Malware Analysis Report

2024-07-11 07:30

Sample ID 220708-ldql8abcbl
Target 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA256 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
Tags
diamondfox botnet evasion persistence stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d

Threat Level: Known bad

The file 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet evasion persistence stealer trojan

UAC bypass

DiamondFox

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Deletes itself

Windows security modification

Drops startup file

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-08 09:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-08 09:25

Reported

2022-07-08 16:55

Platform

win7-20220414-en

Max time kernel

39s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"

Signatures

DiamondFox

botnet stealer diamondfox

UAC bypass

evasion trojan
Description     | Indicator                                                                              | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Windows security bypass

evasion trojan
Description     | Indicator                                                                             | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Executes dropped EXE

Description | Indicator | Process                                                                                  | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Deletes itself

Description | Indicator | Process                     | Target
N/A         | N/A       | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description                  | Indicator                                                                              | Process                                                                                  | Target
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Windows security modification

evasion trojan
Description     | Indicator                                                                             | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                         | Process                                                                                  | Target
Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\run                                                                                                            | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx = "C:\\Users\\Admin\\AppData\\Roaming\\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\\atiedxx.exe" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description     | Indicator                                                                              | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                                                                                                  | Target                                                                                   | Occurrences
PID 1640 wrote to memory of 1756 | N/A       | C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | 4
PID 1640 wrote to memory of 1804 | N/A       | C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe | C:\Windows\SysWOW64\cmd.exe                                                              | 4

The sandbox reports each row four times; the repeats are identical and are counted in the last column rather than listed. These rows also fix the process identities for this run: 1640 is the dropper, 1756 is atiedxx.exe, 1804 is cmd.exe.

System policy modification

evasion
Description     | Indicator                                                                              | Process                                                                                  | Target
Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System               | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe (PID 1640, per the WriteProcessMemory rows above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"

C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe (PID 1756, written to by 1640)
  Command line: C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

C:\Windows\SysWOW64\cmd.exe (PID 1804, written to by 1640)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd

The hex-named .cmd script in Temp is the process the "Deletes itself" signature above is attributed to; its contents are not included in the report, and it appears in the Files list with its own hashes.
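The registry, file and process indicators from the signature tables and the process list above, re-expressed as detection logic. This is an added example, not part of the sandbox report or of any DiamondFox tooling: it runs the report's signature names over Sysmon-style events (EventID 1 process creation, 11 file creation, 13 registry value set) constructed from the behavioral1 rows, plus one constructed benign control. The Sysmon field names and the `DWORD (0x...)` value formatting mimic Sysmon's output; the "Deletes itself" heuristic (cmd.exe executing a hex-named .cmd out of a Temp directory on behalf of a parent that also lives in Temp) is an assumption about what the sandbox keyed on, not the sandbox's own rule.

```python
"""Added example, not part of the sandbox report: the report's registry-, file-
and process-based signatures as detection logic over Sysmon-style events.
EventID 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS is CONSTRUCTED from the behavioral1 indicator rows; it is not
a real Sysmon capture, and field names / value formatting only mimic Sysmon."""
import re

ATIEDXX = (r"C:\Users\Admin\AppData\Roaming"
           r"\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe")
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17d"
           r"ab2189f2cd6885f3d8291106508a019d.exe")

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": ATIEDXX, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": ATIEDXX, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify"},
    {"EventID": 13, "Image": ATIEDXX, "Details": ATIEDXX,
     "TargetObject": r"HKU\S-1-5-21-790309383-526510583-3802439154-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx"},
    {"EventID": 11, "Image": ATIEDXX,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\atiedxx.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": r"cmd /c C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd"},
    # Constructed benign control: an admin turning UAC back on must not fire.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]

_DWORD = re.compile(r"DWORD \(0x([0-9a-f]+)\)", re.I)
_RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed heuristic for the report's "Deletes itself": cmd.exe running a
# hex-named .cmd from a Temp directory on behalf of a parent that lives in Temp.
_TEMP_CMD = re.compile(r"/c\s+\S*\\Temp\\[0-9A-F]+\.cmd$", re.I)


def dword_value(details):
    """Integer value of a Sysmon-formatted DWORD, or None for anything else."""
    m = _DWORD.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def registry_signatures(ev):
    """Signatures for one registry-value-set event (EventID 13)."""
    key = ev["TargetObject"].lower()
    value = dword_value(ev.get("Details"))
    hits = []
    # One write carries two of the report's labels; both key on the value 0,
    # so re-enabling UAC (value 1) does not fire.
    if key.endswith(r"\policies\system\enablelua") and value == 0:
        hits += ["UAC bypass", "System policy modification"]
    # Wow6432Node is not required: a 64-bit writer would hit the unredirected key.
    if key.endswith(r"\security center\uacdisablenotify") and value == 0:
        hits.append("Windows security bypass")
    if _RUN_VALUE.search(ev["TargetObject"]):
        hits.append("Adds Run key to start application")
    return hits


def file_signatures(ev):
    """Signatures for one file-create event (EventID 11)."""
    if _STARTUP_DIR.search(ev.get("TargetFilename", "")):
        return ["Drops startup file"]
    return []


def process_signatures(ev):
    """Signatures for one process-create event (EventID 1)."""
    if (ev.get("Image", "").lower().endswith(r"\cmd.exe")
            and _TEMP_CMD.search(ev.get("CommandLine", ""))
            and "\\temp\\" in ev.get("ParentImage", "").lower()):
        return ["Deletes itself"]
    return []


_DISPATCH = {13: registry_signatures, 11: file_signatures, 1: process_signatures}


def run_signatures(events):
    """One (signature, process, indicator) tuple per match, in event order."""
    findings = []
    for ev in events:
        check = _DISPATCH.get(ev["EventID"])
        for sig in (check(ev) if check else []):
            indicator = (ev.get("TargetObject") or ev.get("TargetFilename")
                         or ev.get("CommandLine"))
            findings.append((sig, ev["Image"], indicator))
    return findings


def fired(events):
    """Distinct signature names, sorted, for comparison with the report's list."""
    return sorted({sig for sig, _, _ in run_signatures(events)})


if __name__ == "__main__":
    for sig, image, indicator in run_signatures(SAMPLE_EVENTS):
        print(f"{sig:36} {image}\n{'':36} {indicator}")
```

Run directly, it prints one finding per line. The control event (regedit setting EnableLUA back to 1) produces nothing, which is the check worth keeping if any of this becomes a production rule: the report's EnableLUA rows fire on the value 0 being written, not on the key being touched, and a rule that alerts on every write to that key will page on every UAC re-enable.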

Network

Country | Destination     | Domain            | Proto
US      | 8.8.8.8:53      | www.microsoft.com | udp
NL      | 104.85.1.163:80 | www.microsoft.com | tcp
US      | 8.8.8.8:53      | doneittz.biz      | udp

doneittz.biz is the only non-Microsoft name queried in this run. The capture records the DNS query but no follow-up TCP connection to a resolved address, so the domain, not an IP, is the usable network indicator. The www.microsoft.com lookup and connection are a common connectivity check and are not indicative on their own.

Files

Memory dump names are PID, then a sequence number, then the dumped address range. In this run PID 1640 is the dropper, 1756 is atiedxx.exe and 1804 is cmd.exe (see the WriteProcessMemory rows above).

memory/1640-54-0x0000000076241000-0x0000000076243000-memory.dmp

memory/1640-57-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

MD5 2878d36d310c8195df391ca5b4dc4a18
SHA1 7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA256 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA512 47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

The sandbox lists this file four times (twice as \Users\... and twice as C:\Users\...) with identical hashes; the repeats are collapsed here. The hashes are those of the submitted sample, so the dropped file is a byte-for-byte copy of the dropper rather than a second-stage payload. Note the parent directory name: it begins with lpt1, a reserved DOS device name, and Win32 path handling treats lpt1.<anything> as the LPT1 device, so the directory is awkward to inspect or delete from Explorer or cmd without the \\?\ path prefix.

memory/1756-60-0x0000000000000000-mapping.dmp

memory/1804-66-0x0000000000000000-mapping.dmp

memory/1640-67-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\885F6E69.cmd

MD5 ca1ffe0fe322c68b060817133ecb3f46
SHA1 0e328bd94191464aec57a93809031ff42f88edba
SHA256 6bbef442aced4b121ea186e0263b535d41a1c5d524532b586f7ed3c76cd82c31
SHA512 8e31736d2a15ed31752f35225bddb8551199667a3ac143342f259b0c729a3d94ff496fc3984d5d6c3a78e97ca04d86250b16c4e9b86e1c32667782820b939149

memory/1756-69-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-70-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-71-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-08 09:25

Reported

2022-07-08 16:54

Platform

win10v2004-20220414-en

Max time kernel

116s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"

Signatures

DiamondFox

botnet stealer diamondfox

UAC bypass

evasion trojan
Description     | Indicator                                                                              | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Windows security bypass

evasion trojan
Description     | Indicator                                                                             | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Executes dropped EXE

Description | Indicator | Process                                                                                  | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Drops startup file

Description                  | Indicator                                                                              | Process                                                                                  | Target
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Windows security modification

evasion trojan
Description     | Indicator                                                                             | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                           | Process                                                                                  | Target
Key created     | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\run                                                                                                            | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atiedxx = "C:\\Users\\Admin\\AppData\\Roaming\\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\\atiedxx.exe" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description     | Indicator                                                                              | Process                                                                                  | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Enumerates physical storage devices

System policy modification

evasion
Description     | Indicator                                                                              | Process                                                                                  | Target
Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System               | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d.exe"

C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe
  Command line: C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0B991030.cmd

The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the dropper is a 32-bit process, so WOW64 file-system redirection resolves its system32 reference to SysWOW64 (the same redirection is why its Security Center write lands under WOW6432Node). The hex-named .cmd in Temp matches the pattern behavioral1 attributes to "Deletes itself", but that signature did not fire on this Windows 10 run and the script's contents are not included in the report.

Network

Country | Destination      | Domain            | Proto
US      | 93.184.220.29:80 | (none recorded)   | tcp
US      | 8.8.8.8:53       | www.microsoft.com | udp
NL      | 104.85.1.163:80  | www.microsoft.com | tcp
US      | 8.8.8.8:53       | doneittz.biz      | udp
US      | 20.44.10.122:443 | (none recorded)   | tcp
NL      | 8.248.7.254:80   | (none recorded)   | tcp
NL      | 8.248.7.254:80   | (none recorded)   | tcp

As in behavioral1, doneittz.biz is queried but no TCP connection to it is recorded. The destinations with no domain have no matching DNS query in the capture; on a Windows 10 sandbox image such connections are frequently OS background traffic, so do not attribute them to the sample without corroboration from the process-level network events.

Files

memory/4512-132-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3764-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lpt1.{1D2680C9-0E2A-469d-B787-065558BC7D43}\atiedxx.exe

MD5 2878d36d310c8195df391ca5b4dc4a18
SHA1 7f6c436cde7e133abe38c99a9a2ecbccbe9c6c0a
SHA256 40cd3ee8561842ec1780e81a6833f17dab2189f2cd6885f3d8291106508a019d
SHA512 47cdab2668ba96606c784ccb68ba9ae0f03488db4b9d17a51aa9f1a176e8daf06fca7c2c2ba474b5d140a05221eb27d9cc7670ed149b4b41a5d31a3e3ec3a3a3

The sandbox lists this file twice with identical hashes; the repeat is collapsed here. As in behavioral1, the hashes match the submitted sample: the dropped file is a copy of the dropper.

memory/4488-138-0x0000000000000000-mapping.dmp

memory/4512-139-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0B991030.cmd

MD5 b9b4a55a76f698ac1f701a7d6ae4c6bf
SHA1 039f33d7597d31dd9ff5d680054b021a19dbc41c
SHA256 c12ecbf7ca96f3ec39bc940bb889554cf33a51ffc5e8fa52aab59eee16685adf
SHA512 9316006d42e9f06d9f3b6f9d492605db2cd0d92d83b7e50d9bb93030890cf15c2835bbe6b122e5fa4b01a095f877c9b5526ea3925df069a0208e96a3e166cd7f

The dropped .cmd differs from the behavioral1 run in both name and hashes, so its hashes are not a stable indicator; the Temp-path naming pattern and the cmd.exe command line are.

memory/3764-141-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3764-142-0x0000000000400000-0x0000000000411000-memory.dmp