Analysis
- max time kernel: 156s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 14-03-2022 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
  Resource: win10v2004-20220310-en
General
- Target: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Size: 963KB
- MD5: a38a7e72a110324734a6a1f76e2c6e00
- SHA1: 849d24d21ac83486ce9ea730d97993e08d9733df
- SHA256: b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35
- SHA512: faf091768e2057b36c458b84c8024c4d6ee8ea61ea49e3fab3258c9e977a8a22360ebc85a054adbbec6a8fba7aaf1e9b708ef719fc6fd113a2cb058e8744c894
Malware Config
Signatures
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
  Processes:
    resource | yara_rule
    behavioral2/memory/396-141-0x0000000000400000-0x0000000000436000-memory.dmp | diamondfox
    behavioral2/memory/396-144-0x0000000000400000-0x0000000000436000-memory.dmp | diamondfox
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | WScript.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 4352 set thread context of 396 | 4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid | process
    4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    3636 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    Token: SeDebugPrivilege | 3636 | powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (identical rows collapsed, with the number of occurrences in the report):
    description | pid | process | target process | occurrences
    PID 4352 wrote to memory of 4356 | 4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe | WScript.exe | 3
    PID 4356 wrote to memory of 3636 | 4356 | WScript.exe | powershell.exe | 3
    PID 4352 wrote to memory of 396 | 4352 | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs
  MD5: bc3b0ee1864715134d8d095b811c6fdf
  SHA1: ca6ab83a1811bf4cf665f2218d0a1daa4c29017c
  SHA256: 6a7db5b78d39ae5bd4446378a87c2c6e796bacccc10a0ccc6073a900c19bbd35
  SHA512: 0a451fc3b8e4b2f29e58a14fd4733ef3587aa8483ddc297ca405e8599cc055896790afd26625ab042fed8d7ba456f14a4179cdfbc588bca0baecb52ed219b27e
- memory/396-144-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/396-141-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/3636-138-0x00000000023E0000-0x0000000002416000-memory.dmp
  Filesize: 216KB
- memory/3636-139-0x0000000074A20000-0x00000000751D0000-memory.dmp
  Filesize: 7.7MB
- memory/3636-140-0x00000000023D0000-0x00000000023D1000-memory.dmp
  Filesize: 4KB
- memory/3636-142-0x00000000023D2000-0x00000000023D3000-memory.dmp
  Filesize: 4KB
- memory/3636-145-0x0000000004E80000-0x00000000054A8000-memory.dmp
  Filesize: 6.2MB
- memory/3636-146-0x0000000004D50000-0x0000000004D72000-memory.dmp
  Filesize: 136KB
- memory/3636-147-0x0000000004DF0000-0x0000000004E56000-memory.dmp
  Filesize: 408KB
- memory/3636-148-0x00000000054B0000-0x0000000005516000-memory.dmp
  Filesize: 408KB
- memory/4352-136-0x00000000058F0000-0x00000000058F1000-memory.dmp
  Filesize: 4KB
- memory/4352-135-0x0000000000E00000-0x0000000000EF8000-memory.dmp
  Filesize: 992KB
- memory/4352-134-0x0000000074A20000-0x00000000751D0000-memory.dmp
  Filesize: 7.7MB