Analysis Overview
SHA256
a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
Threat Level: Known bad
The file a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Diamondfox family
DiamondFox payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-04 15:00
Signatures
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Diamondfox family
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-04 15:00
Reported
2021-03-04 15:03
Platform
win7v20201028
Max time kernel
133s
Max time network
132s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 95.100.186.52:80 | www.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dong7707.at | udp |
| N/A | 217.8.117.51:80 | dong7707.at | tcp |
Files
memory/2032-4-0x0000000000000000-mapping.dmp
memory/2032-5-0x00000000761E1000-0x00000000761E3000-memory.dmp
memory/2032-6-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/2032-7-0x0000000001F10000-0x0000000001F11000-memory.dmp
memory/2032-8-0x0000000004900000-0x0000000004901000-memory.dmp
memory/2032-9-0x00000000025C0000-0x00000000025C1000-memory.dmp
memory/2032-11-0x00000000048C2000-0x00000000048C3000-memory.dmp
memory/2032-10-0x00000000048C0000-0x00000000048C1000-memory.dmp
memory/2032-12-0x0000000005240000-0x0000000005241000-memory.dmp
memory/2032-15-0x0000000005700000-0x0000000005701000-memory.dmp
memory/2032-20-0x0000000005740000-0x0000000005741000-memory.dmp
memory/2032-21-0x0000000006130000-0x0000000006131000-memory.dmp
memory/2032-28-0x0000000006280000-0x0000000006281000-memory.dmp
memory/2032-29-0x00000000062D0000-0x00000000062D1000-memory.dmp
memory/2032-30-0x000000007EF30000-0x000000007EF31000-memory.dmp
\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
| MD5 | 387fd80a5602adc3dd4b2d0197a289de |
| SHA1 | b903356e121f997a49759b306533a7ee8880b13b |
| SHA256 | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc |
| SHA512 | 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e |
memory/672-33-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
| MD5 | 387fd80a5602adc3dd4b2d0197a289de |
| SHA1 | b903356e121f997a49759b306533a7ee8880b13b |
| SHA256 | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc |
| SHA512 | 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e |
\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
| MD5 | 387fd80a5602adc3dd4b2d0197a289de |
| SHA1 | b903356e121f997a49759b306533a7ee8880b13b |
| SHA256 | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc |
| SHA512 | 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e |
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-04 15:00
Reported
2021-03-04 15:03
Platform
win10v20201028
Max time kernel
150s
Max time network
110s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 95.100.186.52:80 | www.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dong7707.at | udp |
| N/A | 217.8.117.51:80 | dong7707.at | tcp |
Files
memory/2844-4-0x0000000000000000-mapping.dmp
memory/2844-5-0x0000000073A70000-0x000000007415E000-memory.dmp
memory/2844-6-0x00000000070D0000-0x00000000070D1000-memory.dmp
memory/2844-7-0x0000000007740000-0x0000000007741000-memory.dmp
memory/2844-9-0x00000000070C2000-0x00000000070C3000-memory.dmp
memory/2844-8-0x00000000070C0000-0x00000000070C1000-memory.dmp
memory/2844-10-0x0000000007DF0000-0x0000000007DF1000-memory.dmp
memory/2844-11-0x0000000007E90000-0x0000000007E91000-memory.dmp
memory/2844-12-0x0000000008070000-0x0000000008071000-memory.dmp
memory/2844-13-0x00000000080E0000-0x00000000080E1000-memory.dmp
memory/2844-14-0x0000000007400000-0x0000000007401000-memory.dmp
memory/2844-15-0x0000000008AC0000-0x0000000008AC1000-memory.dmp
memory/2844-16-0x00000000088B0000-0x00000000088B1000-memory.dmp
memory/2844-17-0x0000000009870000-0x0000000009871000-memory.dmp
memory/2844-18-0x0000000009550000-0x0000000009551000-memory.dmp
memory/2844-19-0x00000000097D0000-0x00000000097D1000-memory.dmp
memory/2844-20-0x0000000009E60000-0x0000000009E61000-memory.dmp
memory/2844-21-0x000000000A9E0000-0x000000000A9E1000-memory.dmp
memory/3116-22-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
| MD5 | 387fd80a5602adc3dd4b2d0197a289de |
| SHA1 | b903356e121f997a49759b306533a7ee8880b13b |
| SHA256 | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc |
| SHA512 | 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e |
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
| MD5 | 387fd80a5602adc3dd4b2d0197a289de |
| SHA1 | b903356e121f997a49759b306533a7ee8880b13b |
| SHA256 | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc |
| SHA512 | 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e |
memory/2844-27-0x00000000070C3000-0x00000000070C4000-memory.dmp
memory/1776-28-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | e71a0a7e48b10bde0a9c54387762f33e |
| SHA1 | fed75947f1163b00096e24a46e67d9c21e7eeebd |
| SHA256 | 83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de |
| SHA512 | 394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a |
memory/1776-30-0x0000000073C20000-0x000000007430E000-memory.dmp