diamondfox | aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9

General

Target

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Size

569KB
MD5

1da9a3e209139bef422041960aba6464
SHA1

00f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512

f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

Score

10^/10

diamondfox botnet infostealer stealer upx

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp	diamondfox
behavioral2/memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp	diamondfox
behavioral2/memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

4800 lsass.exe

pid	process
4800	lsass.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4420-132-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4800-142-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	lsass.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	lsass.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exelsass.exe

pid process

4420 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
4800 lsass.exe

pid	process
4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
4800	lsass.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

description	pid	process	target process
PID 4420 wrote to memory of 3420	4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe	splwow64.exe
PID 4420 wrote to memory of 3420	4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe	splwow64.exe
PID 4420 wrote to memory of 4800	4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe	lsass.exe
PID 4420 wrote to memory of 4800	4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe	lsass.exe
PID 4420 wrote to memory of 4800	4420	aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe
"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"
1⤵
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3420
- C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe
  "C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

Filesize
569KB

MD5
1da9a3e209139bef422041960aba6464

SHA1
00f40230e43aeabb7ef3fb3332a29b59e95e24f9

SHA256
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9

SHA512
f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

Download Submit
C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

Filesize
569KB

MD5
1da9a3e209139bef422041960aba6464

SHA1
00f40230e43aeabb7ef3fb3332a29b59e95e24f9

SHA256
aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9

SHA512
f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

Download Submit
memory/3420-131-0x0000000000000000-mapping.dmp

Download
memory/4420-130-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4420-132-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4420-139-0x0000000000A80000-0x0000000000A95000-memory.dmp

Filesize
84KB

Download
memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4800-136-0x0000000000000000-mapping.dmp

Download
memory/4800-140-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4800-142-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads