Overview

overview

10

Static

static

7b2944122a...60.exe

windows7_x64

10

7b2944122a...60.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe

  • Size

    154KB

  • MD5

    97f7bbf2f5861692617d661758bcf35b

  • SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

  • SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

  • SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

Score
10/10
diamondfoxbotnetstealer

Malware Config

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe
    "C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
        "C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    e71a0a7e48b10bde0a9c54387762f33e

    SHA1

    fed75947f1163b00096e24a46e67d9c21e7eeebd

    SHA256

    83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

    SHA512

    394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    c2d06c11dd1f1a8b1dedc1a311ca8cdc

    SHA1

    75c07243f9cb80a9c7aed2865f9c5192cc920e7e

    SHA256

    91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

    SHA512

    db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c40e32d92f32e900e5ccf1a18b3e8778

    SHA1

    8a522b6b4fc85ec56c6f71da766080ed5f4fc1dd

    SHA256

    562da78eac2b3a1405ead479ac35a3197a27c733a61dbf2bc8528b06fd5f7a06

    SHA512

    9d0ec9de60a10865b6ef151bd8dfd5ccfd8e3fd17d5746513e23bd357b2d2885fd5fcdf8420b287e472cc7ea6c6cf44f1bef19aad665e86716f72c67aad5172f

    Download Submit
  • C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    MD5

    97f7bbf2f5861692617d661758bcf35b

    SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

    SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

    SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

    Download Submit
  • C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    MD5

    97f7bbf2f5861692617d661758bcf35b

    SHA1

    d59a0e3d77e22523a2fb657f756adebc32452ee0

    SHA256

    7b2944122a7d202bf76e409529d9e05d2caf327372715b2361fbc6ec7c2ac660

    SHA512

    eb8a846c2c16c3f405bf554ae715e915df680af0fd2901f427679a1cc5910ce5d2cb8e72c66ad2a6720093fde5c6156833aaa02655e5fd25a3e1b002251c7767

    Download Submit
  • memory/1336-13-0x0000000007270000-0x0000000007271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-24-0x000000000A580000-0x000000000A581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-11-0x0000000007010000-0x0000000007011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-12-0x0000000007012000-0x0000000007013000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1336-14-0x0000000007410000-0x0000000007411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-15-0x0000000007480000-0x0000000007481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-16-0x0000000007D80000-0x0000000007D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-17-0x0000000008110000-0x0000000008111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-18-0x0000000008510000-0x0000000008511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-19-0x0000000008460000-0x0000000008461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-20-0x0000000009450000-0x0000000009451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-21-0x00000000090D0000-0x00000000090D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-22-0x0000000009150000-0x0000000009151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-23-0x0000000009A00000-0x0000000009A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-10-0x0000000007650000-0x0000000007651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-28-0x0000000007013000-0x0000000007014000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-9-0x00000000048F0000-0x00000000048F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1336-8-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2428-25-0x0000000000000000-mapping.dmp
    Download
  • memory/2428-29-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2576-34-0x0000000000000000-mapping.dmp
    Download
  • memory/2576-36-0x0000000073A20000-0x000000007410E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2576-42-0x00000000080A0000-0x00000000080A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2576-43-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2576-44-0x0000000004C72000-0x0000000004C73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2576-47-0x00000000085B0000-0x00000000085B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2576-52-0x0000000004C73000-0x0000000004C74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3108-2-0x0000000005180000-0x0000000005181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3108-6-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3108-5-0x0000000004FB0000-0x0000000004FC8000-memory.dmp
    Filesize

    96KB

    Download