Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
28-08-2023 09:54
General
-
Target
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
-
Size
220KB
-
MD5
b856ee00318bbdbafcc4895350424456
-
SHA1
e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
-
SHA256
53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
-
SHA512
4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
-
SSDEEP
3072:FFlJl9SroIZsF6RBvM+56h2NfF0kz2rx2OZ4tAHTaXZZAfr9QL2Kj8rzvn:rx9EZF1M+ch2hF8rNZOAH+ZAfrK2a83
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exeC:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe2⤵
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wscript.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM firefox.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM chrome.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn xingd.exe /tr "C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2F2DB8CF.cmd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
170B
MD53a91a0f7a53a8187461bd6c4936898fa
SHA1189db2c6fc682cc627a7877f3ec732f19d573287
SHA25621cf8e9446edd362f11bdc1169f8fb973eacd6fa76fd903db3c8607bdb5c3ac3
SHA5127b7fda9c61f8148c19b984fa9d67df27919baf7442fb70dea259a0c0c5454760b69856a241ba69417cf710f1fa730c2b76d33d9f7c18fdf7c8b4e63cb2cb3786
-
Filesize
220KB
MD5b856ee00318bbdbafcc4895350424456
SHA1e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
SHA25653b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
SHA5124a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
-
Filesize
220KB
MD5b856ee00318bbdbafcc4895350424456
SHA1e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
SHA25653b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
SHA5124a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
-
Filesize
220KB
MD5b856ee00318bbdbafcc4895350424456
SHA1e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
SHA25653b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
SHA5124a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
64KB
-
Filesize
68KB