Malware Analysis Report

2024-07-11 07:31

Sample ID 220731-frpn7ahed9
Target aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA256 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
Tags
diamondfox botnet infostealer stealer upx
score
10/10

Analysis Overview

score
10/10

SHA256

aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9

Threat Level: Known bad

The file aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9 was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer upx

DiamondFox

DiamondFox payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-31 05:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-31 05:06

Reported

2022-07-31 07:28

Platform

win7-20220715-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
NL 2.21.41.70:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
US 8.8.8.8:53 rusav2.icu udp
US 8.8.8.8:53 rusav3.icu udp

Files

memory/1992-54-0x0000000076291000-0x0000000076293000-memory.dmp

memory/1992-55-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1952-56-0x0000000000000000-mapping.dmp

memory/1992-57-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1992-60-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1992-61-0x0000000000400000-0x0000000000494000-memory.dmp

\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 1da9a3e209139bef422041960aba6464
SHA1 00f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512 f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

memory/1244-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 1da9a3e209139bef422041960aba6464
SHA1 00f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512 f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

memory/1992-68-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1244-69-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1244-73-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1244-74-0x0000000000400000-0x0000000000494000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-31 05:06

Reported

2022-07-31 07:29

Platform

win10v2004-20220721-en

Max time kernel

221s

Max time network

235s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe

"C:\Users\Admin\AppData\Local\Temp\aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 20.189.173.9:443 tcp
US 93.184.221.240:80 tcp
US 8.247.211.254:80 tcp
NL 20.31.108.18:443 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 2.21.41.70:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
US 8.8.8.8:53 rusav2.icu udp
US 8.8.8.8:53 rusav3.icu udp
US 8.8.8.8:53 rusav4.icu udp

Files

memory/4420-130-0x0000000000400000-0x0000000000494000-memory.dmp

memory/3420-131-0x0000000000000000-mapping.dmp

memory/4420-132-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4800-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 1da9a3e209139bef422041960aba6464
SHA1 00f40230e43aeabb7ef3fb3332a29b59e95e24f9
SHA256 aee8df317acf19c8b0645de2ad4595d85281eeaeaf5b9b8f8786c647f8365de9
SHA512 f9d8c905ff143dac5b95be12afd21698795211a639b2977fa0f993221bf2ee86cc1eb8253433dda8e70c58ee559b92d094c75d8750cfa7ed7e1f7316b8621f23

memory/4800-140-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4420-139-0x0000000000A80000-0x0000000000A95000-memory.dmp

memory/4420-141-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4800-142-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4800-146-0x0000000000400000-0x0000000000494000-memory.dmp

memory/4800-147-0x0000000000400000-0x0000000000494000-memory.dmp