diamondfox | 573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03

Analysis

max time kernel
142s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Size

485KB
MD5

1a01c1271297700846837182a5a2ec8b
SHA1

4fac1ede27ad29375398c3a46c5f33e7d5293637
SHA256

573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03
SHA512

3ad93395d5aae9f7696a11099b04306f0eef8d5a2d5abad8be4e537fe708094baf51cddaf57bb19251beb51f223c05d551d054effd21ff72315a54e5858195ff

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 4 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral2/memory/2836-136-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/2836-138-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/2444-162-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/2444-164-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Executes dropped EXE 3 IoCs

pid	Process
1088	MicrosoftEdgeCPS.exe
2444	MicrosoftEdgeCPS.exe
4332	MicrosoftEdgeCPS.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 1088 set thread context of 2444	1088	MicrosoftEdgeCPS.exe	93

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
2448	powershell.exe
2448	powershell.exe
1088	MicrosoftEdgeCPS.exe
1088	MicrosoftEdgeCPS.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1088	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	4432	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 3592 wrote to memory of 2836	3592	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	89
PID 2836 wrote to memory of 1088	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	90
PID 2836 wrote to memory of 1088	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	90
PID 2836 wrote to memory of 1088	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	90
PID 2836 wrote to memory of 2448	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	91
PID 2836 wrote to memory of 2448	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	91
PID 2836 wrote to memory of 2448	2836	573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe	91
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 1088 wrote to memory of 2444	1088	MicrosoftEdgeCPS.exe	93
PID 2444 wrote to memory of 4332	2444	MicrosoftEdgeCPS.exe	94
PID 2444 wrote to memory of 4332	2444	MicrosoftEdgeCPS.exe	94
PID 2444 wrote to memory of 4332	2444	MicrosoftEdgeCPS.exe	94
PID 2444 wrote to memory of 4432	2444	MicrosoftEdgeCPS.exe	96
PID 2444 wrote to memory of 4432	2444	MicrosoftEdgeCPS.exe	96
PID 2444 wrote to memory of 4432	2444	MicrosoftEdgeCPS.exe	96

C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
"C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:4332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\573efb195325f7f39b014f9a6062b0e464f7578b6fe2ae192749c26e460bbf03.exe' -Force -Recurse
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-147-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1088-142-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2444-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-141-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download
memory/2448-143-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/2448-145-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2448-148-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/2448-149-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/2448-150-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2448-151-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/2448-153-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/2448-152-0x0000000002CB5000-0x0000000002CB7000-memory.dmp

Filesize
8KB

Download
memory/2448-154-0x0000000006A40000-0x0000000006A5A000-memory.dmp

Filesize
104KB

Download
memory/2448-155-0x00000000077D0000-0x0000000007866000-memory.dmp

Filesize
600KB

Download
memory/2448-156-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/2448-144-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-146-0x0000000002CB2000-0x0000000002CB3000-memory.dmp

Filesize
4KB

Download
memory/2836-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-132-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/3592-135-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3592-134-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3592-133-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/3592-130-0x00000000008A0000-0x0000000000920000-memory.dmp

Filesize
512KB

Download
memory/3592-131-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4332-170-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4332-174-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4432-171-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4432-172-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4432-173-0x0000000005412000-0x0000000005413000-memory.dmp

Filesize
4KB

Download
memory/4432-175-0x0000000005415000-0x0000000005417000-memory.dmp

Filesize
8KB

Download