Analysis
-
max time kernel
39s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-07-2022 09:25
Static task
static1
Behavioral task
behavioral1
Sample
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
Resource
win10v2004-20220414-en
General
-
Target
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
-
Size
18KB
-
MD5
2878d36d310c8195df391ca5b4dc4a18
-
SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
-
SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
-
SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe -
Executes dropped EXE 1 IoCs
pid Process 1756 atiedxx.exe -
Deletes itself 1 IoCs
pid Process 1804 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe atiedxx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe atiedxx.exe -
Loads dropped DLL 2 IoCs
pid Process 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\run atiedxx.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx = "C:\\Users\\Admin\\AppData\\Roaming\\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\\atiedxx.exe" atiedxx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 1756 atiedxx.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1640 wrote to memory of 1756 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 28 PID 1640 wrote to memory of 1756 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 28 PID 1640 wrote to memory of 1756 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 28 PID 1640 wrote to memory of 1756 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 28 PID 1640 wrote to memory of 1804 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 29 PID 1640 wrote to memory of 1804 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 29 PID 1640 wrote to memory of 1804 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 29 PID 1640 wrote to memory of 1804 1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe 29 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System atiedxx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exeC:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1756
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd2⤵
- Deletes itself
PID:1804
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
170B
MD5ca1ffe0fe322c68b060817133ecb3f46
SHA10e328bd94191464aec57a93809031ff42f88edba
SHA2566bbef442aced4b121ea186e0263b535d41a1c5d524532b586f7ed3c76cd82c31
SHA5128e31736d2a15ed31752f35225bddb8551199667a3ac143342f259b0c729a3d94ff496fc3984d5d6c3a78e97ca04d86250b16c4e9b86e1c32667782820b939149
-
Filesize
18KB
MD52878d36d310c8195df391ca5b4dc4a18
SHA17f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA25640cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA51247cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3
-
Filesize
18KB
MD52878d36d310c8195df391ca5b4dc4a18
SHA17f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA25640cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA51247cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3
-
Filesize
18KB
MD52878d36d310c8195df391ca5b4dc4a18
SHA17f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA25640cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA51247cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3
-
Filesize
18KB
MD52878d36d310c8195df391ca5b4dc4a18
SHA17f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA25640cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA51247cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3