Analysis

  • max time kernel
    70s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    18-07-2024 11:29

General

  • Target

    loader.exe

  • Size

    76KB

  • MD5

    326c9824559847fb07129398ba61d8f6

  • SHA1

    4fd07eca43b61b77767256d55aab05c413713866

  • SHA256

    d465d2029b83316e613de8adbe16ea69fb561eecabb268781e038c216a2cb421

  • SHA512

    eb69406130c2028258475af1f992f79151e1b797918bf71d73ff8fb2b9562bdc5114033177e4c31f5a1f52f8a613e7aaa5d7bee233a2e28146fe702c29192aac

  • SSDEEP

    768:v7XINhXznVJ8CC1rBXdo0zekXUd3CdPJxB7mNmDZkUKMKZQbFTiKKAZTch:ShT8C+fuioHq1KEFoAS

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a modular, multipurpose botnet whose plugins add information-stealing and other capabilities; this sample matched its stealer signature.

  • DiamondFox stealer 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2528
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Windows security bypass
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat
      2⤵
      • Deletes itself
      PID:2348
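The process tree above shows the loader copying itself to AppData\Roaming under the name svchost.exe, that copy changing Winlogon and security policy settings, and a Melt.bat run from %TEMP% removing the original. The script below is an added example (not the sandbox's or the sample's code) that turns those behaviours into host-side checks and runs them over constructed events that mirror the report's tree. The PIDs and image paths come from the report; the registry keys, value names (Winlogon Shell/Userinit, EnableLUA and related policy values) and the benign System32 control event are assumptions about how such signatures are typically triggered, not facts from the page.

```python
"""Host-side triage checks for the behaviours this report attributes to
loader.exe. Added example, not the sandbox's or the sample's code. The
events in sample_events() are CONSTRUCTED to mirror the report's process
tree; the registry value names are assumptions about how the Winlogon,
UAC-bypass and security-policy signatures are usually fired.
"""
import re
from dataclasses import dataclass

# Only these directories host a legitimate svchost.exe on Windows 7 x64.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Assumed stock values for a Windows 7 install; anything else is a finding.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}
# Policy values whose data "0" removes a UAC prompt or security check.
UAC_VALUES = ("enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop")


@dataclass
class Event:
    kind: str                 # "process" or "registry"
    pid: int
    image: str                # image path of the acting process
    cmdline: str = ""         # process events only
    key: str = ""             # registry events only
    value: str = ""
    data: str = ""


def _norm(path):
    return path.lower().replace("/", "\\")


def check_process(ev):
    """Findings for one process-creation event."""
    out = []
    image = _norm(ev.image)
    name = image.rsplit("\\", 1)[-1]
    # svchost.exe anywhere but System32/SysWOW64 is a name masquerade.
    if name == "svchost.exe" and not any(
            image.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS):
        out.append(("masquerade", f"pid {ev.pid}: svchost.exe run from {ev.image}"))
    # cmd /c <something>\Temp\<name>.bat is the classic "melt" self-deletion
    # launch; the report records Melt.bat doing exactly this.
    if name == "cmd.exe" and re.search(r"/c\s+\S*\\temp\\[^\s\\]+\.bat",
                                       ev.cmdline, re.I):
        out.append(("melt", f"pid {ev.pid}: {ev.cmdline}"))
    return out


def check_registry(ev):
    """Findings for one registry value-set event."""
    out = []
    key, value, data = _norm(ev.key), ev.value.lower(), ev.data.lower()
    if key == WINLOGON_KEY and value in WINLOGON_DEFAULTS \
            and data != WINLOGON_DEFAULTS[value]:
        out.append(("winlogon_persistence",
                    f"pid {ev.pid}: Winlogon\\{ev.value} -> {ev.data}"))
    if key == POLICY_KEY and value in UAC_VALUES and data == "0":
        out.append(("uac_weakened", f"pid {ev.pid}: {ev.value} set to 0"))
    return out


def triage(events):
    """Run every check over the events and return {tag: [messages]}."""
    findings = {}
    for ev in events:
        hits = check_process(ev) if ev.kind == "process" else check_registry(ev)
        for tag, msg in hits:
            findings.setdefault(tag, []).append(msg)
    return findings


def sample_events():
    """CONSTRUCTED events: the report's process tree (its PIDs and paths)
    plus assumed registry writes for the signatures it lists."""
    roaming = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
    loader = r"C:\Users\Admin\AppData\Local\Temp\loader.exe"
    return [
        Event("process", 2528, loader, cmdline=f'"{loader}"'),
        Event("process", 2052, roaming, cmdline=roaming),
        Event("process", 2348, r"C:\Windows\SysWOW64\cmd.exe",
              cmdline=r"cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat"),
        Event("registry", 2052, roaming, key=WINLOGON_KEY, value="Shell",
              data="explorer.exe," + roaming),          # assumed value name
        Event("registry", 2528, loader, key=POLICY_KEY, value="EnableLUA",
              data="0"),                                 # assumed value name
        # Benign control: a service host from System32 must not fire.
        Event("process", 800, r"C:\Windows\System32\svchost.exe",
              cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ]


if __name__ == "__main__":
    for tag, msgs in sorted(triage(sample_events()).items()):
        print(tag)
        for m in msgs:
            print("  " + m)
```

On a live host the same checks would be fed from Sysmon event IDs 1 (process creation) and 13 (registry value set); the Winlogon comparison is against assumed defaults, so adjust WINLOGON_DEFAULTS for images where Userinit or Shell are legitimately customised.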

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Melt.bat

    Filesize

    121B

    MD5

    7abbe3deca090cdde3bb70d1a3911514

    SHA1

    3b8e9805acd2d0237c1d3ffdc38e6179d8ec117c

    SHA256

    ad29ddad88528d39b0625d294c7de712f6a1dec8f413bbcacc7e4260ee37b11a

    SHA512

    4d0bc3da270af878c1c5168900c45911551bc84b236d6d435ebcfcfc236786e2ed43a95a70cbf2a3b5fdea4ac1951a0991a1f7f7d7348e8f7074ffecfd96c55a

  • \Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    76KB

    MD5

    326c9824559847fb07129398ba61d8f6

    SHA1

    4fd07eca43b61b77767256d55aab05c413713866

    SHA256

    d465d2029b83316e613de8adbe16ea69fb561eecabb268781e038c216a2cb421

    SHA512

    eb69406130c2028258475af1f992f79151e1b797918bf71d73ff8fb2b9562bdc5114033177e4c31f5a1f52f8a613e7aaa5d7bee233a2e28146fe702c29192aac

    Size and every hash match the submitted loader.exe: the Roaming svchost.exe is a self-copy of the sample placed for persistence, not a separately downloaded payload. Block the SHA256 once and both paths are covered.