Analysis

  • max time kernel
    4294197s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    14-03-2022 17:30

General

  • Target

    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

  • Size

    963KB

  • MD5

    a38a7e72a110324734a6a1f76e2c6e00

  • SHA1

    849d24d21ac83486ce9ea730d97993e08d9733df

  • SHA256

    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35

  • SHA512

    faf091768e2057b36c458b84c8024c4d6ee8ea61ea49e3fab3258c9e977a8a22360ebc85a054adbbec6a8fba7aaf1e9b708ef719fc6fd113a2cb058e8744c894

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

  • DiamondFox payload 3 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    "C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
    • C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
      C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
        • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
          C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
            5⤵
            • Executes dropped EXE
            PID:1992
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeCPS.exe' -Force -Recurse
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe' -Force -Recurse
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:608

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/300-86-0x0000000073F30000-0x000000007461E000-memory.dmp

    Filesize

    6.9MB

  • memory/300-87-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

    Filesize

    4KB

  • memory/300-84-0x0000000000F30000-0x0000000001028000-memory.dmp

    Filesize

    992KB

  • memory/308-71-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-67-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-61-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-65-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-69-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-63-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/308-74-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/532-60-0x0000000074F31000-0x0000000074F33000-memory.dmp

    Filesize

    8KB

  • memory/608-92-0x00000000003D0000-0x0000000000410000-memory.dmp

    Filesize

    256KB

  • memory/608-89-0x0000000072210000-0x00000000727BB000-memory.dmp

    Filesize

    5.7MB

  • memory/608-90-0x00000000003D0000-0x0000000000410000-memory.dmp

    Filesize

    256KB

  • memory/608-91-0x00000000003D0000-0x0000000000410000-memory.dmp

    Filesize

    256KB

  • memory/1076-77-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

    Filesize

    4KB

  • memory/1076-79-0x0000000001DF1000-0x0000000001DF2000-memory.dmp

    Filesize

    4KB

  • memory/1076-78-0x0000000072D20000-0x00000000732CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1076-80-0x0000000001DF2000-0x0000000001DF4000-memory.dmp

    Filesize

    8KB

  • memory/1076-76-0x0000000072D20000-0x00000000732CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1108-123-0x0000000070E80000-0x000000007142B000-memory.dmp

    Filesize

    5.7MB

  • memory/1108-126-0x0000000070E80000-0x000000007142B000-memory.dmp

    Filesize

    5.7MB

  • memory/1108-125-0x0000000002440000-0x000000000308A000-memory.dmp

    Filesize

    12.3MB

  • memory/1220-111-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1912-114-0x0000000072D20000-0x00000000732CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1912-115-0x00000000024C0000-0x0000000002503000-memory.dmp

    Filesize

    268KB

  • memory/1924-57-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

    Filesize

    4KB

  • memory/1924-56-0x0000000073F50000-0x000000007463E000-memory.dmp

    Filesize

    6.9MB

  • memory/1924-55-0x0000000000B50000-0x0000000000BCC000-memory.dmp

    Filesize

    496KB

  • memory/1924-58-0x0000000000840000-0x0000000000884000-memory.dmp

    Filesize

    272KB

  • memory/1924-54-0x0000000001180000-0x0000000001278000-memory.dmp

    Filesize

    992KB

  • memory/1992-120-0x0000000000100000-0x00000000001F8000-memory.dmp

    Filesize

    992KB

  • memory/1992-122-0x0000000073F50000-0x000000007463E000-memory.dmp

    Filesize

    6.9MB

  • memory/1992-124-0x0000000004490000-0x0000000004491000-memory.dmp

    Filesize

    4KB