Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-08-2023 09:54
Static task: static1
Behavioral task: behavioral1
- Sample: 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
- Resource: win7-20230824-en
Behavioral task: behavioral2
- Sample: 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
- Resource: win10v2004-20230703-en
The analysis shown on this page (platform windows10-2004_x64, resource win10v2004-20230703-en) is the behavioral2 run; the Windows 7 run (behavioral1) is not reproduced here.
General
- Target: 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
- Size: 220KB
- MD5: b856ee00318bbdbafcc4895350424456
- SHA1: e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
- SHA256: 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
- SHA512: 4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
- SSDEEP: 3072:FFlJl9SroIZsF6RBvM+56h2NfF0kz2rx2OZ4tAHTaXZZAfr9QL2Kj8rzvn:rx9EZF1M+ch2hF8rNZOAH+ZAfrK2a83
Malware Config
Signatures
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
- UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xingd.exe)
  EnableLUA=0 switches User Account Control off system-wide; the setting takes effect after the next reboot, not immediately. Writing under HKLM requires an elevated token, so the fact that this write is recorded indicates xingd.exe was already running with administrative rights in the sandbox's Admin session.
- Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (xingd.exe)
- Adds policy Run key to start application 2 TTPs 2 IoCs
  Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (xingd.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" (xingd.exe)
- Drops startup file 2 IoCs
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe (xingd.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe (xingd.exe)
- Executes dropped EXE 1 IoCs
  PID 4572 xingd.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
  The report attaches no file or registry IoC to this signature. The forced termination of chrome.exe and firefox.exe by taskkill (see Processes below) is consistent with freeing browser profile databases so they can be read.
- Windows security modification
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (xingd.exe)
- Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" (xingd.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" (xingd.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2404 schtasks.exe
- Kills process with taskkill 3 IoCs
  PID 1296 taskkill.exe
  PID 3648 taskkill.exe
  PID 4920 taskkill.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Token: SeDebugPrivilege, PID 1296 taskkill.exe
  Token: SeDebugPrivilege, PID 4920 taskkill.exe
  Token: SeDebugPrivilege, PID 3648 taskkill.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  PID 3080 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
  PID 4572 xingd.exe
- Suspicious use of WriteProcessMemory 18 IoCs
  Each parent/child pair below appears three times in the report; the list is collapsed to one row per pair.
  PID 3080 (53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe) wrote to memory of 4572, procid_target 87, 3 rows
  PID 3080 (53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe) wrote to memory of 4280, procid_target 89, 3 rows
  PID 4572 (xingd.exe) wrote to memory of 1296, procid_target 91, 3 rows
  PID 4572 (xingd.exe) wrote to memory of 4920, procid_target 96, 3 rows
  PID 4572 (xingd.exe) wrote to memory of 3648, procid_target 93, 3 rows
  PID 4572 (xingd.exe) wrote to memory of 2404, procid_target 99, 3 rows
- System policy modification 1 TTPs 2 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (xingd.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xingd.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"
  PID: 3080
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
    Command line: C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
    PID: 4572
    Signatures: UAC bypass; Windows security bypass; Adds policy Run key to start application; Drops startup file; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /IM wscript.exe /F
      PID: 1296
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /IM firefox.exe /F
      PID: 3648
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /IM chrome.exe /F
      PID: 4920
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn xingd.exe /tr "C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe"
      PID: 2404
      Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2F2DB8CF.cmd
    PID: 4280
Two details of the tree are worth noting. The children resolve to C:\Windows\SysWOW64\ even though the command lines name System32, which is WOW64 file-system redirection at work: the sample and its xingd.exe copy are 32-bit processes on a 64-bit host (matching the arch:x86 tag). And xingd.exe sets up four independent autostart paths at once (HKCU Run, HKCU RunOnce, HKCU Policies\Explorer\Run and the Startup folder) plus an ONLOGON scheduled task named xingd.exe; cleanup has to remove all of them, not just the first one found. The contents of 2F2DB8CF.cmd are not shown in the report.
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Scheduled Task/Job (1)
Downloads
- Filesize: 170B
  MD5: 3a91a0f7a53a8187461bd6c4936898fa
  SHA1: 189db2c6fc682cc627a7877f3ec732f19d573287
  SHA256: 21cf8e9446edd362f11bdc1169f8fb973eacd6fa76fd903db3c8607bdb5c3ac3
  SHA512: 7b7fda9c61f8148c19b984fa9d67df27919baf7442fb70dea259a0c0c5454760b69856a241ba69417cf710f1fa730c2b76d33d9f7c18fdf7c8b4e63cb2cb3786
- Filesize: 220KB (this entry is listed three times in the report with identical hashes)
  MD5: b856ee00318bbdbafcc4895350424456
  SHA1: e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d
  SHA256: 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce
  SHA512: 4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0
  These hashes are identical to the submitted sample's, so the 220KB files written during execution are byte-for-byte copies of the original executable, consistent with xingd.exe being a self-copy; the sample's own hashes therefore also cover its persisted copies.