diamondfox | 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5

General

Target

tune.exe
Size

216KB
MD5

c003231a632fa9d74620c52d22ffb140
SHA1

ec2c2f3f38a3bf00b67ba53413c3be94f50a7408
SHA256

2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
SHA512

92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb
SSDEEP

3072:aqx8ojLSZA1kNLm+9sON9+wvukPEQrZrN75xYFZNjF7Zyy:ljLS+1kc+79+wvdPRrZrJYFX

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1996-65-0x0000000000400000-0x00000000007AC000-memory.dmp	diamondfox
behavioral1/memory/1740-71-0x0000000000400000-0x00000000007AC000-memory.dmp	diamondfox
behavioral1/memory/1740-74-0x0000000000400000-0x00000000007AC000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

1740 wininit.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1492 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

tune.exe

pid process

1996 tune.exe
1996 tune.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

820 PING.EXE

pid	process
1740	wininit.exe

pid	process
1492	cmd.exe

pid	process
1996	tune.exe
1996	tune.exe

pid	process
820	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	540	AUDIODG.EXE
Token: 33	540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	540	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tune.exewininit.exe

pid process

1996 tune.exe
1740 wininit.exe

pid	process
1996	tune.exe
1740	wininit.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tune.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 1740	1996	tune.exe	wininit.exe
PID 1996 wrote to memory of 1740	1996	tune.exe	wininit.exe
PID 1996 wrote to memory of 1740	1996	tune.exe	wininit.exe
PID 1996 wrote to memory of 1740	1996	tune.exe	wininit.exe
PID 1996 wrote to memory of 1492	1996	tune.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	tune.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	tune.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	tune.exe	cmd.exe
PID 1492 wrote to memory of 820	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 820	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 820	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 820	1492	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\tune.exe
"C:\Users\Admin\AppData\Local\Temp\tune.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\wininit\wininit.exe
  "C:\Users\Admin\AppData\Roaming\wininit\wininit.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd" 0"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd

Filesize
150B

MD5
126d0b01f5b4d121ef8383dae924dcd2

SHA1
964d6ff4588494561b3b90a390f62c4e065e2806

SHA256
700332cbee3e55cb091574bf8c0dfcfbf9aeb1cdea044ba97b74c4ced131f0fb

SHA512
a6878a08ea360601a0b8bff3f5ee97b746f044210a37860975b78e7580fac5817def3c353a21c5ddf2f5bceae4d67b6fd58758b6242f0233291205fdfd7e63c1

Download Submit
C:\Users\Admin\AppData\Roaming\wininit\wininit.exe

Filesize
216KB

MD5
c003231a632fa9d74620c52d22ffb140

SHA1
ec2c2f3f38a3bf00b67ba53413c3be94f50a7408

SHA256
2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5

SHA512
92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

Download Submit
\Users\Admin\AppData\Roaming\wininit\wininit.exe

Filesize
216KB

MD5
c003231a632fa9d74620c52d22ffb140

SHA1
ec2c2f3f38a3bf00b67ba53413c3be94f50a7408

SHA256
2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5

SHA512
92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

Download Submit
\Users\Admin\AppData\Roaming\wininit\wininit.exe

Filesize
216KB

MD5
c003231a632fa9d74620c52d22ffb140

SHA1
ec2c2f3f38a3bf00b67ba53413c3be94f50a7408

SHA256
2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5

SHA512
92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

Download Submit
memory/820-67-0x0000000000000000-mapping.dmp

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1740-70-0x00000000002C9000-0x00000000002D2000-memory.dmp

Filesize
36KB

Download
memory/1740-60-0x0000000000000000-mapping.dmp

Download
memory/1740-71-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1740-73-0x00000000002C9000-0x00000000002D2000-memory.dmp

Filesize
36KB

Download
memory/1740-74-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1996-64-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1996-63-0x00000000008B8000-0x00000000008C2000-memory.dmp

Filesize
40KB

Download
memory/1996-65-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1996-57-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1996-54-0x00000000008B8000-0x00000000008C2000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads