diamondfox | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

General

Target

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
Size

90KB
MD5

387fd80a5602adc3dd4b2d0197a289de
SHA1

b903356e121f997a49759b306533a7ee8880b13b
SHA256

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512

3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Score

10^/10

diamondfox botnet stealer

Malware Config

Extracted

Family

diamondfox

C2

http://dong7707.at/spt/gate.php

Mutex

YxgnVQE8PlVLcflLlW4ai9xmX2DERyF4

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe	diamondfox
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe	diamondfox

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

3392 spoolsv.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

644 powershell.exe
644 powershell.exe
644 powershell.exe
3192 powershell.exe
3192 powershell.exe
3192 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 644 powershell.exe
Token: SeDebugPrivilege 3192 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exespoolsv.exe

pid process

1108 a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
3392 spoolsv.exe

pid	process
3392	spoolsv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	powershell.exe

pid	process
644	powershell.exe
644	powershell.exe
644	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe

description	pid	process
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe

pid	process
1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
3392	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exepowershell.exespoolsv.exe

description	pid	process	target process
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	powershell.exe
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	powershell.exe
PID 1108 wrote to memory of 644	1108	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe	powershell.exe
PID 644 wrote to memory of 3392	644	powershell.exe	spoolsv.exe
PID 644 wrote to memory of 3392	644	powershell.exe	spoolsv.exe
PID 644 wrote to memory of 3392	644	powershell.exe	spoolsv.exe
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	powershell.exe
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	powershell.exe
PID 3392 wrote to memory of 3192	3392	spoolsv.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
02ecf4883dd0051044291e1b8aa2140f

SHA1
63724493243e1b1fd9e25a9d24eb6098b0cd390b

SHA256
ad17e99a97b700a8c288205069b62ae2f492ea41d79f038aef9413d46314362e

SHA512
b668afc3552acfb983a0448b7a267c7a5df372806272119e9f2ca6870045da993bf5f91d78ace2bf48c85824021044a77bbecfc8fe0e634eaba3cd2eba195bdd

Download Submit
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
MD5
387fd80a5602adc3dd4b2d0197a289de

SHA1
b903356e121f997a49759b306533a7ee8880b13b

SHA256
a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

SHA512
3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Download Submit
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
MD5
387fd80a5602adc3dd4b2d0197a289de

SHA1
b903356e121f997a49759b306533a7ee8880b13b

SHA256
a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

SHA512
3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Download Submit
memory/644-20-0x0000000009FC0000-0x0000000009FC1000-memory.dmp

Filesize
4KB

Download
memory/644-18-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/644-11-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/644-12-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/644-13-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/644-14-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/644-15-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/644-16-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/644-17-0x0000000009A00000-0x0000000009A01000-memory.dmp

Filesize
4KB

Download
memory/644-10-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/644-19-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/644-4-0x0000000000000000-mapping.dmp

Download
memory/644-21-0x000000000AB40000-0x000000000AB41000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/644-9-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/644-8-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/644-27-0x0000000007403000-0x0000000007404000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3192-30-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/3192-36-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/3192-37-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3192-38-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/3192-28-0x0000000000000000-mapping.dmp

Download
memory/3192-41-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/3192-46-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/3392-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing