diamondfox | 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

General

Target

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
Size

18KB
MD5

2878d36d310c8195df391ca5b4dc4a18
SHA1

7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA256

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA512

47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Score

10^/10

diamondfox botnet evasion persistence stealer trojan

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe
Executes dropped EXE 1 IoCs

Processes:

atiedxx.exe

pid process

3764 atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	atiedxx.exe

pid	process
3764	atiedxx.exe

Drops startup file 2 IoCs

Processes:

atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe	atiedxx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe	atiedxx.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	atiedxx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\run	atiedxx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atiedxx = "C:\\Users\\Admin\\AppData\\Roaming\\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\\atiedxx.exe"	atiedxx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

atiedxx.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" atiedxx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exeatiedxx.exe

pid process

4512 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
3764 atiedxx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

pid	process
4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
3764	atiedxx.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe

description	pid	process	target process
PID 4512 wrote to memory of 3764	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 4512 wrote to memory of 3764	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 4512 wrote to memory of 3764	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	atiedxx.exe
PID 4512 wrote to memory of 4488	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe
PID 4512 wrote to memory of 4488	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe
PID 4512 wrote to memory of 4488	4512	40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	atiedxx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	atiedxx.exe

C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
  C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0B991030.cmd
  2⤵
  PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0B991030.cmd

Filesize
170B

MD5
b9b4a55a76f698ac1f701a7d6ae4c6bf

SHA1
039f33d7597d31dd9ff5d680054b021a19dbc41c

SHA256
c12ecbf7ca96f3ec39bc940bb889554cf33a51ffc5e8fa52aab59eee16685adf

SHA512
9316006d42e9f06d9f3b6f9d492605db2cd0d92d83b7e50d9bb93030890cf15c2835bbe6b122e5fa4b01a095f877c9b5526ea3925df069a0208e96a3e166cd7f

Download Submit
C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

Filesize
18KB

MD5
2878d36d310c8195df391ca5b4dc4a18

SHA1
7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a

SHA256
40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

SHA512
47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

Download Submit
memory/3764-133-0x0000000000000000-mapping.dmp

Download
memory/3764-141-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3764-142-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4488-138-0x0000000000000000-mapping.dmp

Download
memory/4512-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4512-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads