Analysis
-
max time kernel
54s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 11:29
Behavioral task
behavioral1
Sample
loader.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
loader.exe
Resource
win10v2004-20240709-en
General
-
Target
loader.exe
-
Size
76KB
-
MD5
326c9824559847fb07129398ba61d8f6
-
SHA1
4fd07eca43b61b77767256d55aab05c413713866
-
SHA256
d465d2029b83316e613de8adbe16ea69fb561eecabb268781e038c216a2cb421
-
SHA512
eb69406130c2028258475af1f992f79151e1b797918bf71d73ff8fb2b9562bdc5114033177e4c31f5a1f52f8a613e7aaa5d7bee233a2e28146fe702c29192aac
-
SSDEEP
768:v7XINhXznVJ8CC1rBXdo0zekXUd3CdPJxB7mNmDZkUKMKZQbFTiKKAZTch:ShT8C+fuioHq1KEFoAS
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox stealer 1 IoCs
resource yara_rule behavioral2/files/0x0009000000023436-5.dat diamondfox_stealer -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\Userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" loader.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" loader.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts svchost.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2336 svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" loader.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" loader.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 34 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 32 loader.exe 2336 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 32 wrote to memory of 2336 32 loader.exe 84 PID 32 wrote to memory of 2336 32 loader.exe 84 PID 32 wrote to memory of 2336 32 loader.exe 84 PID 32 wrote to memory of 4624 32 loader.exe 86 PID 32 wrote to memory of 4624 32 loader.exe 86 PID 32 wrote to memory of 4624 32 loader.exe 86 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System loader.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" loader.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:32 -
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Windows security bypass
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Melt.bat2⤵PID:4624
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121B
MD57abbe3deca090cdde3bb70d1a3911514
SHA13b8e9805acd2d0237c1d3ffdc38e6179d8ec117c
SHA256ad29ddad88528d39b0625d294c7de712f6a1dec8f413bbcacc7e4260ee37b11a
SHA5124d0bc3da270af878c1c5168900c45911551bc84b236d6d435ebcfcfc236786e2ed43a95a70cbf2a3b5fdea4ac1951a0991a1f7f7d7348e8f7074ffecfd96c55a
-
Filesize
76KB
MD5326c9824559847fb07129398ba61d8f6
SHA14fd07eca43b61b77767256d55aab05c413713866
SHA256d465d2029b83316e613de8adbe16ea69fb561eecabb268781e038c216a2cb421
SHA512eb69406130c2028258475af1f992f79151e1b797918bf71d73ff8fb2b9562bdc5114033177e4c31f5a1f52f8a613e7aaa5d7bee233a2e28146fe702c29192aac