Malware Analysis Report

2024-07-11 07:32

Sample ID 210304-4rkckgcr1n
Target a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin
SHA256 a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
Tags
diamondfox botnet stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

Threat Level: Known bad

The file a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet stealer

DiamondFox

DiamondFox payload

Diamondfox family

DiamondFox payload

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-03-04 15:00

Signatures

DiamondFox payload

Description Indicator Process Target
N/A N/A N/A N/A

Diamondfox family

diamondfox

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-04 15:00

Reported

2021-03-04 15:03

Platform

win7v20201028

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe

"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'

C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 95.100.186.52:80 www.microsoft.com tcp
N/A 8.8.8.8:53 dong7707.at udp
N/A 217.8.117.51:80 dong7707.at tcp

Files

memory/2032-4-0x0000000000000000-mapping.dmp

memory/2032-5-0x00000000761E1000-0x00000000761E3000-memory.dmp

memory/2032-6-0x00000000747E0000-0x0000000074ECE000-memory.dmp

memory/2032-7-0x0000000001F10000-0x0000000001F11000-memory.dmp

memory/2032-8-0x0000000004900000-0x0000000004901000-memory.dmp

memory/2032-9-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2032-11-0x00000000048C2000-0x00000000048C3000-memory.dmp

memory/2032-10-0x00000000048C0000-0x00000000048C1000-memory.dmp

memory/2032-12-0x0000000005240000-0x0000000005241000-memory.dmp

memory/2032-15-0x0000000005700000-0x0000000005701000-memory.dmp

memory/2032-20-0x0000000005740000-0x0000000005741000-memory.dmp

memory/2032-21-0x0000000006130000-0x0000000006131000-memory.dmp

memory/2032-28-0x0000000006280000-0x0000000006281000-memory.dmp

memory/2032-29-0x00000000062D0000-0x00000000062D1000-memory.dmp

memory/2032-30-0x000000007EF30000-0x000000007EF31000-memory.dmp

\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

MD5 387fd80a5602adc3dd4b2d0197a289de
SHA1 b903356e121f997a49759b306533a7ee8880b13b
SHA256 a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

memory/672-33-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

MD5 387fd80a5602adc3dd4b2d0197a289de
SHA1 b903356e121f997a49759b306533a7ee8880b13b
SHA256 a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-04 15:00

Reported

2021-03-04 15:03

Platform

win10v20201028

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
PID 2844 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
PID 2844 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
PID 3116 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe

"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'

C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

"C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';$shortcut.Save()
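
The two PowerShell command lines above are the entire persistence mechanism this run shows: the sample copies itself into %LOCALAPPDATA%\svlspoo\ under the name of a Windows system binary (spoolsv.exe, which legitimately lives only in System32), sleeps 60 seconds, starts the copy, and the copy then writes a .lnk into the user's Startup folder that points back at itself. The dropped spoolsv.exe has the same SHA256 as the submitted sample, so it is a byte-for-byte self-copy and a hash hunt for the original also finds the persisted file. The Python below is an added example, not part of this sandbox report or of any tool it used. It turns the two command lines and the "Suspicious use of WriteProcessMemory" rows from this report (copied here as constructed inputs, with the long process paths in the rows shortened) into a detection check: one function reconstructs the process chain from the PID pairs, the other flags the copy-sleep-execute and Startup-shortcut patterns. SYSTEM_BINARY_NAMES is an illustrative assumption, not a complete list.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed inputs, copied from the behavioral2 Processes section of this report.
POWERSHELL_CMDLINES = [
    "powershell Copy-Item -Path 'C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    "a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.bin.exe' "
    "-Destination 'C:\\Users\\Admin\\AppData\\Local\\svlspoo\\spoolsv.exe';"
    "Start-Sleep -s 60;Start-Process 'C:\\Users\\Admin\\AppData\\Local\\svlspoo\\spoolsv.exe'",
    "powershell $shell = New-Object -ComObject WScript.Shell;"
    "$shortcut = $shell.CreateShortcut('C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\"
    "Windows\\Start Menu\\Programs\\Startup\\spoolsv.lnk');"
    "$shortcut.TargetPath = 'C:\\Users\\Admin\\AppData\\Local\\svlspoo\\spoolsv.exe';$shortcut.Save()",
]

# Constructed from the "Suspicious use of WriteProcessMemory" rows of behavioral2. The sandbox
# emits each parent/child edge three times; the parser below collapses the repeats.
# Process paths are shortened here for readability.
WPM_ROWS = (
    ["PID 3928 wrote to memory of 2844 N/A ...\\a637...db89dc.bin.exe ...\\powershell.exe"] * 3
    + ["PID 2844 wrote to memory of 3116 N/A ...\\powershell.exe ...\\svlspoo\\spoolsv.exe"] * 3
    + ["PID 3116 wrote to memory of 1776 N/A ...\\svlspoo\\spoolsv.exe ...\\powershell.exe"] * 3
)

# Assumption: a short, illustrative set of System32 binaries whose names malware borrows.
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
QUOTED_PATH_RE = re.compile(r"'([A-Za-z]:\\[^']+)'")


def masquerades_as_system_binary(path):
    """True when the file name is a well-known System32 binary but the directory is not a system directory."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)


def flag_persistence(cmdline):
    """Return (rule, path) findings for the copy-sleep-execute and Startup-shortcut patterns."""
    findings = []
    low = cmdline.lower()
    if "copy-item" in low:
        dest = re.search(r"-destination\s+'([^']+)'", cmdline, re.I)
        if dest and masquerades_as_system_binary(dest.group(1)):
            findings.append(("system_binary_name_outside_system_dir", dest.group(1)))
        launched = re.search(r"start-process\s+'([^']+)'", cmdline, re.I)
        # copy, delay, then run the copy: the relaunch-from-new-location pattern in this report
        if "start-sleep" in low and launched and dest and launched.group(1) == dest.group(1):
            findings.append(("copy_sleep_execute", launched.group(1)))
    if "createshortcut" in low:
        for path in QUOTED_PATH_RE.findall(cmdline):
            if STARTUP_FRAGMENT in path.lower() and path.lower().endswith(".lnk"):
                findings.append(("startup_folder_lnk", path))
        target = re.search(r"\.targetpath\s*=\s*'([^']+)'", cmdline, re.I)
        if target and "\\appdata\\" in target.group(1).lower():
            findings.append(("startup_lnk_targets_appdata", target.group(1)))
    return findings


def process_chain(rows):
    """Rebuild the parent->child chain from WriteProcessMemory rows, root PID first."""
    parent_of = {}
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            parent_of.setdefault(int(m.group(2)), int(m.group(1)))  # first edge wins; repeats ignored
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(p for p in children if p not in parent_of)

    def walk(pid):
        out = [pid]
        for child in sorted(children.get(pid, [])):
            out.extend(walk(child))
        return out

    chain = []
    for root in roots:
        chain.extend(walk(root))
    return chain


if __name__ == "__main__":
    print("process chain:", " -> ".join(map(str, process_chain(WPM_ROWS))))
    for cmd in POWERSHELL_CMDLINES:
        for rule, path in flag_persistence(cmd):
            print(f"{rule}: {path}")
```

Run against the report's own rows the chain comes out as 3928 -> 2844 -> 3116 -> 1776 (sample, PowerShell, persisted copy, PowerShell again), and the two command lines produce one finding each for the masqueraded path, the copy-sleep-execute sequence, the Startup .lnk and its AppData target. The same functions can be pointed at Sysmon event ID 1 command lines or EDR process-creation telemetry; the Startup-folder and system-name-outside-system-directory checks are the ones that survive a rename of the svlspoo directory.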

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 95.100.186.52:80 www.microsoft.com tcp
N/A 8.8.8.8:53 dong7707.at udp
N/A 217.8.117.51:80 dong7707.at tcp

Files

memory/2844-4-0x0000000000000000-mapping.dmp

memory/2844-5-0x0000000073A70000-0x000000007415E000-memory.dmp

memory/2844-6-0x00000000070D0000-0x00000000070D1000-memory.dmp

memory/2844-7-0x0000000007740000-0x0000000007741000-memory.dmp

memory/2844-9-0x00000000070C2000-0x00000000070C3000-memory.dmp

memory/2844-8-0x00000000070C0000-0x00000000070C1000-memory.dmp

memory/2844-10-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

memory/2844-11-0x0000000007E90000-0x0000000007E91000-memory.dmp

memory/2844-12-0x0000000008070000-0x0000000008071000-memory.dmp

memory/2844-13-0x00000000080E0000-0x00000000080E1000-memory.dmp

memory/2844-14-0x0000000007400000-0x0000000007401000-memory.dmp

memory/2844-15-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

memory/2844-16-0x00000000088B0000-0x00000000088B1000-memory.dmp

memory/2844-17-0x0000000009870000-0x0000000009871000-memory.dmp

memory/2844-18-0x0000000009550000-0x0000000009551000-memory.dmp

memory/2844-19-0x00000000097D0000-0x00000000097D1000-memory.dmp

memory/2844-20-0x0000000009E60000-0x0000000009E61000-memory.dmp

memory/2844-21-0x000000000A9E0000-0x000000000A9E1000-memory.dmp

memory/3116-22-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

MD5 387fd80a5602adc3dd4b2d0197a289de
SHA1 b903356e121f997a49759b306533a7ee8880b13b
SHA256 a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512 3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

memory/2844-27-0x00000000070C3000-0x00000000070C4000-memory.dmp

memory/1776-28-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e71a0a7e48b10bde0a9c54387762f33e
SHA1 fed75947f1163b00096e24a46e67d9c21e7eeebd
SHA256 83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de
SHA512 394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

memory/1776-30-0x0000000073C20000-0x000000007430E000-memory.dmp