diamondfox | 573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

Analysis

max time kernel
4294192s
max time network
122s
platform
windows7_x64
resource
win7-20220223-en
submitted
10-03-2022 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Size

485KB
MD5

1a01c1271297700846837182a5a2ec8b
SHA1

4fac1ede27ad29375398c3a46c5f33e7d5293637
SHA256

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03
SHA512

3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/844-69-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral1/memory/844-72-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral1/memory/592-101-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

1108 MicrosoftEdgeCPS.exe
592 MicrosoftEdgeCPS.exe
1532 MicrosoftEdgeCPS.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1920 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exeMicrosoftEdgeCPS.exe

pid process

844 573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1108 MicrosoftEdgeCPS.exe

pid	process
1108	MicrosoftEdgeCPS.exe
592	MicrosoftEdgeCPS.exe
1532	MicrosoftEdgeCPS.exe

pid	process
1920	powershell.exe

pid	process
844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1108	MicrosoftEdgeCPS.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1052 set thread context of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1108 set thread context of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

pid	process
1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1920	powershell.exe
1108	MicrosoftEdgeCPS.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exepowershell.exeMicrosoftEdgeCPS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1108	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	powershell.exe
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	powershell.exe
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	powershell.exe
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	powershell.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	powershell.exe
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	powershell.exe
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	powershell.exe
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
"C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:1532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe' -Force -Recurse
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0f06e98cd9f4de2bbebaf8fe724bb927

SHA1
320cfa0f289b7d1dbb0ad7d060f6927ef83e2b08

SHA256
fbd6fd1473477effad1f3821c66742b15b9b055146ae1f81eb5be052a5315f87

SHA512
b59fba66234d0d74a65b4b5be7a3c87b85b7e2cbc65c09218521db0600a4af1aa9309d3b03139fa18bf2240bdfae53daf926d835dc6a0c2785804e8d5465cd18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\pidgin\pidgin.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5
1a01c1271297700846837182a5a2ec8b

SHA1
4fac1ede27ad29375398c3a46c5f33e7d5293637

SHA256
573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

SHA512
3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Download Submit
memory/592-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-71-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/844-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-56-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1052-55-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-57-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1052-58-0x0000000000560000-0x000000000057E000-memory.dmp

Filesize
120KB

Download
memory/1052-54-0x0000000000340000-0x00000000003C0000-memory.dmp

Filesize
512KB

Download
memory/1108-79-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1108-78-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-76-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1532-108-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-106-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1532-110-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1756-109-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-111-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1756-112-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-113-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1756-114-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1920-84-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-83-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-82-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-81-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-80-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download