Malware Analysis Report

2024-07-11 07:31

Sample ID 230129-yd4v3acf61
Target 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
Tags
diamondfox botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474

Threat Level: Known bad

The file 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474 was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Loads dropped DLL

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-29 19:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win7-20220812-en

Max time kernel

85s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
(4 matches; none of the four fields was recorded for any of them)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe
(PID 580, taken from the memory-dump names below)

"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"

    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    (PID 996; the dropped copy, launched by the sample per the "Executes dropped EXE" signature)

    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

Network

Country Destination Domain Proto
N/A 176.111.174.247:80 (none) tcp
N/A 176.111.174.247:80 (none) tcp

Both connections go to the bare IP 176.111.174.247 on port 80; no DNS resolution is recorded. This is also the only destination shared with the Windows 10 detonation (behavioral2).

Files

\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
(five file events on this path, also written as C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe; all carry the same hashes)

MD5 f496c839f762140fc275be29a1307efe
SHA1 b60b56caef87f24d07db7313d2e90011b662cb68
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA512 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068

The SHA256 is identical to the submitted sample's, so MicrosoftEdgeCPS.exe is a byte-for-byte copy of the original executable, written to %APPDATA%\EdgeCP under an Edge-like name and then launched (the "Executes dropped EXE" signature above). The file hash catches the copy only because it is unmodified; the drop path and file name are the more durable indicators of this staging step.

Memory dumps, PID 580 (the original sample), in capture order:

memory/580-54-0x0000000002BA8000-0x0000000002BC6000-memory.dmp
memory/580-55-0x0000000075931000-0x0000000075933000-memory.dmp
memory/580-56-0x0000000002BA8000-0x0000000002BC6000-memory.dmp
memory/580-57-0x00000000002C0000-0x00000000002F3000-memory.dmp
memory/580-58-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/580-63-0x0000000002BA8000-0x0000000002BC6000-memory.dmp

Memory dumps, PID 996 (started after the drop; the relaunched copy), in capture order:

memory/996-61-0x0000000000000000-mapping.dmp
memory/996-64-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-66-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-67-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/996-68-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-71-0x0000000002C18000-0x0000000002C36000-memory.dmp
memory/996-72-0x0000000000400000-0x0000000002AF4000-memory.dmp

Both processes dump the same 0x400000-0x2AF4000 image region, as expected for two instances of one binary.

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 19:41

Reported

2023-01-29 19:43

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
(5 matches; none of the four fields was recorded for any of them)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe
(PID 4344, taken from the WerFault -p arguments and the memory-dump names below)

"C:\Users\Admin\AppData\Local\Temp\0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"

    C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    (PID 632; the dropped copy, launched by the sample)

    "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"

Both processes crashed on Windows 10 (the "Program crash" signature; no crash is recorded in the Windows 7 run). Windows Error Reporting started two WerFault.exe instances per crash, -pss followed by -u, each naming the crashed PID with -p. WerFault runs from SysWOW64, so the crashing processes are 32-bit.

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1336
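The process list above is worth turning into two small checks an analyst would run over endpoint telemetry: recover which PIDs crashed from the WerFault command lines, and flag the dropped copy for impersonating a vendor binary (Microsoft/Edge-style name, but living under the user's AppData and spawned from Temp). The following is an added example, not code from the original report or the sandbox vendor. Image paths and command lines are transcribed from the Processes list; PIDs 4344 and 632 come from the WerFault -p arguments and the memory-dump names; the parent PIDs outside the tree (1000, 900) and the WerFault instance PIDs (7001-7004) are not in the report and are placeholders, as are the heuristic word and path lists.

```python
"""Process-tree reconstruction and masquerade check for the behavioral2 run.

Added example; not part of the original report. PIDs 1000, 900 and 7001-7004
are placeholders, as are TRUSTED_ROOTS and VENDOR_WORDS.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = "0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
COPY_PATH = r"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed process-creation events: (pid, ppid, image path, command line).
EVENTS = [
    (4344, 1000, SAMPLE_PATH, '"%s"' % SAMPLE_PATH),
    (632, 4344, COPY_PATH, '"%s"' % COPY_PATH),
    (7001, 900, WERFAULT, WERFAULT + " -pss -s 444 -p 4344 -ip 4344"),
    (7002, 900, WERFAULT, WERFAULT + " -u -p 4344 -s 620"),
    (7003, 900, WERFAULT, WERFAULT + " -pss -s 496 -p 632 -ip 632"),
    (7004, 900, WERFAULT, WERFAULT + " -u -p 632 -s 1336"),
]

# Matches '-p <pid>' only; the lookbehind keeps it from matching '-pss' or '-ip'.
CRASHED_PID = re.compile(r"(?<!\S)-p\s+(\d+)")


def werfault_crashed_pid(cmdline):
    """PID a WerFault.exe command line was launched for, or None."""
    m = CRASHED_PID.search(cmdline)
    return int(m.group(1)) if m else None


def crashed_pids(events):
    """Set of PIDs that Windows Error Reporting handled a crash for."""
    out = set()
    for _pid, _ppid, image, cmdline in events:
        if PureWindowsPath(image).name.lower() == "werfault.exe":
            pid = werfault_crashed_pid(cmdline)
            if pid is not None:
                out.add(pid)
    return out


def build_tree(events):
    """ppid -> [child pids], in event order."""
    children = {}
    for pid, ppid, _image, _cmd in events:
        children.setdefault(ppid, []).append(pid)
    return children


# Placeholder heuristics: vendor-looking names are expected under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_WORDS = ("microsoft", "edge", "windows", "chrome", "google")


def masquerade_reasons(image, parent_image=None):
    """Reasons an image looks like it impersonates a vendor binary ([] = none)."""
    low = str(PureWindowsPath(image)).lower()
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if any(w in name for w in VENDOR_WORDS) and not low.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-like file name outside Windows/Program Files")
    if "\\appdata\\" in low and name.endswith(".exe"):
        reasons.append("executable running from the user's AppData")
    if parent_image and "\\temp\\" in str(PureWindowsPath(parent_image)).lower():
        reasons.append("parent runs from a Temp directory")
    return reasons


def flagged(events):
    """pid -> reasons, for every event the heuristics fire on."""
    by_pid = {e[0]: e for e in events}
    out = {}
    for pid, ppid, image, _cmd in events:
        parent_image = by_pid[ppid][2] if ppid in by_pid else None
        reasons = masquerade_reasons(image, parent_image)
        if reasons:
            out[pid] = reasons
    return out


if __name__ == "__main__":
    crashed = crashed_pids(EVENTS)
    for pid, reasons in flagged(EVENTS).items():
        state = "crashed" if pid in crashed else "running"
        print(pid, state, "; ".join(reasons))
```

On this data the dropped copy (PID 632) trips all three heuristics and the sample (PID 4344) only the AppData one, while a real msedge.exe under Program Files trips none; both flagged PIDs are also the two that WerFault was invoked for.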

Network

Country Destination Domain Proto
N/A 176.111.174.247:80 (none) tcp
N/A 93.184.221.240:80 (none) tcp (4 connections)
N/A 20.42.73.25:443 (none) tcp
N/A 204.79.197.200:443 (none) tcp

Only 176.111.174.247:80 appears in both detonations. The three destinations seen only on Windows 10 are not attributed by the report and should be checked against the normal OS and CDN background traffic of the win10v2004 image before being used as indicators.
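Comparing the two Network tables is the quickest way to separate the sample's own traffic from platform noise: a destination contacted from both the Windows 7 and the Windows 10 image is far more likely to belong to the malware than one seen on a single platform. The script below is an added example, not part of the original report. The two connection lists are transcribed from the behavioral1 and behavioral2 tables above; the known_background parameter stands in for an analyst-maintained allowlist of sandbox/OS noise and is an assumption (empty unless supplied).

```python
"""Cross-platform triage of the destinations recorded for this sample.

Added example; not part of the original report. Connection lists are
transcribed from the behavioral1/behavioral2 Network tables; known_background
is a placeholder for an analyst-maintained allowlist.
"""
from collections import Counter

# (destination "ip:port", protocol), one entry per recorded connection.
BEHAVIORAL1 = [("176.111.174.247:80", "tcp")] * 2          # win7-20220812-en
BEHAVIORAL2 = [                                             # win10v2004-20220901-en
    ("176.111.174.247:80", "tcp"),
    ("93.184.221.240:80", "tcp"),
    ("20.42.73.25:443", "tcp"),
    ("93.184.221.240:80", "tcp"),
    ("93.184.221.240:80", "tcp"),
    ("93.184.221.240:80", "tcp"),
    ("204.79.197.200:443", "tcp"),
]


def host_of(dest):
    """'ip:port' -> 'ip' (the report only lists IPv4 destinations)."""
    return dest.rsplit(":", 1)[0]


def triage(runs, known_background=frozenset()):
    """Classify every destination seen across several detonations.

    runs: {run_name: [(dest, proto), ...]}
    Returns {"dest proto": {"runs": [...], "connections": n, "verdict": str}}.
    A destination contacted in every run is the strongest C2 candidate; one
    seen on a single platform stays unattributed until it is checked against
    that image's normal background traffic.
    """
    counts = {name: Counter(conns) for name, conns in runs.items()}
    keys = set().union(*counts.values())
    out = {}
    for dest, proto in sorted(keys):
        seen_in = sorted(n for n, c in counts.items() if (dest, proto) in c)
        total = sum(c[(dest, proto)] for c in counts.values())
        if host_of(dest) in known_background:
            verdict = "background"
        elif len(seen_in) == len(runs):
            verdict = "candidate C2"
        else:
            verdict = "unattributed"
        out[f"{dest} {proto}"] = {
            "runs": seen_in,
            "connections": total,
            "verdict": verdict,
        }
    return out


def c2_candidates(report):
    """Bare IPs worth blocking or hunting on, deduplicated and sorted."""
    return sorted({host_of(k.split()[0])
                   for k, v in report.items() if v["verdict"] == "candidate C2"})


if __name__ == "__main__":
    report = triage({"behavioral1": BEHAVIORAL1, "behavioral2": BEHAVIORAL2})
    for key, rec in report.items():
        print(f"{key:24} {rec['connections']:2}x {rec['verdict']:13} {','.join(rec['runs'])}")
    print("candidates:", c2_candidates(report))
```

Run as-is, the only "candidate C2" is 176.111.174.247; the three Windows 10-only destinations come out "unattributed" and would move to "background" once confirmed as image noise and added to the allowlist.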

Files

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
(two file events, same hashes; as in behavioral1 the SHA256 is identical to the submitted sample's, i.e. the drop is a self-copy)

MD5 f496c839f762140fc275be29a1307efe
SHA1 b60b56caef87f24d07db7313d2e90011b662cb68
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA512 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068

Memory dumps, PID 4344 (the original sample; crashed, see WerFault above), in capture order:

memory/4344-132-0x0000000002DA3000-0x0000000002DC1000-memory.dmp
memory/4344-133-0x00000000001C0000-0x00000000001F3000-memory.dmp
memory/4344-134-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/4344-141-0x0000000002DA3000-0x0000000002DC1000-memory.dmp

Memory dumps, PID 632 (the dropped copy; also crashed), in capture order:

memory/632-135-0x0000000000000000-mapping.dmp
memory/632-138-0x0000000002B82000-0x0000000002BA0000-memory.dmp
memory/632-139-0x0000000002B00000-0x0000000002B33000-memory.dmp
memory/632-140-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/632-142-0x0000000002B82000-0x0000000002BA0000-memory.dmp
memory/632-143-0x0000000000400000-0x0000000002AF4000-memory.dmp
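The Files sections of both detonations interleave repeated hash records for the dropped executable with memory-dump names of the form memory/<pid>-<seq>-<start>-<end>-memory.dmp (or -mapping.dmp with a single address). The parser below, an added example that is not part of the original report, deduplicates the hash records across the two path spellings, flags any dropped file whose SHA256 equals the submitted sample (the self-copy seen in both behavioral1 and behavioral2), and sizes the dumped regions so that the common 0x400000-0x2AF4000 image region of all four PIDs stands out. FILES_TEXT is an excerpt transcribed from the two Files sections above, with repeats omitted; the function names and the output layout are this example's own.

```python
"""Parse sandbox 'Files' entries: dedupe dropped-file hash records, detect
self-copies of the submitted sample, and size the dumped memory regions.

Added example; not part of the original report. FILES_TEXT is an excerpt
transcribed from the behavioral1 and behavioral2 Files sections.
"""
import re

SAMPLE_SHA256 = "0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474"

FILES_TEXT = r"""
memory/580-57-0x00000000002C0000-0x00000000002F3000-memory.dmp
memory/580-58-0x0000000000400000-0x0000000002AF4000-memory.dmp
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5 f496c839f762140fc275be29a1307efe
SHA1 b60b56caef87f24d07db7313d2e90011b662cb68
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA512 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068
memory/996-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5 f496c839f762140fc275be29a1307efe
SHA1 b60b56caef87f24d07db7313d2e90011b662cb68
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA512 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068
memory/996-67-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/4344-134-0x0000000000400000-0x0000000002AF4000-memory.dmp
memory/632-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5 f496c839f762140fc275be29a1307efe
SHA1 b60b56caef87f24d07db7313d2e90011b662cb68
SHA256 0aff63230dac9ca248ddcb00bb998cc318c93b9101365558c003c21a7fd5c474
SHA512 0a2c6052bbaf5b4bfbd310f73ab4d967956f3bb4cd37503a9ac58e2a181b6255864710565fd4be65f2302eaca5f5789e8993da8bd4687dc906485890e1e7e068
memory/632-140-0x0000000000400000-0x0000000002AF4000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def normalize_path(path):
    """The report writes the same file as '\\Users\\...' and 'C:\\Users\\...'."""
    p = path.strip().lower()
    return p[2:] if p.startswith("c:") else p


def parse_files(text):
    """Return (dropped, dumps).

    dropped: normalized path -> {"hashes": {alg: hex}, "events": count}
    dumps:   [{"pid", "seq", "start", "end", "kind"}] in report order
    """
    dropped, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append({
                "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": int(m["start"], 16),
                "end": int(m["end"], 16) if m["end"] else None,
                "kind": m["kind"],
            })
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Any other line is a file path that opens a new hash record.
        current = dropped.setdefault(normalize_path(line), {"hashes": {}, "events": 0})
        current["events"] += 1
    return dropped, dumps


def self_copies(dropped, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample's."""
    return sorted(p for p, rec in dropped.items()
                  if rec["hashes"].get("SHA256") == sample_sha256.lower())


def region_size(dump):
    """Bytes covered by a memory dump; None for single-address mapping dumps."""
    return None if dump["end"] is None else dump["end"] - dump["start"]


def image_regions(dumps):
    """pid -> (start, end) of the dump beginning at the common 0x400000 image base."""
    return {d["pid"]: (d["start"], d["end"])
            for d in dumps if d["kind"] == "memory" and d["start"] == 0x400000}
```

For this report the parser collapses three spellings/events of the drop into one record, reports it as a self-copy, and shows that PIDs 580, 996, 4344 and 632 all dumped the same 0x400000-0x2AF4000 region (0x26F4000 bytes, about 39 MiB), which is what two instances of the same 32-bit binary on two platforms should look like.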