Malware Analysis Report

2024-07-11 07:30

Sample ID 220520-w6jz9afadn
Target 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8
SHA256 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8
Tags
diamondfox botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

Threat Level: Known bad

The file 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8 was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-20 18:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 18:31

Reported

2022-05-20 18:34

Platform

win7-20220414-en

Max time kernel

41s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe

"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"

Network

N/A

Files

memory/1216-56-0x0000000000ADB000-0x0000000000AE7000-memory.dmp

memory/1216-57-0x0000000000220000-0x0000000000238000-memory.dmp

memory/1216-58-0x0000000000400000-0x000000000098D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 18:31

Reported

2022-05-20 18:34

Platform

win10v2004-20220414-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\gduaido\audiodg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe

"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe' -Destination 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 496

C:\Users\Admin\AppData\Local\gduaido\audiodg.exe

"C:\Users\Admin\AppData\Local\gduaido\audiodg.exe"
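
The process tree above shows the whole persistence move in one PowerShell line: copy the sample from the Temp directory into a freshly named folder under AppData\Local, wait 60 seconds, then start the copy under the name of a legitimate Windows binary (audiodg.exe, which on a healthy host lives only in System32). The dropped file carries the same SHA256 as the submitted sample, so it is a self-copy rather than a second-stage payload. The following detection logic is an added example written for this page, not output of the sandbox or code from the malware: it parses that command line, flags the system-binary name running outside the system directories, and confirms the self-copy from the file hash. The event record schema and the allowlist of protected binary names are assumptions of the example; the paths, PIDs, command lines and hash are the ones this report shows.

```python
import re

# Constructed event records modelled on the behavioral2 process tree and file
# listing of this report. The paths, PIDs, command lines and hash are the ones
# the report shows; the record schema is an assumption of this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\gduaido\audiodg.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SHA256 = "0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8"

EVENTS = [
    {"type": "process", "pid": 4224, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 4136, "image": POWERSHELL,
     "cmdline": f"powershell Copy-Item -Path '{SAMPLE}' -Destination '{DROPPED}';"
                f"Start-Sleep -s 60;Start-Process '{DROPPED}'"},
    {"type": "file_write", "pid": 4136, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process", "pid": 4524, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
]

# Names of Windows binaries that only run from the system directories on a
# healthy host (assumed allowlist; extend it from your own baseline).
SYSTEM_BINARIES = {"audiodg.exe", "svchost.exe", "conhost.exe", "dllhost.exe",
                   "csrss.exe", "lsass.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Copy-Item ... -Destination ...; Start-Sleep -s N; Start-Process ... on one line.
COPY_RE = re.compile(
    r"Copy-Item\s+(?:-Path\s+)?(['\"])(?P<src>.+?)\1\s+-Destination\s+(['\"])(?P<dst>.+?)\3",
    re.IGNORECASE)
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(?P<secs>\d+)", re.IGNORECASE)
START_RE = re.compile(r"Start-Process\s+(?:-FilePath\s+)?(['\"])(?P<target>.+?)\1",
                      re.IGNORECASE)


def is_masquerading(image: str) -> bool:
    """True when a protected system-binary name runs from outside System32/SysWOW64."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS)


def parse_copy_and_relaunch(cmdline: str):
    """Return {src, dst, delay, started} for a copy-then-start chain, else None."""
    copy = COPY_RE.search(cmdline)
    start = START_RE.search(cmdline)
    if not (copy and start):
        return None
    sleep = SLEEP_RE.search(cmdline)
    return {"src": copy["src"], "dst": copy["dst"],
            "delay": int(sleep["secs"]) if sleep else 0,
            "started": start["target"]}


def analyze(events, sample_sha256):
    """Walk the event list and return human-readable findings."""
    findings = []
    written = {e["path"].lower(): e["sha256"] for e in events if e["type"] == "file_write"}
    for e in events:
        if e["type"] != "process":
            continue
        chain = parse_copy_and_relaunch(e["cmdline"])
        if chain:
            delay = f" after a {chain['delay']}s sleep" if chain["delay"] else ""
            findings.append(f"pid {e['pid']}: PowerShell copies {chain['src']} to "
                            f"{chain['dst']} and starts it{delay}")
            # Same hash as the submitted sample: the 'dropped EXE' is the sample
            # relocating itself, not a second-stage payload.
            if (chain["started"].lower() == chain["dst"].lower()
                    and written.get(chain["dst"].lower()) == sample_sha256):
                findings.append(f"pid {e['pid']}: dropped file is a byte-identical "
                                "self-copy of the sample")
        if is_masquerading(e["image"]):
            findings.append(f"pid {e['pid']}: {e['image']} masquerades as a Windows "
                            "system binary outside the system directories")
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS, SAMPLE_SHA256):
        print(line)
```

The Start-Sleep in the middle of the chain matters for detection: the relaunch lands a full minute after the PowerShell process starts, so any rule that correlates the parent and the dropped child only within a few seconds will miss it. Matching on the command line itself, or on the image-name-versus-directory mismatch of the child, does not depend on that timing.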

Network

Country  Destination           Domain                 Proto
NL       20.190.160.132:443    -                      tcp
US       93.184.221.240:80     -                      tcp
NL       20.190.160.4:443      -                      tcp
IE       20.50.80.210:443      -                      tcp
NL       20.190.160.8:443      -                      tcp
US       93.184.220.29:80      -                      tcp
US       204.79.197.203:80     -                      tcp
NL       20.190.160.134:443    -                      tcp
US       93.184.221.240:80     -                      tcp
US       93.184.221.240:80     -                      tcp
NL       20.190.160.2:443      -                      tcp
US       8.8.8.8:53            www.microsoft.com      udp
BR       2.16.233.156:80       www.microsoft.com      tcp
US       8.8.8.8:53            conhost.pw             udp
NL       20.190.160.6:443      -                      tcp
US       8.8.8.8:53            msword-security.site   udp
NL       20.190.160.129:443    -                      tcp
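
Most rows in this table are TCP sessions to port 443 and 80 with no DNS name attached, and only three DNS lookups are recorded. The triage question is which names the sample itself asked for and whether a connection ever followed. The script below is an added example written for this page, not sandbox output: it parses the report's network rows (it accepts both the flattened three-field rows and rows with a "-" in the Domain column), separates lookups from sessions, and reports the queried domains that are not on a sandbox baseline and the ones that were never followed by a TCP session. The baseline set containing only www.microsoft.com is an assumption of the example; the rows are the ones this report lists.

```python
from collections import Counter

# The behavioral2 network rows from this report, in the flattened
# "Country Destination [Domain] Proto" layout the report uses; the Domain
# field is simply absent on rows that carry no DNS name.
NETWORK_ROWS = """\
NL 20.190.160.132:443 tcp
US 93.184.221.240:80 tcp
NL 20.190.160.4:443 tcp
IE 20.50.80.210:443 tcp
NL 20.190.160.8:443 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 20.190.160.134:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 20.190.160.2:443 tcp
US 8.8.8.8:53 www.microsoft.com udp
BR 2.16.233.156:80 www.microsoft.com tcp
US 8.8.8.8:53 conhost.pw udp
NL 20.190.160.6:443 tcp
US 8.8.8.8:53 msword-security.site udp
NL 20.190.160.129:443 tcp
"""

# Domains a clean sandbox VM is expected to resolve on its own. This is an
# assumption of the example; build the real list from a detonation of a
# benign file on the same VM image.
BASELINE_DOMAINS = {"www.microsoft.com"}


def parse_rows(text: str):
    """Parse the flattened table into dicts; a 3-field row (or '-') has no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue  # blank line
        if ":" not in dest:
            continue  # header line
        if domain == "-":
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(rows):
    """Separate DNS lookups from sessions and pull out the names worth chasing."""
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    unattributed = sorted({r["ip"] for r in rows if r["proto"] == "tcp" and not r["domain"]})
    return {
        # Looked up during the run and not explained by the sandbox baseline.
        "suspect_domains": sorted(queried - BASELINE_DOMAINS),
        # Looked up but never followed by a TCP session inside the capture.
        "queried_never_connected": sorted(queried - connected),
        # TCP peers with no DNS name in the capture: candidates for passive-DNS pivots.
        "unattributed_ips": unattributed,
        "tcp_ports": Counter(r["port"] for r in rows if r["proto"] == "tcp"),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On this report the two names left after baselining are conhost.pw and msword-security.site, and neither is followed by a TCP session. The capture does not say why: the lookups may have returned no address, or the sample may not have connected within the 151 s network window, so both names should be treated as IOCs to block and pivot on rather than as confirmed live C2.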

Files

memory/4224-132-0x0000000000B69000-0x0000000000B75000-memory.dmp

memory/4224-133-0x0000000000B30000-0x0000000000B48000-memory.dmp

memory/4224-134-0x0000000000400000-0x000000000098D000-memory.dmp

memory/4136-135-0x0000000000000000-mapping.dmp

memory/4136-136-0x0000000003080000-0x00000000030B6000-memory.dmp

memory/4136-137-0x0000000005A80000-0x00000000060A8000-memory.dmp

memory/4136-138-0x00000000059C0000-0x00000000059E2000-memory.dmp

memory/4136-139-0x00000000060B0000-0x0000000006116000-memory.dmp

memory/4136-140-0x0000000006120000-0x0000000006186000-memory.dmp

memory/4136-141-0x0000000006990000-0x00000000069AE000-memory.dmp

memory/4136-143-0x0000000006E60000-0x0000000006E7A000-memory.dmp

memory/4136-142-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/4136-144-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

memory/4136-145-0x0000000007FC0000-0x0000000008564000-memory.dmp

memory/4136-146-0x0000000008BF0000-0x000000000926A000-memory.dmp

C:\Users\Admin\AppData\Local\gduaido\audiodg.exe

MD5 c8830b9e611ef52f5d4dcddee87c2ba1
SHA1 fc7f516a1cc9916405e1f15f0be2432b356efe86
SHA256 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8
SHA512 dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9

memory/4524-147-0x0000000000000000-mapping.dmp

memory/4524-152-0x0000000000B49000-0x0000000000B55000-memory.dmp

memory/4524-153-0x0000000000400000-0x000000000098D000-memory.dmp