diamondfox | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

General

Target

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
Size

90KB
MD5

387fd80a5602adc3dd4b2d0197a289de
SHA1

b903356e121f997a49759b306533a7ee8880b13b
SHA256

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512

3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Score

10^/10

diamondfox botnet stealer

Malware Config

Extracted

Family

diamondfox

C2

http://dong7707.at/spt/gate.php

Mutex

YxgnVQE8PlVLcflLlW4ai9xmX2DERyF4

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/files/0x000500000001a50e-24.dat	diamondfox
behavioral1/files/0x000500000001a50e-23.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
3392	spoolsv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
644	powershell.exe
644	powershell.exe
644	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
3392	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	79
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	79
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	79
PID 644 wrote to memory of 3392	644	powershell.exe	81
PID 644 wrote to memory of 3392	644	powershell.exe	81
PID 644 wrote to memory of 3392	644	powershell.exe	81
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	82
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	82
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	82

C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    "C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
      4⤵
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-20-0x0000000009FC0000-0x0000000009FC1000-memory.dmp

Filesize
4KB

Download
memory/644-18-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/644-11-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/644-12-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/644-13-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/644-14-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/644-15-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/644-16-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/644-17-0x0000000009A00000-0x0000000009A01000-memory.dmp

Filesize
4KB

Download
memory/644-10-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/644-19-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/644-21-0x000000000AB40000-0x000000000AB41000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/644-9-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/644-8-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/644-27-0x0000000007403000-0x0000000007404000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3192-30-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/3192-36-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/3192-37-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3192-38-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/3192-41-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/3192-46-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing