Analysis
Max time kernel: 88s
Max time network: 122s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-07-2022 03:57
Static task: static1
Behavioral task: behavioral1
  Sample: 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
  Resource: win10v2004-20220414-en
General
Target: 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
Size: 216KB
MD5: 670497e6310600fe3149d128946cf9df
SHA1: 82a807efec4d2751e0834f5605e13001c6450841
SHA256: 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e
SHA512: 4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090
Malware Config
Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | spoolsv.exe
Executes dropped EXE 2 IoCs
pid | Process
5092 | spoolsv.exe
2696 | spoolsv.exe
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe | spoolsv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe | spoolsv.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs | spoolsv.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | spoolsv.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\run | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Users\\Admin\\AppData\\Roaming\\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\spoolsv.exe" | spoolsv.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic heuristic; nothing else in this report (no file encryption, no dropped note) supports it for this sample, and the rest of the signatures point to persistence and UAC tampering rather than encryption.
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3632 | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
4888 | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
5092 | spoolsv.exe
2696 | spoolsv.exe
Suspicious use of WriteProcessMemory 36 IoCs
Identical "PID X wrote to memory of Y" rows are collapsed; the last column is how many times each row appears in the report.
pid | Process | target pid | procid_target | writes
3632 | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe | 4888 | 81 | 15
4888 | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe | 5092 | 82 | 3
4888 | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe | 436 | 83 | 3
5092 | spoolsv.exe | 2696 | 85 | 15
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Processes

C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe  (PID 3632, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe  (PID 4888, depth 2, child of 3632; same image as its parent)
    command line: "C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe  (PID 5092, depth 3, child of 4888)
      command line: C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe  (PID 2696, depth 4, child of 5092; same image as its parent)
        command line: C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Drops startup file
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetWindowsHookEx
        - System policy modification

    C:\Windows\SysWOW64\cmd.exe  (PID 436, depth 3, child of 4888)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\80016A89.cmd

Note: in both stages the same image is launched a second time as its own child, and the memory writes in the WriteProcessMemory table go from the first copy into the second (3632 into 4888, 5092 into 2696); it is the second copy in each pair that goes on to act. The registry and Run-key changes are all made by the final spoolsv.exe (PID 2696), whose image lives in a user-writable Roaming directory, not in System32 where the real Print Spooler binary of that name resides.
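The Signatures and Processes sections above together describe a short persistence chain: a copy of the sample named after a Windows service binary is written under %AppData%\Roaming, registered in the per-user Run key, dropped (with a svchost.vbs) into the Start Menu Startup folder, and then EnableLUA and the Security Center UACDisableNotify value are set to 0. Two details are worth checking for in other samples: the Run-key target lives in a directory whose name begins with LPT2 (a reserved DOS device name) and ends with {20D04FE0-3AEA-1069-A2D8-08002B30309D}, the shell CLSID for This PC, a combination that makes the folder awkward to open or delete from Explorer and many Win32 tools. The following Python is an added example, not code from the sandbox or from the malware: it parses event lines in the format this report uses and flags each of those behaviours. The event strings are constructed from the report's own IoC lines plus one assumed benign control line; the finding categories and the list of lookalike binary names are this example's own choices.

```python
"""Triage of sandbox registry/file events for the persistence and UAC-tampering
pattern in this report. Added example; not part of the sandbox report."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed from the report's IoC lines, in the report's own rendering
# (description, key or path, optional = "value", then the acting process).
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" spoolsv.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe spoolsv.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Users\\Admin\\AppData\\Roaming\\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\spoolsv.exe" spoolsv.exe',
    # Benign control line (assumed, not from the report): must yield no finding.
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

# Reserved DOS device names. A directory whose name starts with one of these,
# even with a suffix such as "lpt2.{...}", is hard to open or delete through
# Explorer and many Win32 tools.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})
# File stems that imitate Windows service binaries (example's own list).
LOOKALIKE_STEMS = {"spoolsv", "svchost"}

REG_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$')


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    process: str


def _check_path(path, proc):
    """Path checks: service-binary lookalike outside System32/SysWOW64, and
    directory components that begin with a reserved device name."""
    out = []
    parts = path.split("\\")
    dirs, name = parts[:-1], parts[-1]
    in_system_dir = any(d.lower() in ("system32", "syswow64") for d in dirs)
    if name.split(".")[0].lower() in LOOKALIKE_STEMS and not in_system_dir:
        out.append(Finding("system_name_masquerade", path, proc))
    for d in dirs:
        if d.split(".")[0].upper() in RESERVED_DEVICES:
            out.append(Finding("reserved_device_dirname", d, proc))
    return out


def _check_registry(key, value, proc):
    out = []
    k = key.lower()
    if k.endswith("\\policies\\system\\enablelua") and value == "0":
        out.append(Finding("uac_disabled", key, proc))
    if "\\security center\\" in k and k.endswith("uacdisablenotify"):
        out.append(Finding("security_center_tamper", key, proc))
    if "\\currentversion\\run\\" in k:
        target = value.replace("\\\\", "\\")  # undo the report's doubled backslashes
        out.append(Finding("run_key_persistence", target, proc))
        out.extend(_check_path(target, proc))
    return out


def _check_file(path, proc):
    out = []
    if "\\start menu\\programs\\startup\\" in path.lower():
        out.append(Finding("startup_folder_persistence", path, proc))
    out.extend(_check_path(path, proc))
    return out


def analyse(events):
    """Return one Finding per suspicious property of each event line."""
    findings = []
    for line in events:
        m = REG_RE.match(line)
        if m:
            findings.extend(_check_registry(m["key"], m["value"], m["proc"]))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(_check_file(m["path"], m["proc"]))
    return findings


def summarise(findings):
    """Category -> count, for a quick verdict line."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.category:28} {f.process:14} {f.detail}")
    print(summarise(analyse(EVENTS)))
```

Run against the constructed events this yields nine findings for the five malicious lines and none for the control: one UAC-disable, one Security Center write, two Startup-folder drops, one Run-key entry, one reserved-device directory name, and three lookalike-name hits (the two Startup files and the Run-key target). Lines the regexes do not recognise, such as the report's "Key created" rows, are skipped rather than mis-parsed.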
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 170B
MD5: 07490cb84315068c4b4574d0845fa079
SHA1: 44abfd5f47b28257c27a6fdef058fd2807f373c5
SHA256: 8be315ea075506ad8720caa7265bd99451a382be615528a099bf23ab5c1c80c9
SHA512: 68d79cd335ecc219d4f1a5150bce5b2c2c3ffca13ca63d414bc58ea0a198b4596ab4ea02347401ba2754985a78c878520f71c101d4afaf98eb14b00304b57c11

Filesize: 384B
MD5: 824a719d4a5cce2f0603e9bd63bae64c
SHA1: 381ea9689a1ca092dfa375f160bc269adde97f8d
SHA256: addece724ab9ff11addbf757c3f26b3499f1a372f391d67a04514a93ad8699ac
SHA512: 8ef76ca77c9a970b7f33afb761d310587412dc8e411259422ca227faac5e51db8da87592545d5e8a10623ed26f1e51d43ae8d2cd471deffb4ca43e8a9832eb3e

Filesize: 216KB (three dropped copies with identical hashes, matching the submitted sample)
MD5: 670497e6310600fe3149d128946cf9df
SHA1: 82a807efec4d2751e0834f5605e13001c6450841
SHA256: 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e
SHA512: 4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090