Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
29-08-2023 02:04
Static task
static1
Behavioral task
behavioral1
Sample
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Resource
win7-20230824-en
Behavioral task
behavioral2
Sample
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Resource
win10v2004-20230703-en
General
-
Target
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
-
Size
34KB
-
MD5
5eb3277e4b057015e82ecf8b7d4d201d
-
SHA1
25abcee80291edf1092d146bd233854ba7e205b7
-
SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
-
SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
-
SSDEEP
768:MRr1TNaD5ksyOcwTLFSwMxECyDiJHjRv5AmGRIp+nbcuyD7UMI:arTaD5kEJ1SwjCyDiJTAmGRIp+nouy8L
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
resource yara_rule behavioral2/memory/552-17-0x0000000000400000-0x000000000041F010-memory.dmp diamondfox behavioral2/memory/232-19-0x0000000000400000-0x000000000041F010-memory.dmp diamondfox behavioral2/memory/232-22-0x0000000000400000-0x000000000041F010-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 232 AnyDesk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4084 PING.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 232 AnyDesk.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 552 wrote to memory of 232 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 83 PID 552 wrote to memory of 232 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 83 PID 552 wrote to memory of 232 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 83 PID 552 wrote to memory of 4288 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 84 PID 552 wrote to memory of 4288 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 84 PID 552 wrote to memory of 4288 552 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe 84 PID 4288 wrote to memory of 4084 4288 cmd.exe 86 PID 4288 wrote to memory of 4084 4288 cmd.exe 86 PID 4288 wrote to memory of 4084 4288 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe"C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 02⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd" 0"2⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\PING.EXEping -n 4 127.0.0.13⤵
- Runs ping.exe
PID:4084
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210B
MD5fedbb09e49ac354abe2d95d8bdab7038
SHA1e0fc3b669913b554f738b8d245d3163a324e0011
SHA2569e0ea4be485888c06070082ede563bc87e40f52082c7b65491cd8d41eb1fc2bb
SHA5127e2ddf81fde5273359a4814b3de5f5b872a8e0d88f631fac3dd918c112a84706ddf79d6e691ff06bcf942b68953fbe16e05389e07a8ef0a3c8bb7be0947bde5e
-
Filesize
34KB
MD55eb3277e4b057015e82ecf8b7d4d201d
SHA125abcee80291edf1092d146bd233854ba7e205b7
SHA256d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA5122600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
-
Filesize
34KB
MD55eb3277e4b057015e82ecf8b7d4d201d
SHA125abcee80291edf1092d146bd233854ba7e205b7
SHA256d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA5122600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
-
Filesize
34KB
MD55eb3277e4b057015e82ecf8b7d4d201d
SHA125abcee80291edf1092d146bd233854ba7e205b7
SHA256d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA5122600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18