Overview

overview

10

Static

static

b859d4b635...35.exe

windows7_x64

10

b859d4b635...35.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-03-2022 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

  • Size

    963KB

  • MD5

    a38a7e72a110324734a6a1f76e2c6e00

  • SHA1

    849d24d21ac83486ce9ea730d97993e08d9733df

  • SHA256

    b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35

  • SHA512

    faf091768e2057b36c458b84c8024c4d6ee8ea61ea49e3fab3258c9e977a8a22360ebc85a054adbbec6a8fba7aaf1e9b708ef719fc6fd113a2cb058e8744c894

Score
10/10
diamondfoxbotnetinfostealerstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

    infostealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
    "C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3636
    • C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
      C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
      2⤵
        PID:396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/396-144-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/396-141-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3636-138-0x00000000023E0000-0x0000000002416000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3636-139-0x0000000074A20000-0x00000000751D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3636-140-0x00000000023D0000-0x00000000023D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3636-142-0x00000000023D2000-0x00000000023D3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3636-145-0x0000000004E80000-0x00000000054A8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3636-146-0x0000000004D50000-0x0000000004D72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3636-147-0x0000000004DF0000-0x0000000004E56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3636-148-0x00000000054B0000-0x0000000005516000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4352-136-0x00000000058F0000-0x00000000058F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4352-135-0x0000000000E00000-0x0000000000EF8000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4352-134-0x0000000074A20000-0x00000000751D0000-memory.dmp

      Filesize

      7.7MB

      Download