Analysis
-
max time kernel
150s -
max time network
106s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03/03/2021, 16:40
General
-
Target
7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe
-
Size
154KB
-
MD5
97f7bbf2f5861692617d661758bcf35b
-
SHA1
d59a0e3d77e22523a2fb657f756adebc32452ee0
-
SHA256
7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660
-
SHA512
eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767
Score
10/10
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe"C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
104KB
-
Filesize
96KB