceed1426f8254bfe6e671b3dd5a826dc4afc92b7b559f89c1a8cc

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 4 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral2/memory/4756-133-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/4756-135-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/1344-159-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/1344-161-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

pid	Process
2336	MicrosoftEdgeCPS.exe
1344	MicrosoftEdgeCPS.exe
1040	MicrosoftEdgeCPS.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 2336 set thread context of 1344	2336	MicrosoftEdgeCPS.exe	98

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
2288	powershell.exe
2288	powershell.exe
2336	MicrosoftEdgeCPS.exe
2336	MicrosoftEdgeCPS.exe
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2336	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	5052	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4736	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	91
PID 1476 wrote to memory of 4736	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	91
PID 1476 wrote to memory of 4736	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	91
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 1476 wrote to memory of 4756	1476	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	92
PID 4756 wrote to memory of 2336	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	93
PID 4756 wrote to memory of 2336	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	93
PID 4756 wrote to memory of 2336	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	93
PID 4756 wrote to memory of 2288	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	94
PID 4756 wrote to memory of 2288	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	94
PID 4756 wrote to memory of 2288	4756	be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe	94
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 2336 wrote to memory of 1344	2336	MicrosoftEdgeCPS.exe	98
PID 1344 wrote to memory of 1040	1344	MicrosoftEdgeCPS.exe	100
PID 1344 wrote to memory of 1040	1344	MicrosoftEdgeCPS.exe	100
PID 1344 wrote to memory of 1040	1344	MicrosoftEdgeCPS.exe	100
PID 1344 wrote to memory of 5052	1344	MicrosoftEdgeCPS.exe	101
PID 1344 wrote to memory of 5052	1344	MicrosoftEdgeCPS.exe	101
PID 1344 wrote to memory of 5052	1344	MicrosoftEdgeCPS.exe	101

C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
"C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
  C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
  2⤵
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
  C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:1040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\be9b864a9cb2256b2c1b09543bd047023c53b915a26e85d16b5f987c1163ae8f.exe' -Force -Recurse
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-166-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1040-167-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1344-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1476-130-0x00000000002F0000-0x0000000000342000-memory.dmp

Filesize
328KB

Download
memory/1476-132-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1476-131-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2288-140-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-143-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2288-149-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2288-150-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/2288-151-0x0000000004E55000-0x0000000004E57000-memory.dmp

Filesize
8KB

Download
memory/2288-152-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/2288-153-0x00000000068F0000-0x0000000006912000-memory.dmp

Filesize
136KB

Download
memory/2288-154-0x0000000008590000-0x0000000008B34000-memory.dmp

Filesize
5.6MB

Download
memory/2288-147-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/2288-146-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2288-145-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/2288-148-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/2288-144-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/2288-138-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/2288-141-0x0000000004E52000-0x0000000004E53000-memory.dmp

Filesize
4KB

Download
memory/2336-142-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2336-139-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/4756-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4756-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-168-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/5052-170-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/5052-169-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/5052-172-0x0000000004A25000-0x0000000004A27000-memory.dmp

Filesize
8KB

Download