Analysis
-
max time kernel
221s -
max time network
235s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2022 05:06
Static task
static1
Behavioral task
behavioral1
Sample
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Resource
win10v2004-20220721-en
General
-
Target
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
-
Size
569KB
-
MD5
1da9a3e209139bef422041960aba6464
-
SHA1
00f40230e43aeabb7ef3fb3332a29b59e95e24f9
-
SHA256
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
-
SHA512
f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
resource yara_rule behavioral2/memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp diamondfox behavioral2/memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp diamondfox behavioral2/memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 4800 lsass.exe -
resource yara_rule behavioral2/memory/4420-132-0x0000000000400000-0x0000000000494000-memory.dmp upx behavioral2/memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp upx behavioral2/memory/4800-142-0x0000000000400000-0x0000000000494000-memory.dmp upx behavioral2/memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp upx behavioral2/memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 lsass.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 lsass.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 4800 lsass.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4420 wrote to memory of 3420 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 82 PID 4420 wrote to memory of 3420 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 82 PID 4420 wrote to memory of 4800 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 83 PID 4420 wrote to memory of 4800 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 83 PID 4420 wrote to memory of 4800 4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"1⤵
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3420
-
-
C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 02⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4800
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
569KB
MD51da9a3e209139bef422041960aba6464
SHA100f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23
-
Filesize
569KB
MD51da9a3e209139bef422041960aba6464
SHA100f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23