diamondfox | 2622cd891ff6151e1c9bb5af31b691c6e91d58d30e2d0446ecd9aabbb0f12d0d

General

Target

53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
Size

220KB
MD5

b856ee00318bbdbafcc4895350424456
SHA1

e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
SHA256

53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
SHA512

4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
SSDEEP

3072:FFlJl9SroIZsF6RBvM+56h2NfF0kz2rx2OZ4tAHTaXZZAfr9QL2Kj8rzvn:rx9EZF1M+ch2hF8rNZOAH+ZAfrK2a83

Score

10^/10

diamondfox botnet evasion persistence spyware stealer trojan

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xingd.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	xingd.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xingd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe"	xingd.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe	xingd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe	xingd.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	xingd.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	xingd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe"	xingd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe"	xingd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2648	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2816	taskkill.exe
2976	taskkill.exe
2704	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
2200	xingd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
2200	xingd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2200	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	31
PID 2344 wrote to memory of 2200	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	31
PID 2344 wrote to memory of 2200	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	31
PID 2344 wrote to memory of 2200	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	31
PID 2344 wrote to memory of 2800	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	32
PID 2344 wrote to memory of 2800	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	32
PID 2344 wrote to memory of 2800	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	32
PID 2344 wrote to memory of 2800	2344	53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe	32
PID 2200 wrote to memory of 2816	2200	xingd.exe	34
PID 2200 wrote to memory of 2816	2200	xingd.exe	34
PID 2200 wrote to memory of 2816	2200	xingd.exe	34
PID 2200 wrote to memory of 2816	2200	xingd.exe	34
PID 2200 wrote to memory of 2976	2200	xingd.exe	36
PID 2200 wrote to memory of 2976	2200	xingd.exe	36
PID 2200 wrote to memory of 2976	2200	xingd.exe	36
PID 2200 wrote to memory of 2976	2200	xingd.exe	36
PID 2200 wrote to memory of 2704	2200	xingd.exe	37
PID 2200 wrote to memory of 2704	2200	xingd.exe	37
PID 2200 wrote to memory of 2704	2200	xingd.exe	37
PID 2200 wrote to memory of 2704	2200	xingd.exe	37
PID 2200 wrote to memory of 2648	2200	xingd.exe	40
PID 2200 wrote to memory of 2648	2200	xingd.exe	40
PID 2200 wrote to memory of 2648	2200	xingd.exe	40
PID 2200 wrote to memory of 2648	2200	xingd.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xingd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xingd.exe

C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
"C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
  C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM wscript.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM firefox.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn xingd.exe /tr "C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\B7E0F5F2.cmd
  2⤵
  - Deletes itself
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B7E0F5F2.cmd

Filesize
170B

MD5
4cff075234709e3b723684f94e362797

SHA1
8b8c27f14528f8eb79b8e6b4d683f90684840589

SHA256
6f65b03504efb7974395bd1de09facbb4f5d15789040d8a3b36a50902f9135ce

SHA512
6cc457dbe168a5c76fb462f97b7f2a4e81e0a5bdc0aaba564caf2a0db2be1fce5c68ceec9f1c1d5df4e498ddda7c74cd7583f725a85c931de83bd7d5069f09f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7E0F5F2.cmd

Filesize
170B

MD5
4cff075234709e3b723684f94e362797

SHA1
8b8c27f14528f8eb79b8e6b4d683f90684840589

SHA256
6f65b03504efb7974395bd1de09facbb4f5d15789040d8a3b36a50902f9135ce

SHA512
6cc457dbe168a5c76fb462f97b7f2a4e81e0a5bdc0aaba564caf2a0db2be1fce5c68ceec9f1c1d5df4e498ddda7c74cd7583f725a85c931de83bd7d5069f09f7

Download Submit
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe

Filesize
220KB

MD5
b856ee00318bbdbafcc4895350424456

SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d

SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce

SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0

Download Submit
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe

Filesize
220KB

MD5
b856ee00318bbdbafcc4895350424456

SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d

SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce

SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0

Download Submit
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe

Filesize
220KB

MD5
b856ee00318bbdbafcc4895350424456

SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d

SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce

SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0

Download Submit
\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe

Filesize
220KB

MD5
b856ee00318bbdbafcc4895350424456

SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d

SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce

SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0

Download Submit
\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe

Filesize
220KB

MD5
b856ee00318bbdbafcc4895350424456

SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d

SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce

SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0

Download Submit
memory/2200-18-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2200-17-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/2200-19-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2200-35-0x0000000004000000-0x0000000004ABA000-memory.dmp

Filesize
10.7MB

Download
memory/2200-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-3-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-0-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2344-1-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2344-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-2-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads