Malware Analysis Report

2024-07-11 07:32

Sample ID: 230829-chmlpacd6v
Target: d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.zip
SHA256: 7065e6eec89b53663d4d4544faf89b95d45090d484c83a3615edee72c4b252ea
Tags: diamondfox, botnet, infostealer, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7065e6eec89b53663d4d4544faf89b95d45090d484c83a3615edee72c4b252ea

Threat Level: Known bad

The file d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.zip was found to be: Known bad.

Observed behaviour (same chain in both detonations): the executable writes a copy of itself to C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe (the dropped file's SHA256, d4eda8c3...647afc, is the file name of the detonated executable, so the copy is byte-identical and the AnyDesk name is a masquerade), starts that copy with the argument 0, and starts cmd.exe on a .cmd script in %TEMP% whose only visible child is ping -n 4 127.0.0.1, a delay loop; on the Windows 7 run that cmd.exe is flagged with "Deletes itself". Network activity is DNS for www.microsoft.com and pecunia110011.at followed by TCP/80 connections to both. The 100.x.x.x destination addresses in the Network tables fall in 100.64.0.0/10 (RFC 6598 shared address space), so they are sandbox-assigned rather than the domains' real hosts; the domain, not those addresses, is the network indicator.

Malicious Activity Summary

Tags: diamondfox, botnet, infostealer, stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-08-29 02:04

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-29 02:04
Reported: 2023-08-29 02:07
Platform: win10v2004-20230703-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe

"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"

C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

"C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd" 0"

C:\Windows\SysWOW64\PING.EXE

ping -n 4 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 184.110.73.100.in-addr.arpa udp
US 8.8.8.8:53 43.85.93.100.in-addr.arpa udp
US 8.8.8.8:53 20.95.95.100.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.70.169.48:80 www.microsoft.com tcp
US 8.8.8.8:53 pecunia110011.at udp
N/A 100.119.167.179:80 pecunia110011.at tcp
US 8.8.8.8:53 48.169.70.100.in-addr.arpa udp
US 8.8.8.8:53 179.167.119.100.in-addr.arpa udp
US 8.8.8.8:53 207.94.120.100.in-addr.arpa udp
US 8.8.8.8:53 195.174.87.100.in-addr.arpa udp
US 8.8.8.8:53 55.253.67.100.in-addr.arpa udp

Files

memory/552-0-0x0000000000400000-0x000000000041F010-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

MD5 5eb3277e4b057015e82ecf8b7d4d201d
SHA1 25abcee80291edf1092d146bd233854ba7e205b7
SHA256 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

memory/552-17-0x0000000000400000-0x000000000041F010-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd

MD5 fedbb09e49ac354abe2d95d8bdab7038
SHA1 e0fc3b669913b554f738b8d245d3163a324e0011
SHA256 9e0ea4be485888c06070082ede563bc87e40f52082c7b65491cd8d41eb1fc2bb
SHA512 7e2ddf81fde5273359a4814b3de5f5b872a8e0d88f631fac3dd918c112a84706ddf79d6e691ff06bcf942b68953fbe16e05389e07a8ef0a3c8bb7be0947bde5e

memory/232-19-0x0000000000400000-0x000000000041F010-memory.dmp

memory/232-22-0x0000000000400000-0x000000000041F010-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-29 02:04
Reported: 2023-08-29 02:07
Platform: win7-20230824-en
Max time kernel: 122s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer

Deletes itself

Process: C:\Windows\SysWOW64\cmd.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE

Suspicious use of WriteProcessMemory

Source (PID) -> Target (PID), four write events for each pair:
1136 C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe -> 1964 C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
1136 C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe -> 2212 C:\Windows\SysWOW64\cmd.exe
2212 C:\Windows\SysWOW64\cmd.exe -> 2764 C:\Windows\SysWOW64\PING.EXE

Every pair is a parent writing into a child it has just created (compare the Processes list), which is what process creation looks like to this monitor; nothing in this table shows injection into a pre-existing process.

Processes

(PIDs and parent/child relations taken from the WriteProcessMemory table)

C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe  (PID 1136)
  "C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"

  C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe  (PID 1964, child of 1136)
    "C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0

  C:\Windows\SysWOW64\cmd.exe  (PID 2212, child of 1136)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd" 0"

    C:\Windows\SysWOW64\PING.EXE  (PID 2764, child of 2212)
      ping -n 4 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.84.127.69:80 www.microsoft.com tcp
US 8.8.8.8:53 pecunia110011.at udp
N/A 100.127.103.118:80 pecunia110011.at tcp
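Both Network tables need triage before anything goes into a blocklist. Every TCP destination (100.70.169.48, 100.119.167.179, 100.84.127.69, 100.127.103.118) and every address behind the in-addr.arpa PTR queries falls in 100.64.0.0/10, the RFC 6598 shared address space, so these are addresses handed out inside the sandbox rather than the domains' real hosts, and the PTR queries are the sandbox resolving its own addresses back to names. What survives is the domain pecunia110011.at, contacted on TCP/80 straight after resolution, next to a www.microsoft.com request that reads as a connectivity check. The script below, an added example and not part of the report, parses the win10 table verbatim and applies that triage; the allowlisting of www.microsoft.com and the label names are assumptions made for the example.

```python
"""Triage of the sandbox Network tables: separate sandbox artefacts from IOCs.

Added example, not part of the report. NETWORK_TABLE is the win10 (behavioral2)
table copied verbatim; ALLOWLIST and the label names are assumptions.
"""
import ipaddress

# RFC 6598 shared address space. Every TCP destination and every PTR target
# in the report falls in it, which marks them as sandbox-assigned addresses.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Assumption: a bare www.microsoft.com fetch is a connectivity check, not C2.
ALLOWLIST = {"www.microsoft.com"}

NETWORK_TABLE = """\
US 8.8.8.8:53 184.110.73.100.in-addr.arpa udp
US 8.8.8.8:53 43.85.93.100.in-addr.arpa udp
US 8.8.8.8:53 20.95.95.100.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.70.169.48:80 www.microsoft.com tcp
US 8.8.8.8:53 pecunia110011.at udp
N/A 100.119.167.179:80 pecunia110011.at tcp
US 8.8.8.8:53 48.169.70.100.in-addr.arpa udp
US 8.8.8.8:53 179.167.119.100.in-addr.arpa udp
US 8.8.8.8:53 207.94.120.100.in-addr.arpa udp
US 8.8.8.8:53 195.174.87.100.in-addr.arpa udp
US 8.8.8.8:53 55.253.67.100.in-addr.arpa udp
"""


def parse_rows(text):
    """Rows are 'Country Destination Domain Proto'; Destination is ip:port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'179.167.119.100.in-addr.arpa' -> '100.119.167.179'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(row):
    ptr_ip = ptr_to_ip(row["domain"])
    if ptr_ip is not None:
        # The sandbox resolving its own assigned addresses back to names.
        return "ptr_noise" if ipaddress.ip_address(ptr_ip) in CGNAT else "ptr_lookup"
    if row["domain"] in ALLOWLIST:
        return "allowlisted"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns_query"           # the domain is the IOC, the resolver is not
    if ipaddress.ip_address(row["ip"]) in CGNAT:
        return "fakenet_connection"  # the domain is real, the IP is not
    return "direct_connection"       # IP and domain both worth recording


def extract_iocs(rows):
    """Return domains and IPs fit for a blocklist plus per-label row counts."""
    domains, ips, counts = set(), set(), {}
    for r in rows:
        label = classify(r)
        counts[label] = counts.get(label, 0) + 1
        if label in ("dns_query", "fakenet_connection", "direct_connection"):
            domains.add(r["domain"])
        if label == "direct_connection":
            ips.add(r["ip"])
    return {"domains": domains, "ips": ips, "counts": counts}


if __name__ == "__main__":
    result = extract_iocs(parse_rows(NETWORK_TABLE))
    print("domain IOCs:", sorted(result["domains"]))
    print("IP IOCs:", sorted(result["ips"]))
    print("rows by label:", result["counts"])
```

Run against the win10 table this yields one domain indicator, pecunia110011.at, no IP indicators, and eight PTR rows discarded as sandbox noise; the win7 table reduces to the same domain. A row to a public address would come back as direct_connection and contribute both the domain and the IP.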

Files

memory/1136-0-0x0000000000400000-0x000000000041F010-memory.dmp

\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

MD5 5eb3277e4b057015e82ecf8b7d4d201d
SHA1 25abcee80291edf1092d146bd233854ba7e205b7
SHA256 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

MD5 5eb3277e4b057015e82ecf8b7d4d201d
SHA1 25abcee80291edf1092d146bd233854ba7e205b7
SHA256 d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd

MD5 f07ec6af99fa82ea3353804ce368209d
SHA1 04287a3c2cb8542c6d7ddf49289b7db2e9df3215
SHA256 e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97
SHA512 26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0

memory/1136-12-0x0000000001E40000-0x0000000001E60000-memory.dmp

memory/1136-24-0x0000000000400000-0x000000000041F010-memory.dmp

C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd

MD5 f07ec6af99fa82ea3353804ce368209d
SHA1 04287a3c2cb8542c6d7ddf49289b7db2e9df3215
SHA256 e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97
SHA512 26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0

memory/1964-26-0x0000000000400000-0x000000000041F010-memory.dmp

memory/1964-30-0x0000000000400000-0x000000000041F010-memory.dmp
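The chain is the same in both runs: the sample writes a copy of itself to C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe (the copy's SHA256 is the sample's own file name), starts that copy with the argument 0, and starts cmd.exe on a script in %TEMP% whose only visible child is ping -n 4 127.0.0.1, a sleep that lets the parent exit before the script acts on it (the win7 run flags that cmd.exe with "Deletes itself"; the script body itself is not shown in the report). The following Python, an added example and not the sandbox's or DiamondFox's code, encodes those two observables as rules over process-creation records. The EVENTS list is constructed from the win7 Processes, WriteProcessMemory and Files sections; the record fields and the rule names are assumptions made for the example.

```python
"""Rules for the self-copy and delayed-self-delete chain seen in both runs.

Added example; not part of the report and not DiamondFox code. EVENTS is
constructed from the win7 (behavioral1) Processes, WriteProcessMemory and
Files sections. The record layout (pid, ppid, image, cmdline, sha256) and
the rule names are assumptions made for this example.
"""
import re
from collections import defaultdict

# SHA256 of the dropped AnyDesk.exe. It is also the file name of the detonated
# sample, so the "dropped" file is a copy of the sample itself.
SAMPLE_SHA256 = "d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256
COPY_EXE = r"C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe"

EVENTS = [
    {"pid": 1136, "ppid": 0, "image": SAMPLE_EXE,
     "cmdline": '"%s"' % SAMPLE_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 1964, "ppid": 1136, "image": COPY_EXE,
     "cmdline": '"%s" 0' % COPY_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 2212, "ppid": 1136, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd" 0"',
     "sha256": None},
    {"pid": 2764, "ppid": 2212, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 4 127.0.0.1", "sha256": None},
]

APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
# cmd.exe /c "<script under %TEMP%>", allowing the doubled quotes cmd uses;
# matches the win7 form above and the win10 form
# (C:\Windows\system32\cmd.exe /c ""...\9BCA9DC9E985.cmd" 0").
TEMP_SCRIPT_RE = re.compile(
    r'/c\s+"+([^"]*\\AppData\\Local\\Temp\\[^"]+\.(?:cmd|bat))"', re.I)
LOOPBACK_PING_RE = re.compile(r"^ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)


def _index(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_self_copies(events):
    """A child under AppData whose hash equals its parent's image hash but whose
    file name differs: the parent wrote itself to disk under another name."""
    by_pid, _ = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not e["sha256"] or not parent["sha256"]:
            continue
        if (APPDATA_RE.search(e["image"]) and e["sha256"] == parent["sha256"]
                and _basename(e["image"]) != _basename(parent["image"])):
            hits.append(("self_copy_masquerade", parent["pid"], e["pid"], e["image"]))
    return hits


def find_delayed_delete_stagers(events):
    """cmd.exe running a script from %TEMP% whose child is 'ping -n N 127.0.0.1':
    the ping is a sleep so the parent can exit before the script acts on it."""
    _, children = _index(events)
    hits = []
    for e in events:
        if _basename(e["image"]) != "cmd.exe":
            continue
        m = TEMP_SCRIPT_RE.search(e["cmdline"])
        if not m:
            continue
        for child in children.get(e["pid"], []):
            p = LOOPBACK_PING_RE.match(child["cmdline"])
            if p:
                hits.append(("delayed_self_delete_stager", e["ppid"], e["pid"],
                             m.group(1), int(p.group(1))))
    return hits


def analyze(events):
    return {"self_copy_masquerade": find_self_copies(events),
            "delayed_self_delete_stager": find_delayed_delete_stagers(events)}


if __name__ == "__main__":
    for rule, hits in analyze(EVENTS).items():
        for hit in hits:
            print(rule, hit[1:])
```

The hash comparison is what separates a self-copy from a genuine AnyDesk install under Roaming: a real installer's child would not share the parent's SHA256. The stager rule keys only on the observable chain (cmd.exe, a script in %TEMP%, a loopback ping child), so it fires on either run's command line form without needing the script contents the report does not show.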