Overview

overview

10

Static

static

7b2944122a...60.exe

windows7_x64

10

7b2944122a...60.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-03-2021 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe

  • Size

    154KB

  • MD5

    97f7bbf2f5861692617d661758bcf35b

  • SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

  • SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

  • SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe
    "C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
        "C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    MD5

    97f7bbf2f5861692617d661758bcf35b

    SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

    SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

    SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    73dcafa56c27022390c33867599c2eba

    SHA1

    4874f3adb6e75220696f1ce7ee8cbd8cd794ef0f

    SHA256

    f637eabef3d4e69674b6fe9b645ecd338743d4d06db462db0729d1401791f7c3

    SHA512

    a7a8733f61b6c3a7fb437f7094cb5aa0479c0d0d961f907fd31707e755841987730fafdcea7cdbbd7c8397ce755453c94d627469701491121f1e94a908899a83

    Download Submit
  • \Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    MD5

    97f7bbf2f5861692617d661758bcf35b

    SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

    SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

    SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

    Download Submit
  • \Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    MD5

    97f7bbf2f5861692617d661758bcf35b

    SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

    SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

    SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

    Download Submit
  • memory/924-47-0x0000000073850000-0x0000000073F3E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/924-48-0x0000000000590000-0x0000000000591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/924-49-0x0000000004890000-0x0000000004891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/924-50-0x0000000004850000-0x0000000004851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/924-44-0x0000000000000000-mapping.dmp
    Download
  • memory/924-51-0x0000000004852000-0x0000000004853000-memory.dmp
    Filesize

    4KB

    Download
  • memory/924-52-0x0000000002670000-0x0000000002671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/952-38-0x0000000004D60000-0x0000000004D71000-memory.dmp
    Filesize

    68KB

    Download
  • memory/952-36-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-11-0x00000000048B0000-0x00000000048B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-13-0x0000000004872000-0x0000000004873000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-31-0x0000000006200000-0x0000000006201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-32-0x00000000064D0000-0x00000000064D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-33-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-23-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-18-0x0000000005620000-0x0000000005621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-15-0x0000000004750000-0x0000000004751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-14-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-24-0x0000000006120000-0x0000000006121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-12-0x0000000004870000-0x0000000004871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-10-0x00000000009C0000-0x00000000009C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-9-0x00000000745C0000-0x0000000074CAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1512-8-0x0000000076341000-0x0000000076343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1632-2-0x0000000004C30000-0x0000000004C41000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1632-6-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1632-5-0x0000000000220000-0x0000000000238000-memory.dmp
    Filesize

    96KB

    Download