Malware Analysis Report

2024-07-11 07:30

Sample ID: 220701-rmjg6ahdd6
Target: 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
SHA256: 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
Tags: diamondfox, botnet, infostealer, stealer, upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248

Threat Level: Known bad

The file 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248 was found to be: Known bad.

Malicious Activity Summary

Tags: diamondfox, botnet, infostealer, stealer, upx

DiamondFox

DiamondFox payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-01 14:18

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
(1 match; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-01 14:18

Reported

2022-07-01 14:46

Platform

win7-20220414-en

Max time kernel

144s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Signatures

DiamondFox (tags: botnet, stealer, diamondfox)

DiamondFox payload (tag: infostealer)

Description Indicator Process Target
(4 matches; all fields N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file (tag: upx)

Description Indicator Process Target
(12 matches; all fields N/A)

Enumerates physical storage devices

Processes

Image: C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Image: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288

Image: C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
Command line: "C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country  Destination        Domain             Proto
US       8.8.8.8:53         www.microsoft.com  udp
NL       104.85.1.163:80    www.microsoft.com  tcp
US       8.8.8.8:53         rusav1.icu         udp
US       8.8.8.8:53         rusav2.icu         udp
US       8.8.8.8:53         rusav3.icu         udp

Files

memory/108-54-0x0000000075A61000-0x0000000075A63000-memory.dmp
memory/108-55-0x0000000000400000-0x000000000049C000-memory.dmp
memory/108-56-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2024-57-0x0000000000000000-mapping.dmp
memory/108-58-0x00000000002B0000-0x00000000002C5000-memory.dmp
memory/108-59-0x0000000000400000-0x000000000049C000-memory.dmp
memory/108-63-0x0000000000400000-0x000000000049C000-memory.dmp

\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
  MD5    17a1f7e98731df9b74b98accb650d50e
  SHA1   64a96c0cfd3884f682b1b56f3e9e1b880849694f
  SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
  SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/920-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
  MD5    17a1f7e98731df9b74b98accb650d50e
  SHA1   64a96c0cfd3884f682b1b56f3e9e1b880849694f
  SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
  SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/108-68-0x0000000000400000-0x000000000049C000-memory.dmp
memory/920-69-0x0000000000400000-0x000000000049C000-memory.dmp
memory/920-70-0x0000000000400000-0x000000000049C000-memory.dmp
memory/920-74-0x0000000000400000-0x000000000049C000-memory.dmp
memory/920-75-0x0000000000400000-0x000000000049C000-memory.dmp
memory/920-76-0x0000000000400000-0x000000000049C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 14:18

Reported

2022-07-01 14:46

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Signatures

DiamondFox (tags: botnet, stealer, diamondfox)

DiamondFox payload (tag: infostealer)

Description Indicator Process Target
(4 matches; all fields N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file (tag: upx)

Description Indicator Process Target
(12 matches; all fields N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Image: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288

Image: C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
Command line: "C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country  Destination          Domain                    Proto
NL       20.190.160.9:443     -                         tcp
US       93.184.220.29:80     -                         tcp
US       8.247.211.126:80     -                         tcp
US       8.247.211.126:80     -                         tcp
GB       51.104.15.253:443    -                         tcp
US       8.247.211.126:80     -                         tcp
US       8.247.211.126:80     -                         tcp
US       8.247.211.126:80     -                         tcp
US       93.184.220.29:80     -                         tcp
NL       20.190.160.135:443   -                         tcp
US       8.8.8.8:53           www.microsoft.com         udp
NL       104.85.1.163:80      www.microsoft.com         tcp
NL       40.126.32.67:443     -                         tcp
NL       104.85.1.163:80      www.microsoft.com         tcp
US       8.8.8.8:53           rusav1.icu                udp
NL       8.238.24.126:80      -                         tcp
US       8.252.117.126:80     -                         tcp
NL       40.126.32.73:443     -                         tcp
US       8.8.8.8:53           www.microsoft.com         udp
US       8.8.8.8:53           rusav2.icu                udp
US       8.8.8.8:53           164.2.77.40.in-addr.arpa  udp

("-" in the Domain column means no domain was recorded for that connection.)

Files

memory/3932-130-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3932-131-0x0000000000400000-0x000000000049C000-memory.dmp
memory/4228-132-0x0000000000000000-mapping.dmp
memory/3932-133-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3932-137-0x0000000000A70000-0x0000000000CF1000-memory.dmp
memory/3932-138-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
  MD5    17a1f7e98731df9b74b98accb650d50e
  SHA1   64a96c0cfd3884f682b1b56f3e9e1b880849694f
  SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
  SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/3932-142-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-143-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-144-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-145-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-149-0x0000000002760000-0x0000000002775000-memory.dmp
memory/5112-150-0x0000000000400000-0x000000000049C000-memory.dmp
memory/5112-151-0x0000000000400000-0x000000000049C000-memory.dmp