diamondfox | 7065e6eec89b53663d4d4544faf89b95d45090d484c83a3615edee72c4b252ea

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Size

34KB
MD5

5eb3277e4b057015e82ecf8b7d4d201d
SHA1

25abcee80291edf1092d146bd233854ba7e205b7
SHA256

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512

2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
SSDEEP

768:MRr1TNaD5ksyOcwTLFSwMxECyDiJHjRv5AmGRIp+nbcuyD7UMI:arTaD5kEJ1SwjCyDiJTAmGRIp+nouy8L

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/552-17-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox
behavioral2/memory/232-19-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox
behavioral2/memory/232-22-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

AnyDesk.exe

pid	Process
232	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4084	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exeAnyDesk.exe

pid	Process
552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
232	AnyDesk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.execmd.exe

description	pid	Process	procid_target
PID 552 wrote to memory of 232	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	83
PID 552 wrote to memory of 232	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	83
PID 552 wrote to memory of 232	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	83
PID 552 wrote to memory of 4288	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	84
PID 552 wrote to memory of 4288	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	84
PID 552 wrote to memory of 4288	552	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	84
PID 4288 wrote to memory of 4084	4288	cmd.exe	86
PID 4288 wrote to memory of 4084	4288	cmd.exe	86
PID 4288 wrote to memory of 4084	4288	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
  "C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd" 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd

Filesize
210B

MD5
fedbb09e49ac354abe2d95d8bdab7038

SHA1
e0fc3b669913b554f738b8d245d3163a324e0011

SHA256
9e0ea4be485888c06070082ede563bc87e40f52082c7b65491cd8d41eb1fc2bb

SHA512
7e2ddf81fde5273359a4814b3de5f5b872a8e0d88f631fac3dd918c112a84706ddf79d6e691ff06bcf942b68953fbe16e05389e07a8ef0a3c8bb7be0947bde5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
memory/232-19-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/232-22-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/552-0-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/552-17-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download