Analysis Overview
SHA256
2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5
Threat Level: Known bad
The file tune.bin was found to be: Known bad.
Malicious Activity Summary
DiamondFox
DiamondFox payload
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-29 23:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-29 23:01
Reported
2022-12-29 23:03
Platform
win7-20220812-en
Max time kernel
51s
Max time network
49s
Command Line
Signatures
DiamondFox
DiamondFox payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit\wininit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit\wininit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tune.exe
"C:\Users\Admin\AppData\Local\Temp\tune.exe"
C:\Users\Admin\AppData\Roaming\wininit\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit\wininit.exe" 0
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd" 0"
C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.0.0.1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 104.85.1.163:80 | www.microsoft.com | tcp |
| N/A | 45.136.111.47:80 | tcp | |
| N/A | 45.136.111.47:80 | tcp |
Files
memory/1996-54-0x00000000008B8000-0x00000000008C2000-memory.dmp
memory/1996-57-0x0000000075281000-0x0000000075283000-memory.dmp
\Users\Admin\AppData\Roaming\wininit\wininit.exe
| MD5 | c003231a632fa9d74620c52d22ffb140 |
| SHA1 | ec2c2f3f38a3bf00b67ba53413c3be94f50a7408 |
| SHA256 | 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5 |
| SHA512 | 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb |
memory/1740-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\wininit\wininit.exe
| MD5 | c003231a632fa9d74620c52d22ffb140 |
| SHA1 | ec2c2f3f38a3bf00b67ba53413c3be94f50a7408 |
| SHA256 | 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5 |
| SHA512 | 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb |
C:\Users\Admin\AppData\Roaming\wininit\wininit.exe
| MD5 | c003231a632fa9d74620c52d22ffb140 |
| SHA1 | ec2c2f3f38a3bf00b67ba53413c3be94f50a7408 |
| SHA256 | 2fc677921d477d8855da80277a86eaef43a8f69e86a502627f392529c2599aa5 |
| SHA512 | 92b67457de91ab653d71a0c28dfbc1d13d775c0ea95b00c9e7ea8913208ee2e8b9ae23e62a20c31f91969c7f91566ed52d2cc965fc75f2bc7e61efdf98187ceb |
memory/1492-62-0x0000000000000000-mapping.dmp
memory/1996-64-0x0000000000020000-0x000000000002A000-memory.dmp
memory/1996-63-0x00000000008B8000-0x00000000008C2000-memory.dmp
memory/1996-65-0x0000000000400000-0x00000000007AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89EBD4BB9455.cmd
| MD5 | 126d0b01f5b4d121ef8383dae924dcd2 |
| SHA1 | 964d6ff4588494561b3b90a390f62c4e065e2806 |
| SHA256 | 700332cbee3e55cb091574bf8c0dfcfbf9aeb1cdea044ba97b74c4ced131f0fb |
| SHA512 | a6878a08ea360601a0b8bff3f5ee97b746f044210a37860975b78e7580fac5817def3c353a21c5ddf2f5bceae4d67b6fd58758b6242f0233291205fdfd7e63c1 |
memory/820-67-0x0000000000000000-mapping.dmp
memory/1740-70-0x00000000002C9000-0x00000000002D2000-memory.dmp
memory/1740-71-0x0000000000400000-0x00000000007AC000-memory.dmp
memory/1740-73-0x00000000002C9000-0x00000000002D2000-memory.dmp
memory/1740-74-0x0000000000400000-0x00000000007AC000-memory.dmp