Malware Analysis Report

2024-07-11 07:31

Sample ID 221229-2zqr4shf6x
Target tune.bin
SHA256 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
Tags
diamondfox botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5

Threat Level: Known bad

The file tune.bin was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-12-29 23:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-29 23:01

Reported

2022-12-29 23:03

Platform

win7-20220812-en

Max time kernel

51s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tune.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit\wininit.exe | N/A

Note: wininit.exe is the name of a core Windows binary that lives in C:\Windows\System32. This copy runs from the user's %APPDATA% directory (see Processes, where it is launched with the argument "0"), so the name is a masquerade, not the system process.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Note: the deletion is done by cmd.exe running the dropped batch file C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd (see Processes and Files). The "ping -n 4 127.0.0.1" child is the usual batch-file sleep, giving the original executable time to exit before the script removes it.

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Note: every hit here is on AUDIODG.EXE (the Windows audio device graph isolation process), not on tune.exe or the dropped wininit.exe. It adjusts these privileges on its own startup, so this signature is sandbox background activity rather than sample behaviour.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit\wininit.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tune.exe

"C:\Users\Admin\AppData\Local\Temp\tune.exe"

C:\Users\Admin\AppData\Roaming\wininit\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit\wininit.exe" 0

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd" 0"

C:\Windows\SysWOW64\PING.EXE

ping -n 4 127.0.0.1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x488
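The process list above shows two patterns worth turning into detection logic: a cmd.exe stub that runs a batch file from %TEMP% with a loopback ping as a sleep (the "Deletes itself" signature), and a copy of the sample executed under a Windows system binary name from a user profile path. The script below is an added example, not part of the sandbox output. The process data is constructed from this report; PIDs 1996 and 1740 are taken from the memory-dump names, while the other PIDs and every parent link are assumptions made for the example.

```python
"""Detection logic for the process chain in this report: a cmd.exe stub that runs
a batch file from %TEMP% with a loopback ping as a sleep, plus a copy of the
sample executed under a Windows system binary name from a user profile path."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes section of this report. PIDs 1996 and 1740 are
# taken from the memory-dump names; the other PIDs and every parent link are
# assumptions for the example, not data from the report.
PROCESSES = [
    Proc(1996, 1000, r"C:\Users\Admin\AppData\Local\Temp\tune.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\tune.exe"'),
    Proc(1740, 1996, r"C:\Users\Admin\AppData\Roaming\wininit\wininit.exe",
         r'"C:\Users\Admin\AppData\Roaming\wininit\wininit.exe" 0'),
    Proc(1492, 1996, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd" 0"'),
    Proc(820, 1492, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 4 127.0.0.1"),
    Proc(1100, 600, r"C:\Windows\system32\AUDIODG.EXE",
         r"C:\Windows\system32\AUDIODG.EXE 0x488"),
]

# Names of core Windows binaries that have no business running from a profile dir.
SYSTEM_IMAGE_NAMES = {"wininit.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                      "services.exe", "smss.exe", "svchost.exe"}
# A .cmd/.bat under \Temp\ or \AppData\ on a cmd.exe command line.
SCRIPT_RE = re.compile(r'[A-Za-z]:\\[^"\s]*\\(?:Temp|AppData)\\[^"\s]*\.(?:cmd|bat)', re.I)
# "ping -n <count> 127.0.0.1" (or localhost / ::1): the classic batch-file sleep.
LOOPBACK_PING_RE = re.compile(
    r'\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def children(procs, pid):
    return [p for p in procs if p.ppid == pid]


def find_self_delete_chains(procs):
    """cmd.exe running a dropped script whose child is a loopback ping.

    Returns one finding per chain with the script path and the approximate
    delay in seconds (ping -n N sends N echoes roughly one second apart)."""
    findings = []
    for p in procs:
        if basename(p.image) != "cmd.exe":
            continue
        script = SCRIPT_RE.search(p.cmdline)
        if not script:
            continue
        for c in children(procs, p.pid):
            m = LOOPBACK_PING_RE.search(c.cmdline)
            if m:
                count = int(m.group(1) or 1)
                findings.append({"cmd_pid": p.pid, "ping_pid": c.pid,
                                 "script": script.group(0),
                                 "delay_seconds": max(count - 1, 0)})
    return findings


def find_masquerading(procs):
    """PIDs whose image name is a core Windows binary but whose path is under \\AppData\\."""
    return [p.pid for p in procs
            if basename(p.image) in SYSTEM_IMAGE_NAMES and "\\appdata\\" in p.image.lower()]


if __name__ == "__main__":
    for f in find_self_delete_chains(PROCESSES):
        print("self-delete stub:", f)
    print("masquerading PIDs:", find_masquerading(PROCESSES))
```

Run against the constructed list it reports one self-delete chain (cmd.exe 1492 with ping 820, about a 3 second delay) and one masquerading process (1740). Both checks key on the parent/child relationship rather than on the command line alone, so a stray "ping 127.0.0.1" typed by a user does not fire.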

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.microsoft.com | udp
N/A | 104.85.1.163:80 | www.microsoft.com | tcp
N/A | 45.136.111.47:80 | | tcp
N/A | 45.136.111.47:80 | | tcp

Note: the DNS query to 8.8.8.8 and the HTTP connection to www.microsoft.com are a connectivity check. The two connections to 45.136.111.47:80 have no associated domain (direct-to-IP HTTP) and are the only traffic attributable to the sample.

Files

memory/1996-54-0x00000000008B8000-0x00000000008C2000-memory.dmp

memory/1996-57-0x0000000075281000-0x0000000075283000-memory.dmp

\Users\Admin\AppData\Roaming\wininit\wininit.exe

MD5 c003231a632fa9d74620c52d22ffb140
SHA1 ec2c2f3f38a3bf00b67ba53413c3be94f50a7408
SHA256 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
SHA512 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

(Same SHA256 as the submitted tune.bin: the dropped wininit.exe is a byte-for-byte copy of the sample, not a second-stage payload.)

memory/1740-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\wininit\wininit.exe

MD5 c003231a632fa9d74620c52d22ffb140
SHA1 ec2c2f3f38a3bf00b67ba53413c3be94f50a7408
SHA256 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
SHA512 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

C:\Users\Admin\AppData\Roaming\wininit\wininit.exe

MD5 c003231a632fa9d74620c52d22ffb140
SHA1 ec2c2f3f38a3bf00b67ba53413c3be94f50a7408
SHA256 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
SHA512 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb

memory/1492-62-0x0000000000000000-mapping.dmp

memory/1996-64-0x0000000000020000-0x000000000002A000-memory.dmp

memory/1996-63-0x00000000008B8000-0x00000000008C2000-memory.dmp

memory/1996-65-0x0000000000400000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd

MD5 126d0b01f5b4d121ef8383dae924dcd2
SHA1 964d6ff4588494561b3b90a390f62c4e065e2806
SHA256 700332cbee3e55cb091574bf8c0dfcfbf9aeb1cdea044ba97b74c4ced131f0fb
SHA512 a6878a08ea360601a0b8bff3f5ee97b746f044210a37860975b78e7580fac5817def3c353a21c5ddf2f5bceae4d67b6fd58758b6242f0233291205fdfd7e63c1

memory/820-67-0x0000000000000000-mapping.dmp

memory/1740-70-0x00000000002C9000-0x00000000002D2000-memory.dmp

memory/1740-71-0x0000000000400000-0x00000000007AC000-memory.dmp

memory/1740-73-0x00000000002C9000-0x00000000002D2000-memory.dmp

memory/1740-74-0x0000000000400000-0x00000000007AC000-memory.dmp
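The Network and Files sections above carry the indicators a responder would actually block or hunt for, but mixed with sandbox background traffic and with the same file listed under two path spellings. The script below is an added example, not part of the sandbox output: it folds the duplicate paths, matches each dropped file's hash against the submitted sample to separate self-copies from genuinely new artefacts, and filters the network rows down to candidate C2. The network and file rows are constructed from this report; treating 8.8.8.8 as the sandbox resolver and www.microsoft.com as its connectivity check is an assumption made for the example.

```python
"""Turn the Network and Files sections of this report into an IOC list:
separate sandbox background traffic from candidate C2, and match dropped
files against the submitted sample's hash to spot self-copies."""
import ipaddress
from collections import defaultdict

# Hash copied from the report header.
SAMPLE_SHA256 = "2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5"

# Constructed from the Network table above: (destination, domain, proto).
NETWORK = [
    ("8.8.8.8:53", "www.microsoft.com", "udp"),
    ("104.85.1.163:80", "www.microsoft.com", "tcp"),
    ("45.136.111.47:80", "", "tcp"),
    ("45.136.111.47:80", "", "tcp"),
]

# Constructed from the Files section: (path, sha256). Memory dumps omitted.
FILES = [
    (r"\Users\Admin\AppData\Roaming\wininit\wininit.exe", SAMPLE_SHA256),
    (r"\Users\Admin\AppData\Roaming\wininit\wininit.exe", SAMPLE_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\wininit\wininit.exe", SAMPLE_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd",
     "700332cbee3e55cb091574bf8c0dfcfbf9aeb1cdea044ba97b74c4ced131f0fb"),
]

# Assumption for the example: the sandbox's own resolver and the connectivity
# check it performs against www.microsoft.com are background noise.
NOISE_RESOLVERS = {"8.8.8.8"}
NOISE_DOMAINS = {"www.microsoft.com"}


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_public_ip(host):
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname rather than an address
        return False


def classify_network(rows):
    """Return (noise, candidates). A candidate is any destination not on the
    noise lists; direct_to_ip marks connections with no domain at all."""
    noise, candidates, seen = [], [], set()
    for dest, domain, proto in rows:
        host, port = split_dest(dest)
        key = (host, port, proto)
        if key in seen:  # the report repeats one row per connection
            continue
        seen.add(key)
        if (port == 53 and host in NOISE_RESOLVERS) or domain in NOISE_DOMAINS:
            noise.append(key)
            continue
        candidates.append({"host": host, "port": port, "proto": proto,
                           "direct_to_ip": not domain and is_public_ip(host)})
    return noise, candidates


def normalize_path(path):
    """The report lists one file as '\\Users\\...' and 'C:\\Users\\...'; fold them."""
    return ("C:" + path if path.startswith("\\") else path).lower()


def dropped_files(files, sample_sha256):
    """Group dropped files by hash and flag those byte-identical to the sample."""
    by_hash = defaultdict(set)
    for path, sha in files:
        by_hash[sha].add(normalize_path(path))
    return [{"sha256": sha, "paths": sorted(paths), "copy_of_sample": sha == sample_sha256}
            for sha, paths in by_hash.items()]


def build_iocs(network=NETWORK, files=FILES, sample_sha256=SAMPLE_SHA256):
    """Flat IOC list: candidate C2 addresses, new file hashes, and drop paths.
    A self-copy contributes only its path, since its hash is already the sample's."""
    _, candidates = classify_network(network)
    iocs = [{"type": "ipv4-addr", "value": c["host"], "port": c["port"]} for c in candidates]
    for entry in dropped_files(files, sample_sha256):
        if not entry["copy_of_sample"]:
            iocs.append({"type": "sha256", "value": entry["sha256"]})
        for p in entry["paths"]:
            iocs.append({"type": "file-path", "value": p})
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs():
        print(ioc)
```

For this report the result is four indicators: the direct-to-IP HTTP destination 45.136.111.47:80, the hash of the dropped batch file, and the two drop paths. The self-copy in %APPDATA%\wininit\ is reported by path only; its hash is the sample's own and is already covered by the header.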