Overview

overview

10

Static

static

URLScan

urlscan

http://148.163.12.10...

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-11-2020 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://148.163.12.101/WMndFrdk?keyword=Other&cost=0.00100&ad_campaign_id=262704&source=145866

  • Sample

    201108-nh22zk7ppj

Score
10/10
diamondfoxbootkitbotnetpersistencestealer

Malware Config

Extracted

Family

diamondfox

C2

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php
Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://148.163.12.101/WMndFrdk?keyword=Other&cost=0.00100&ad_campaign_id=262704&source=145866
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3812 CREDAT:82945 /prefetch:2
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\dllhost.exe
        "C:\Windows\system32\dllhost.exe"
        3⤵
        • Checks BIOS information in registry
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Users\Admin\AppData\Roaming\setup.exe
          "C:\Users\Admin\AppData\Roaming\setup.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Copy-Item -Path 'C:\Users\Admin\AppData\Roaming\setup.exe' -Destination 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    MD5

    a40a185f9f558724168245e93782667f

    SHA1

    fc0297bc92b275afe9320da4114469d70d0fbfc6

    SHA256

    4abde2b21db9bf4c24f8b241ee7ecab6744a5644f7f6b6ee2a3e0b0e4ffe432e

    SHA512

    26369bfcd56c8ad1664accef4d48dcf3ec0d405d19df2d01cc6e409a26305691bc65cd86e047d6a91268c5bf591cb2825266585aed701273fec6c9f7eedade8a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    a0c055f33d1075d1399388fa891c49d3

    SHA1

    b454cda0134375bc26e94e536515b02aeb8dc17c

    SHA256

    c0c37bbe273f349da77cd97f7d2338134532ff1f3fd61d7a4a90f810084385d0

    SHA512

    7ee8616b77f67ecca73186c05967a047c9ae41e93d9b36adc7d232ee7fd881c4b89e1d09e8f254eb856c15264e2c40dedebc98fcb55423be581b1776f19815a6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    MD5

    e191570a4b8e94a5093176772a4085bf

    SHA1

    a1ab117d59bce9c46cf0cce7876d8a52df041b02

    SHA256

    524bb6ef6bf98646885dc2f6295bbe8130c0593c572a64adfc804bf69fbc0b19

    SHA512

    16ca6c2d867c9d0914d2ec075cd05b10b242635b299dae01f8efefdead84bcc793af13f0c22f8764da42b09e968f0c37d5a5dab0fc115ec9253a354a84e45b98

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    223de147adca5c44ed321c55e21cc111

    SHA1

    15bfa4fcb7ea522cddb4569314d0727a3b4f99ab

    SHA256

    e16366a91972c10002b01c6b752a5e87026cb6fd9bf3d1617b11785ae462e34d

    SHA512

    7e588781e4764c8093a564b70a61e5848c7474dd59695865f62f2bf98dfa1a4bd3364ab1b80735a202b03f82da66fb535b895f4cecf56d40a61afc9a85b23020

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9W8W6K9Q.cookie
    MD5

    ff30e0f184120df6e93294aa3fe16b96

    SHA1

    acbe9b24399d29172433b64eacba8889c24a9ca8

    SHA256

    3a82c41593a4928a5a1c0c89864c0eddff46e7d4dd37ac0998fbc16f4bf6c909

    SHA512

    3ec578e760d56fd5253cbe770f11cbeebe58f9516ab77c505d5a609950b5beb3ac4278f30a8629f352dc8498696e5900909f4229ef52f78488f587359ba4ccdb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q8IG7U4T.cookie
    MD5

    e05c89cc655f1170d46fd6d8313bc150

    SHA1

    3856f1dd45a1ae8d7e97bcd4e9e59ee48fe5944a

    SHA256

    a52ff42f0e1527208cc3b46a0a8f5d1c52b675c2020a702d1d70beb78e2ab024

    SHA512

    d73eb2e6c71970ecf1092043a22e3fbc4d981f110bf1d7edf5ce2cbe9e89e05fe259e13f43019a103566f3e39c7dd3365830fb846b721acfffe3a381c45855cc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\setup.exe
    MD5

    1d5b46ff3cd12fd31362557299d6f488

    SHA1

    42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

    SHA256

    2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

    SHA512

    4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

    Download Submit
  • C:\Users\Admin\AppData\Roaming\setup.exe
    MD5

    1d5b46ff3cd12fd31362557299d6f488

    SHA1

    42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

    SHA256

    2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

    SHA512

    4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

    Download Submit
  • memory/776-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3496-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3556-0-0x0000000000000000-mapping.dmp
    Download
  • memory/4028-15-0x000000006BFC0000-0x000000006C6AE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4028-21-0x0000000007B30000-0x0000000007B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-16-0x0000000004750000-0x0000000004751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-17-0x0000000007320000-0x0000000007321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-18-0x00000000070F0000-0x00000000070F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-19-0x0000000007AC0000-0x0000000007AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-20-0x0000000007290000-0x0000000007291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-14-0x0000000000000000-mapping.dmp
    Download
  • memory/4028-22-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-23-0x00000000083F0000-0x00000000083F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-24-0x0000000008280000-0x0000000008281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-25-0x0000000009030000-0x0000000009031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-26-0x0000000008F60000-0x0000000008F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-27-0x0000000008FC0000-0x0000000008FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-28-0x0000000009870000-0x0000000009871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-29-0x000000000A3F0000-0x000000000A3F1000-memory.dmp
    Filesize

    4KB

    Download