Malware Analysis Report

2024-07-11 07:31

Sample ID 230129-yd39jacf6z
Target 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
Tags
diamondfox botnet infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a

Threat Level: Known bad

The file 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-29 19:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe

"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1336

Network

Country  Destination           Domain                                                            Proto
N/A      95.101.78.106:80                                                                        tcp
N/A      185.193.88.150:80                                                                       tcp
N/A      93.184.220.29:80                                                                        tcp
N/A      20.44.10.122:443                                                                        tcp
N/A      104.110.191.133:80                                                                      tcp
N/A      104.110.191.133:80                                                                      tcp
N/A      104.110.191.133:80                                                                      tcp
N/A      8.8.8.8:53            176.122.125.40.in-addr.arpa                                       udp
N/A      8.8.8.8:53            9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa  udp
N/A      104.80.225.205:443                                                                      tcp

Files

memory/4808-132-0x0000000000BA7000-0x0000000000BC5000-memory.dmp

memory/4808-133-0x0000000000950000-0x0000000000983000-memory.dmp

memory/4808-134-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1428-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

memory/1428-138-0x0000000000906000-0x0000000000924000-memory.dmp

memory/1428-139-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4808-140-0x0000000000BA7000-0x0000000000BC5000-memory.dmp

memory/1428-141-0x0000000000906000-0x0000000000924000-memory.dmp

memory/1428-142-0x0000000000906000-0x0000000000924000-memory.dmp

memory/1428-143-0x0000000000400000-0x000000000083B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win7-20220901-en

Max time kernel

91s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe

"C:\Users\Admin\AppData\Local\Temp\99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a.exe"

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

Network

Country  Destination         Domain  Proto
N/A      185.193.88.150:80           tcp
N/A      185.193.88.150:80           tcp

Files

memory/1496-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

memory/1496-56-0x0000000000840000-0x0000000000873000-memory.dmp

memory/1496-55-0x00000000002AA000-0x00000000002C8000-memory.dmp

memory/1496-57-0x0000000000400000-0x000000000083B000-memory.dmp

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

memory/276-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

memory/1496-62-0x00000000002AA000-0x00000000002C8000-memory.dmp

memory/276-64-0x00000000009EA000-0x0000000000A08000-memory.dmp

memory/276-65-0x0000000000400000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 16ee0affd90564a4bc174144b100af1b
SHA1 218c7b919ce938ab78afa6979895250f1f1cdea8
SHA256 99dc3fa5b1eb7771475721fbfb981615126ccb11e51bd0f8375735f1eedf9d7a
SHA512 856970fa108ed79d21d786416c7177c9d4d9ea3a87f8863a18406d32e7cceca7b1cd73013467e995d3f634bd46688a096393160205750ad2345a998225d533a3

memory/276-68-0x00000000009EA000-0x0000000000A08000-memory.dmp

memory/276-69-0x0000000000400000-0x000000000083B000-memory.dmp