Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 09:25

General

  • Target

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe

  • Size

    18KB

  • MD5

    2878d36d310c8195df391ca5b4dc4a18

  • SHA1

    7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

  • SHA256

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

  • SHA512

    47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
    "C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
      C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
      2⤵
      • UAC bypass
      • Windows security bypass
      • Executes dropped EXE
      • Drops startup file
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd
      2⤵
      • Deletes itself
      PID:1804

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd

    Filesize

    170B

    MD5

    ca1ffe0fe322c68b060817133ecb3f46

    SHA1

    0e328bd94191464aec57a93809031ff42f88edba

    SHA256

    6bbef442aced4b121ea186e0263b535d41a1c5d524532b586f7ed3c76cd82c31

    SHA512

    8e31736d2a15ed31752f35225bddb8551199667a3ac143342f259b0c729a3d94ff496fc3984d5d6c3a78e97ca04d86250b16c4e9b86e1c32667782820b939149

  • C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

    Filesize

    18KB

    MD5

    2878d36d310c8195df391ca5b4dc4a18

    SHA1

    7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

    SHA256

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

    SHA512

    47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

  • C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

    Filesize

    18KB

    MD5

    2878d36d310c8195df391ca5b4dc4a18

    SHA1

    7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

    SHA256

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

    SHA512

    47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

  • \Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

    Filesize

    18KB

    MD5

    2878d36d310c8195df391ca5b4dc4a18

    SHA1

    7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

    SHA256

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

    SHA512

    47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

  • \Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

    Filesize

    18KB

    MD5

    2878d36d310c8195df391ca5b4dc4a18

    SHA1

    7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

    SHA256

    40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

    SHA512

    47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

  • memory/1640-54-0x0000000076241000-0x0000000076243000-memory.dmp

    Filesize

    8KB

  • memory/1640-67-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1640-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1756-69-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1756-70-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1756-71-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB