Analysis Overview
SHA256
7065e6eec89b53663d4d4544faf89b95d45090d484c83a3615edee72c4b252ea
Threat Level: Known bad
The file d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.zip was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2023-08-29 02:04
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2023-08-29 02:04
Reported: 2023-08-29 02:07
Platform: win10v2004-20230703-en
Max time kernel: 146s
Max time network: 151s
Signatures
DiamondFox
DiamondFox payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
"C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd" 0"
C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.0.0.1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 184.110.73.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.85.93.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.95.95.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 100.70.169.48:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | pecunia110011.at | udp |
| N/A | 100.119.167.179:80 | pecunia110011.at | tcp |
| US | 8.8.8.8:53 | 48.169.70.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.167.119.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.94.120.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.174.87.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.253.67.100.in-addr.arpa | udp |
Files
memory/552-0-0x0000000000400000-0x000000000041F010-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
| MD5 | 5eb3277e4b057015e82ecf8b7d4d201d |
| SHA1 | 25abcee80291edf1092d146bd233854ba7e205b7 |
| SHA256 | d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc |
| SHA512 | 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18 |
memory/552-17-0x0000000000400000-0x000000000041F010-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9BCA9DC9E985.cmd
| MD5 | fedbb09e49ac354abe2d95d8bdab7038 |
| SHA1 | e0fc3b669913b554f738b8d245d3163a324e0011 |
| SHA256 | 9e0ea4be485888c06070082ede563bc87e40f52082c7b65491cd8d41eb1fc2bb |
| SHA512 | 7e2ddf81fde5273359a4814b3de5f5b872a8e0d88f631fac3dd918c112a84706ddf79d6e691ff06bcf942b68953fbe16e05389e07a8ef0a3c8bb7be0947bde5e |
memory/232-19-0x0000000000400000-0x000000000041F010-memory.dmp
memory/232-22-0x0000000000400000-0x000000000041F010-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2023-08-29 02:04
Reported: 2023-08-29 02:07
Platform: win7-20230824-en
Max time kernel: 122s
Max time network: 126s
Signatures
DiamondFox
DiamondFox payload
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
"C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd" 0"
C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.0.0.1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 100.84.127.69:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | pecunia110011.at | udp |
| N/A | 100.127.103.118:80 | pecunia110011.at | tcp |
Files
memory/1136-0-0x0000000000400000-0x000000000041F010-memory.dmp
\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
| MD5 | 5eb3277e4b057015e82ecf8b7d4d201d |
| SHA1 | 25abcee80291edf1092d146bd233854ba7e205b7 |
| SHA256 | d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc |
| SHA512 | 2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18 |
C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd
| MD5 | f07ec6af99fa82ea3353804ce368209d |
| SHA1 | 04287a3c2cb8542c6d7ddf49289b7db2e9df3215 |
| SHA256 | e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97 |
| SHA512 | 26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0 |
memory/1136-12-0x0000000001E40000-0x0000000001E60000-memory.dmp
memory/1136-24-0x0000000000400000-0x000000000041F010-memory.dmp
memory/1964-26-0x0000000000400000-0x000000000041F010-memory.dmp
memory/1964-30-0x0000000000400000-0x000000000041F010-memory.dmp