diamondfox | 06e55f0700b583a63f0778201bf4f1ac352966f9c4fa47b5bbd7f39c08b68b79

Analysis

max time kernel
53s
max time network
61s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

diamondfox_2.exe
Size

203KB
MD5

edcbd21bcf32c01e132b51ab1c92a532
SHA1

205e23b68a25e20651b459523b2c8a2ebaac022f
SHA256

06e55f0700b583a63f0778201bf4f1ac352966f9c4fa47b5bbd7f39c08b68b79
SHA512

35c767a8022bab81879d51b0d6731176555fbd6a3ce00d69826a059d15131fa1a9230b706f866f7759a3b646fb1a404fa2197ff7dba5dc35a898216cb5f6a9c3
SSDEEP

6144:SnSNM0tFUkfgEYxE91e/QkqCh+FjvTBiL+:SSN3zgpxooF3h+FjvToa

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/files/0x000d0000000122ea-2.dat	diamondfox

Deletes itself 1 IoCs

pid	Process
3056	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	MicrosoftEdgeCPS.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	diamondfox_2.exe
2984	diamondfox_2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	powershell.exe
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2908	2984	diamondfox_2.exe	28
PID 2984 wrote to memory of 2908	2984	diamondfox_2.exe	28
PID 2984 wrote to memory of 2908	2984	diamondfox_2.exe	28
PID 2984 wrote to memory of 2908	2984	diamondfox_2.exe	28
PID 2908 wrote to memory of 2052	2908	MicrosoftEdgeCPS.exe	30
PID 2908 wrote to memory of 2052	2908	MicrosoftEdgeCPS.exe	30
PID 2908 wrote to memory of 2052	2908	MicrosoftEdgeCPS.exe	30
PID 2908 wrote to memory of 2052	2908	MicrosoftEdgeCPS.exe	30
PID 2984 wrote to memory of 3056	2984	diamondfox_2.exe	29
PID 2984 wrote to memory of 3056	2984	diamondfox_2.exe	29
PID 2984 wrote to memory of 3056	2984	diamondfox_2.exe	29
PID 2984 wrote to memory of 3056	2984	diamondfox_2.exe	29

C:\Users\Admin\AppData\Local\Temp\diamondfox_2.exe
"C:\Users\Admin\AppData\Local\Temp\diamondfox_2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\diamondfox_2.exe' -Force -Recurse
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
68a188eb97d37795b02a48380c57f79a

SHA1
9b60b053cc753fc8f0edd2b7d1e4bd9a0c2659d5

SHA256
0ad57ad8875eb548cc32777b0ac32412bd35c5183b00afe35d6d27d57256b61a

SHA512
40efaee5bf0aa74bc39470e8f3032cd068f0fa2ffabd9cb00e1502cb6551917bab2f201cb223b751131c022a291cf8ec2a05341583789bfa7d28aea1652c8b10

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
203KB

MD5
edcbd21bcf32c01e132b51ab1c92a532

SHA1
205e23b68a25e20651b459523b2c8a2ebaac022f

SHA256
06e55f0700b583a63f0778201bf4f1ac352966f9c4fa47b5bbd7f39c08b68b79

SHA512
35c767a8022bab81879d51b0d6731176555fbd6a3ce00d69826a059d15131fa1a9230b706f866f7759a3b646fb1a404fa2197ff7dba5dc35a898216cb5f6a9c3

Download Submit
memory/2052-20-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-17-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2052-16-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-23-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-18-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/3056-19-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-21-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/3056-22-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-24-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-25-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/3056-26-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download