Malware Analysis Report

2024-07-11 07:30

Sample ID 230129-yd3m1abb96
Target c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
Tags
diamondfox botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769

Threat Level: Known bad

The file c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769 was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-29 19:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win7-20220901-en

Max time kernel

87s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe

"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

Network

Country Destination Domain Proto
N/A 185.193.88.150:80 tcp
N/A 185.193.88.150:80 tcp

Files

memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

memory/1300-55-0x000000000094A000-0x0000000000968000-memory.dmp

memory/1300-56-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1300-57-0x0000000000400000-0x000000000083B000-memory.dmp

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

memory/980-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

memory/1300-62-0x000000000094A000-0x0000000000968000-memory.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

memory/980-64-0x000000000094A000-0x0000000000968000-memory.dmp

memory/980-65-0x0000000000400000-0x000000000083B000-memory.dmp

memory/980-66-0x000000000094A000-0x0000000000968000-memory.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

memory/980-69-0x000000000094A000-0x0000000000968000-memory.dmp

memory/980-70-0x0000000000400000-0x000000000083B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe

"C:\Users\Admin\AppData\Local\Temp\c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769.exe"

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4636 -ip 4636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1352

Network

Country Destination Domain Proto
N/A 185.193.88.150:80 tcp
N/A 52.168.117.170:443 tcp
N/A 8.252.51.254:80 tcp
N/A 8.253.183.120:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
N/A 209.197.3.8:80 tcp
N/A 13.107.21.200:443 tcp

Files

memory/4636-132-0x0000000000AC7000-0x0000000000AE5000-memory.dmp

memory/4636-133-0x0000000000CB0000-0x0000000000CE3000-memory.dmp

memory/4636-134-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4408-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

MD5 f792fde5cbdc10687e9858778866e89d
SHA1 9e3ec7dbc7b14607fbd9308f66307a36a41024db
SHA256 c481825776c06d28a2e1797c6b48d86b84132274f5c91f5a7f27f959a28d6769
SHA512 bde3691e128e79067ae8fbe554b3181895947a24b5f016fd989ad6e8d3eaa6ae083e8c19e78bd70776c6411b80406b20f64a2ac3125783fb3be4f86b727e4475

memory/4408-138-0x0000000000936000-0x0000000000954000-memory.dmp

memory/4408-139-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4636-140-0x0000000000AC7000-0x0000000000AE5000-memory.dmp

memory/4408-141-0x0000000000936000-0x0000000000954000-memory.dmp

memory/4408-142-0x0000000000936000-0x0000000000954000-memory.dmp

memory/4408-143-0x0000000000400000-0x000000000083B000-memory.dmp