diamondfox | 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

General

Target

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
Size

18KB
MD5

2878d36d310c8195df391ca5b4dc4a18
SHA1

7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA256

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA512

47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Score

10^/10

diamondfox botnet evasion persistence stealer trojan

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe
Executes dropped EXE 1 IoCs

Processes:

atiedxx.exe

pid process

1756 atiedxx.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1804 cmd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	atiedxx.exe

pid	process
1756	atiedxx.exe

pid	process
1804	cmd.exe

Drops startup file 2 IoCs

Processes:

atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe	atiedxx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe	atiedxx.exe

Loads dropped DLL 2 IoCs

Processes:

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe

pid	process
1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	atiedxx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\run	atiedxx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx = "C:\\Users\\Admin\\AppData\\Roaming\\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\\atiedxx.exe"	atiedxx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exeatiedxx.exe

pid process

1640 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
1756 atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe

description	pid	process	target process
PID 1640 wrote to memory of 1756	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 1640 wrote to memory of 1756	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 1640 wrote to memory of 1756	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 1640 wrote to memory of 1756	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 1640 wrote to memory of 1804	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe
PID 1640 wrote to memory of 1804	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe
PID 1640 wrote to memory of 1804	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe
PID 1640 wrote to memory of 1804	1640	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	atiedxx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
  C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd
  2⤵
  - Deletes itself
  PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd

Filesize
170B

MD5
ca1ffe0fe322c68b060817133ecb3f46

SHA1
0e328bd94191464aec57a93809031ff42f88edba

SHA256
6bbef442aced4b121ea186e0263b535d41a1c5d524532b586f7ed3c76cd82c31

SHA512
8e31736d2a15ed31752f35225bddb8551199667a3ac143342f259b0c729a3d94ff496fc3984d5d6c3a78e97ca04d86250b16c4e9b86e1c32667782820b939149

Download Submit
C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
memory/1640-54-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1640-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-60-0x0000000000000000-mapping.dmp

Download
memory/1756-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1804-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads