diamondfox | b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35

General

Target

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
Size

963KB
MD5

a38a7e72a110324734a6a1f76e2c6e00
SHA1

849d24d21ac83486ce9ea730d97993e08d9733df
SHA256

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35
SHA512

faf091768e2057b36c458b84c8024c4d6ee8ea61ea49e3fab3258c9e977a8a22360ebc85a054adbbec6a8fba7aaf1e9b708ef719fc6fd113a2cb058e8744c894

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/396-141-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox
behavioral2/memory/396-144-0x0000000000400000-0x0000000000436000-memory.dmp	diamondfox

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

description	pid	process	target process
PID 4352 set thread context of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exepowershell.exe

pid	process
4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
Token: SeDebugPrivilege	3636	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exeWScript.exe

C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
"C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
C:\Users\Admin\AppData\Local\Temp\b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
2⤵
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Cfmkewr.vbs
MD5
bc3b0ee1864715134d8d095b811c6fdf

SHA1
ca6ab83a1811bf4cf665f2218d0a1daa4c29017c

SHA256
6a7db5b78d39ae5bd4446378a87c2c6e796bacccc10a0ccc6073a900c19bbd35

SHA512
0a451fc3b8e4b2f29e58a14fd4733ef3587aa8483ddc297ca405e8599cc055896790afd26625ab042fed8d7ba456f14a4179cdfbc588bca0baecb52ed219b27e

Download Submit
memory/396-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-138-0x00000000023E0000-0x0000000002416000-memory.dmp

Filesize
216KB

Download
memory/3636-139-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-140-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3636-142-0x00000000023D2000-0x00000000023D3000-memory.dmp

Filesize
4KB

Download
memory/3636-145-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/3636-146-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/3636-147-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/3636-148-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4352-136-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4352-135-0x0000000000E00000-0x0000000000EF8000-memory.dmp

Filesize
992KB

Download
memory/4352-134-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 4352 wrote to memory of 4356	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	WScript.exe
PID 4352 wrote to memory of 4356	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	WScript.exe
PID 4352 wrote to memory of 4356	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	WScript.exe
PID 4356 wrote to memory of 3636	4356	WScript.exe	powershell.exe
PID 4356 wrote to memory of 3636	4356	WScript.exe	powershell.exe
PID 4356 wrote to memory of 3636	4356	WScript.exe	powershell.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe
PID 4352 wrote to memory of 396	4352	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe	b859d4b635e94a5511f9fa493c8b220bfb9859a2f94649be148cd38b53a4da35.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads