Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20230824-en
resource tags: arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2023 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
  Resource: win7-20230824-en
Behavioral task: behavioral2
  Sample: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
  Resource: win10v2004-20230703-en
General
Target: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Size: 34KB
MD5: 5eb3277e4b057015e82ecf8b7d4d201d
SHA1: 25abcee80291edf1092d146bd233854ba7e205b7
SHA256: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512: 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
SSDEEP: 768:MRr1TNaD5ksyOcwTLFSwMxECyDiJHjRv5AmGRIp+nbcuyD7UMI:arTaD5kEJ1SwjCyDiJTAmGRIp+nouy8L
Malware Config
Signatures
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
  resource (yara_rule):
    behavioral1/memory/1136-24-0x0000000000400000-0x000000000041F010-memory.dmp  diamondfox
    behavioral1/memory/1964-26-0x0000000000400000-0x000000000041F010-memory.dmp  diamondfox
    behavioral1/memory/1964-30-0x0000000000400000-0x000000000041F010-memory.dmp  diamondfox
Deletes itself (1 IoCs)
  pid 2212  cmd.exe
Executes dropped EXE (1 IoCs)
  pid 1964  AnyDesk.exe
Loads dropped DLL (2 IoCs)
  pid 1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
  pid 1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2764  PING.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
  pid 1964  AnyDesk.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / procid_target
  PID 1136 wrote to memory of 1964  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  30
  PID 1136 wrote to memory of 1964  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  30
  PID 1136 wrote to memory of 1964  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  30
  PID 1136 wrote to memory of 1964  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  30
  PID 1136 wrote to memory of 2212  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  31
  PID 1136 wrote to memory of 2212  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  31
  PID 1136 wrote to memory of 2212  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  31
  PID 1136 wrote to memory of 2212  1136  d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  31
  PID 2212 wrote to memory of 2764  2212  cmd.exe  33
  PID 2212 wrote to memory of 2764  2212  cmd.exe  33
  PID 2212 wrote to memory of 2764  2212  cmd.exe  33
  PID 2212 wrote to memory of 2764  2212  cmd.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1136
    C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
      command line: "C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 1964
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd" 0"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2212
        C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 4 127.0.0.1
          - Runs ping.exe
          PID: 2764
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 210B
MD5: f07ec6af99fa82ea3353804ce368209d
SHA1: 04287a3c2cb8542c6d7ddf49289b7db2e9df3215
SHA256: e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97
SHA512: 26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0
Filesize: 34KB
MD5: 5eb3277e4b057015e82ecf8b7d4d201d
SHA1: 25abcee80291edf1092d146bd233854ba7e205b7
SHA256: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512: 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18