diamondfox | 573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

Analysis

max time kernel
4294192s
max time network
122s
platform
windows7_x64
resource
win7-20220223-en
submitted
10-03-2022 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Size

485KB
MD5

1a01c1271297700846837182a5a2ec8b
SHA1

4fac1ede27ad29375398c3a46c5f33e7d5293637
SHA256

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03
SHA512

3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/memory/844-69-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral1/memory/844-72-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral1/memory/592-101-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

pid	Process
1108	MicrosoftEdgeCPS.exe
592	MicrosoftEdgeCPS.exe
1532	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

pid	Process
1920	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1108	MicrosoftEdgeCPS.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1108 set thread context of 592	1108	MicrosoftEdgeCPS.exe	33

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
1920	powershell.exe
1108	MicrosoftEdgeCPS.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1108	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 1052 wrote to memory of 844	1052	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	29
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	30
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	30
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	30
PID 844 wrote to memory of 1108	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	30
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	32
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	32
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	32
PID 844 wrote to memory of 1920	844	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	32
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 1108 wrote to memory of 592	1108	MicrosoftEdgeCPS.exe	33
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	34
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	34
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	34
PID 592 wrote to memory of 1532	592	MicrosoftEdgeCPS.exe	34
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	35
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	35
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	35
PID 592 wrote to memory of 1756	592	MicrosoftEdgeCPS.exe	35

C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
"C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:1532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe' -Force -Recurse
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-71-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/844-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-56-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1052-55-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-57-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1052-58-0x0000000000560000-0x000000000057E000-memory.dmp

Filesize
120KB

Download
memory/1052-54-0x0000000000340000-0x00000000003C0000-memory.dmp

Filesize
512KB

Download
memory/1108-79-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1108-78-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-76-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1532-108-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-106-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1532-110-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1756-109-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-111-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1756-112-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-113-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1756-114-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1920-84-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-83-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-82-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-81-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1920-80-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download