Malware Analysis Report

2024-07-11 07:30

Sample ID 221026-2d36bahedp
Target 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f
SHA256 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f
Tags
diamondfox botnet evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f

Threat Level: Known bad

The file 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet evasion persistence stealer trojan

Windows security bypass

UAC bypass

DiamondFox

Executes dropped EXE

Drops startup file

Loads dropped DLL

Windows security modification

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Enumerates physical storage devices

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-10-26 22:28

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-26 22:28

Reported

2022-10-26 22:38

Platform

win10v2004-20220812-en

Max time kernel

504s

Max time network

507s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe"

Signatures

DiamondFox

botnet stealer diamondfox

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\run | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\\explorer.exe" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Enumerates physical storage devices

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
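
Reading the tables above: the three UAC-related signatures (UAC bypass, Checks whether UAC is enabled, System policy modification) are all raised by one write, EnableLUA = 0, and the two Security Center signatures by one write of UACDisableNotify, so the summary lists more distinct behaviour than the sample shows. EnableLUA sits under HKLM, which only an already-elevated process can write (the sandbox user is Admin), and the change applies at the next logon, so this is UAC disablement rather than a bypass of a live prompt. The Security Center write lands under Wow6432Node, which marks the writer as a 32-bit process (the Policies key is shared between registry views, so EnableLUA shows no redirection). The drop folder lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D} combines a reserved DOS device name, LPT9, which Win32 path handling resolves to the device so Explorer and del cannot open or remove the folder, with the CLSID of the Printers shell folder, which makes Explorer display it as Printers. The dropped explorer.exe carries the same SHA256 as the sample (Files, below), so it is a self-copy rather than a second stage. The same rows recur in behavioral1 further down. The Python that follows is an added example, not sandbox output: it parses rows as printed in these tables, drops the repeated events, and labels them. The ATT&CK technique IDs are the editor's mapping (the report's matrix section above is empty), and the embedded rows are copied from the behavioral2 tables.

```python
"""Label the registry/file indicator rows of this report (editor-added example, not sandbox output)."""
import re
from typing import NamedTuple, Optional

# ATT&CK IDs used as labels: the editor's mapping, since the report's own matrix section is empty.
T_UAC, T_IMPAIR, T_AUTOSTART = "T1548.002", "T1562.001", "T1547.001"   # UAC bypass, disable tools, Run key/Startup
T_MASQUERADE, T_MODIFY_REG = "T1036.005", "T1112"                      # legit name/location, modify registry

RESERVED_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                         | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)})
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
REAL_EXPLORER = re.compile(r"^[a-z]:\\windows\\explorer\.exe$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# One row = the Description cell followed by the Indicator cell, exactly as printed in the tables.
ROW = re.compile(r'^(?P<op>Set value \((?:int|str)\)|Key created|File created|File opened for modification) '
                 r'(?P<path>\S.*?)(?: = "(?P<value>.*)")?$')

# Constructed input: rows copied from the behavioral2 tables, including one of the repeats the report prints.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\run',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\\explorer.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
]


class Event(NamedTuple):
    op: str
    path: str
    value: Optional[str]


def parse_row(row: str) -> Event:
    m = ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # quoted values are printed with doubled backslashes
    return Event(m.group("op"), m.group("path"), value)


def path_notes(win_path: str) -> list:
    """Flag path components that abuse Win32 name handling (the lpt9.{CLSID} folder above does both)."""
    notes = []
    for comp in win_path.split("\\"):
        if comp.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES:
            notes.append(f"'{comp}' starts with a reserved DOS device name: Win32 path normalisation maps it to "
                         "the device, so Explorer and del cannot open or remove the folder without a \\\\?\\ prefix")
        if CLSID_SUFFIX.search(comp):
            notes.append(f"'{comp}' ends in a CLSID: Explorer shows the folder as that shell object, not its contents")
    return notes


def masquerade_note(win_path: str) -> Optional[str]:
    low = win_path.lower()
    if low.endswith("\\explorer.exe") and not REAL_EXPLORER.match(low):
        return f"explorer.exe outside %WINDIR%: {win_path}"
    return None


def classify(ev: Event) -> list:
    low, out = ev.path.lower(), []
    if low.endswith("\\policies\\system\\enablelua") and ev.value == "0":
        out.append((T_UAC, "EnableLUA=0 under HKLM: UAC off for every account at next logon. Only an already-"
                           "elevated process can write HKLM (sandbox user is 'Admin'), so this disables UAC "
                           "rather than bypassing a prompt"))
    elif "\\security center\\" in low and low.endswith("disablenotify"):
        arch = "32-bit writer, Wow6432Node redirection" if "\\wow6432node\\" in low else "native writer"
        out.append((T_IMPAIR, f"Security Center notification policy written ({arch}), value {ev.value!r}; "
                              "1 suppresses the notification, so verify what 0 changes before calling it evasion"))
    elif "\\currentversion\\run" in low and ev.op.startswith("Set value"):
        name, target = ev.path.rsplit("\\", 1)[-1], ev.value or ""
        where = "user-writable" if any(p in target.lower() for p in USER_WRITABLE) else "system"
        out.append((T_AUTOSTART, f"Run value '{name}' -> {target} ({where} location)"))
        out += [(T_MASQUERADE, masquerade_note(target))] if masquerade_note(target) else []
        out += [(T_AUTOSTART, n) for n in path_notes(target)]
    elif ev.op.startswith("File") and "\\start menu\\programs\\startup\\" in low:
        out.append((T_AUTOSTART, f"Startup-folder drop: {ev.path}"))
        out += [(T_MASQUERADE, masquerade_note(ev.path))] if masquerade_note(ev.path) else []
    elif ev.op == "Key created":
        out.append((T_MODIFY_REG, f"key created: {ev.path}"))
    return out


def triage(rows) -> list:
    """Parse, drop repeated events (one write is listed under several signature names), label, de-duplicate."""
    seen, findings = set(), []
    for ev in map(parse_row, rows):
        if ev not in seen:
            seen.add(ev)
            findings += [f for f in classify(ev) if f not in findings]
    return findings


if __name__ == "__main__":
    for tech, msg in triage(SAMPLE_ROWS):
        print(tech, msg)
```

Run stand-alone it prints ten labelled findings for the eight rows: the repeated EnableLUA row collapses to a single T1548.002 entry, the Startup-folder create/open pair to one persistence entry, and the Run value yields the persistence label, the explorer.exe masquerade, and the two folder-name notes.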

Processes

C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe

"C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe"

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\F85A6F0F.cmd

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | - | tcp
US | 209.197.3.8:80 | - | tcp
US | 209.197.3.8:80 | - | tcp
US | 93.184.220.29:80 | - | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 104.85.1.163:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | someexampledomain.com | udp
NL | 104.80.225.205:443 | - | tcp
FR | 40.79.150.121:443 | - | tcp
US | 93.184.220.29:80 | - | tcp
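
The table lists raw flows without saying which ones matter. A first pass separates four things: resolver traffic (8.8.8.8:53 is the sandbox resolver), flows the sandbox tied to a resolved name (www.microsoft.com), flows to bare IPs with no name attached (either a hard-coded address or a DNS answer the sandbox did not correlate, so check the pcap before concluding), and names that were queried but never connected to (someexampledomain.com here; a name that failed to resolve or a sinkholed domain looks exactly like this). The Python below is an added example, not sandbox output; it embeds the rows of this table as constructed input and ranks bare-IP destinations by repeat count. That ranking is a pivot for further work, not an attribution: nothing in the report identifies which of these hosts, if any, is the DiamondFox controller.

```python
"""Sort a sandbox network table into resolver noise, named flows, bare-IP flows and dead lookups
(editor-added example; input rows copied from the behavioral2 Network table of this report)."""
import re
from collections import Counter

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?: (?P<domain>[A-Za-z0-9.-]+))? (?P<proto>tcp|udp)$")

# Constructed input: the rows of the table above, in the order printed.
SAMPLE_ROWS = [
    "US 209.197.3.8:80 tcp",
    "US 209.197.3.8:80 tcp",
    "US 209.197.3.8:80 tcp",
    "US 93.184.220.29:80 tcp",
    "US 8.8.8.8:53 www.microsoft.com udp",
    "NL 104.85.1.163:80 www.microsoft.com tcp",
    "US 8.8.8.8:53 someexampledomain.com udp",
    "NL 104.80.225.205:443 tcp",
    "FR 40.79.150.121:443 tcp",
    "US 93.184.220.29:80 tcp",
]


def parse_rows(rows):
    """Each row becomes (country, ip, port, domain_or_None, proto)."""
    flows = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        flows.append((m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def triage_network(rows):
    flows = parse_rows(rows)
    queried = set()     # names sent to the resolver
    named = {}          # name -> set of (ip, port, proto) the sandbox tied to it
    bare = Counter()    # (ip, port, proto) -> connection count, no name attached
    country = {}
    for cc, ip, port, domain, proto in flows:
        if port == 53 and proto == "udp":
            if domain:
                queried.add(domain)
            continue                      # resolver traffic is accounted for through `queried`
        key = (ip, port, proto)
        country[key] = cc
        if domain:
            named.setdefault(domain, set()).add(key)
        else:
            bare[key] += 1
    ranked = sorted(bare.items(), key=lambda kv: (-kv[1], kv[0]))  # most repeated first
    return {
        "bare_ip_flows": [(ip, port, proto, n, country[(ip, port, proto)]) for (ip, port, proto), n in ranked],
        "named_flows": {name: sorted(keys) for name, keys in named.items()},
        "dns_without_flow": sorted(queried - set(named)),
    }


def explain(result):
    """One analyst-readable line per item, with the caveat each category needs."""
    lines = []
    for ip, port, proto, n, cc in result["bare_ip_flows"]:
        lines.append(f"{ip}:{port}/{proto} ({cc}) x{n}: no name attached, so either a hard-coded address or an "
                     "uncorrelated DNS answer; confirm in the pcap. Repeated connections to one IP:port are a pivot")
    for name, keys in result["named_flows"].items():
        lines.append(f"{name}: {', '.join(f'{ip}:{port}/{proto}' for ip, port, proto in keys)} (resolved and contacted)")
    for name in result["dns_without_flow"]:
        lines.append(f"{name}: queried but never contacted (failed resolution, or a dead or sinkholed domain)")
    return lines


if __name__ == "__main__":
    for line in explain(triage_network(SAMPLE_ROWS)):
        print(line)
```

On this table the ranking puts 209.197.3.8:80 first (three connections, no name), 93.184.220.29:80 second (two), and leaves someexampledomain.com as the one name that was looked up and never reached.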

Files

memory/2152-134-0x0000000000400000-0x000000000041016C-memory.dmp

memory/3444-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

MD5 8f77d92060389f5733905710714556ce
SHA1 f817bbd59241f5dd732259784c2fabff78d1dfde
SHA256 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f
SHA512 313e5b16ac7d556a74d19b2610f5e811694c1a660a460604afe5272f416fb1f7f2d04cea173dc9f2ce392e42101225fa0850f03ceaf46616d52347c96097468a

memory/1476-140-0x0000000000000000-mapping.dmp

memory/2152-141-0x0000000000400000-0x000000000041016C-memory.dmp

memory/3444-142-0x0000000000400000-0x000000000041016C-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F85A6F0F.cmd

MD5 1a31794a138f978e14ed2de5a859f275
SHA1 53eaf941b22000b8b750eab91be2d6ffd844dadf
SHA256 7f5769551cbf84869763cc0be273a69a6a68b1eccf87a6b1d3cdee8cf329739c
SHA512 3e3d20cffee71268b9f5fac283b680707ee6bf1e8c683ef40886ffd03c9ebfb9eb75784d406b84a19f773c51ff2592d3ba61b0f0a40cdb3409a14340a4ea7c0a

memory/3444-144-0x0000000000400000-0x000000000041016C-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-26 22:28

Reported

2022-10-26 22:38

Platform

win7-20220812-en

Max time kernel

410s

Max time network

414s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe"

Signatures

DiamondFox

botnet stealer diamondfox

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\\explorer.exe" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\run | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1488 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe
PID 1488 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe
PID 1488 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe
PID 1488 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe
PID 1488 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe | C:\Windows\SysWOW64\cmd.exe
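
The eight rows above are PID 1488 (the sample) writing four times each into PID 1632 (the dropped explorer.exe) and PID 908 (cmd.exe). On this sandbox a parent that creates a child is recorded with a small, uniform batch of writes like this, because process creation itself writes the new process's parameters into its address space, so the count here does not by itself show injection; evidence of that would be writes into a process the parent did not create, or writes followed by remote thread creation, neither of which the report shows. Read together with the Processes list (cmd /c <Temp>\53FB11B8.cmd), the Deletes itself signature attributed to cmd.exe, and the Files section (the dropped explorer.exe hashes identically to the sample; PIDs 1488 and 1632 also dump the same image range 0x400000-0x41016C), the tree is: the sample spawns a byte-identical copy of itself from the lpt9 folder, then hands a throwaway batch file in %TEMP% to cmd.exe to remove the original. The batch file's contents are not in the report. The Python below is an added example, not sandbox output, that rebuilds the tree from these rows; the command lines and hashes it embeds are copied from the Processes and Files sections of behavioral1.

```python
"""Rebuild the behavioral1 process tree from the WriteProcessMemory rows (editor-added example)."""
import re
from collections import defaultdict

WRITE_ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")
# cmd[.exe] /c <anything>\Temp\<name>.cmd|.bat : the self-delete stub pattern seen in both detonations
CMD_SCRIPT = re.compile(r"^\S*cmd(?:\.exe)? /c (?P<script>\S+\\Temp\\[^\\\s]+\.(?:cmd|bat))$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed input copied from the report: the eight WriteProcessMemory rows above, the command lines
# from the Processes section, and the SHA256s from the Files section (explorer.exe hashes as the sample).
WRITE_ROWS = [f"PID 1488 wrote to memory of 1632 N/A {SAMPLE} {DROPPED}"] * 4 + \
             [f"PID 1488 wrote to memory of 908 N/A {SAMPLE} {CMD}"] * 4
CMDLINES = {SAMPLE: f'"{SAMPLE}"', DROPPED: DROPPED,
            CMD: r"cmd /c C:\Users\Admin\AppData\Local\Temp\53FB11B8.cmd"}
SHA256 = {SAMPLE: "7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f",
          DROPPED: "7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f"}


def build_tree(rows):
    """Return ({parent_pid: {child_pid: write_count}}, {pid: image_path})."""
    tree, image = defaultdict(lambda: defaultdict(int)), {}
    for row in rows:
        m = WRITE_ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        tree[src][dst] += 1
        image[src], image[dst] = m["src_img"], m["dst_img"]
    return {p: dict(c) for p, c in tree.items()}, image


def assess(tree, image, cmdlines, sha256):
    """Findings as (kind, parent_pid, child_pid, note)."""
    findings = []
    for parent, children in tree.items():
        for child, n in children.items():
            pimg, cimg = image[parent], image[child]
            # The sandbox logs a small, uniform batch of writes whenever a parent creates a child (process
            # creation writes the new process's parameters into its address space), so a low count like
            # this is not evidence of injection on its own. Heavy or uneven writing deserves a closer look.
            kind = "creation-like, low uniform write count" if n <= 4 else "heavy cross-process writing"
            findings.append(("write", parent, child, f"{n} writes into {cimg}: {kind}"))
            if pimg != cimg and sha256.get(pimg) and sha256.get(pimg) == sha256.get(cimg):
                findings.append(("self_copy", parent, child,
                                 f"{cimg} has the parent's SHA256: a byte-identical copy under a new name and path"))
            m = CMD_SCRIPT.match(cmdlines.get(cimg, ""))
            if m:
                findings.append(("self_delete", parent, child,
                                 f"cmd.exe runs {m['script']} from %TEMP%; the report attributes 'Deletes itself' to "
                                 "this cmd.exe but does not print the script, so recover it by hash if the commands matter"))
    return findings


if __name__ == "__main__":
    t, img = build_tree(WRITE_ROWS)
    for finding in assess(t, img, CMDLINES, SHA256):
        print(*finding)
```

For this report the output is four findings: a creation-like write batch into each child, a self-copy note for 1632, and a self-delete note for 908 naming 53FB11B8.cmd. The CMD_SCRIPT pattern also matches the behavioral2 form, C:\Windows\system32\cmd.exe /c ...\Temp\F85A6F0F.cmd, since only the random script name differs between runs.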

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe

"C:\Users\Admin\AppData\Local\Temp\7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f.exe"

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\53FB11B8.cmd

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 104.85.1.163:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | someexampledomain.com | udp

Files

memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

memory/1488-57-0x0000000000400000-0x000000000041016C-memory.dmp

\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

MD5 8f77d92060389f5733905710714556ce
SHA1 f817bbd59241f5dd732259784c2fabff78d1dfde
SHA256 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f
SHA512 313e5b16ac7d556a74d19b2610f5e811694c1a660a460604afe5272f416fb1f7f2d04cea173dc9f2ce392e42101225fa0850f03ceaf46616d52347c96097468a

memory/1632-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lpt9.{2227A280-3AEA-1069-A2DE-08002B30309D}\explorer.exe

MD5 8f77d92060389f5733905710714556ce
SHA1 f817bbd59241f5dd732259784c2fabff78d1dfde
SHA256 7a1833f7b91269b9f0eb48f9bba3db9cc444f749d82255322e1f8e221612895f
SHA512 313e5b16ac7d556a74d19b2610f5e811694c1a660a460604afe5272f416fb1f7f2d04cea173dc9f2ce392e42101225fa0850f03ceaf46616d52347c96097468a

memory/908-66-0x0000000000000000-mapping.dmp

memory/1488-67-0x0000000000400000-0x000000000041016C-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53FB11B8.cmd

MD5 1483a8bc0828df6a136512ba68c16b23
SHA1 d479cfde522d061003a3584bb31f22d308af3056
SHA256 58197dafb7fe28a8200e2db57a63c557aa8a6828ed4378610baa32509f40d687
SHA512 078b0a4d92f19078f1394019622ce6e06b8b68096d398f91bf7345ea1a00bef36c71d70cb58d6b0cf94b413cb30b351d79f3db3eee1478656584fc108c2da6ec

memory/1632-69-0x0000000000400000-0x000000000041016C-memory.dmp

memory/1632-70-0x0000000000400000-0x000000000041016C-memory.dmp