diamondfox | a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

Resubmissions

09-04-2024 09:25

240409-ld13ysbf56 10

04-03-2021 15:00

210304-4rkckgcr1n 10

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe
Size

90KB
MD5

387fd80a5602adc3dd4b2d0197a289de
SHA1

b903356e121f997a49759b306533a7ee8880b13b
SHA256

a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc
SHA512

3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e
SSDEEP

1536:3iRjptO0Eel2ZXU0SL2mfksXIzuUleVBq:3EVkelKXUCIkxl0q

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/files/0x000700000002326d-36.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
4476	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3400	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe
4476	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3380	3400	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe	97
PID 3400 wrote to memory of 3380	3400	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe	97
PID 3400 wrote to memory of 3380	3400	a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe	97
PID 3380 wrote to memory of 4476	3380	powershell.exe	107
PID 3380 wrote to memory of 4476	3380	powershell.exe	107
PID 3380 wrote to memory of 4476	3380	powershell.exe	107

C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe
"C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc.exe' -Destination 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe
    "C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hxhlwsln.5em.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\svlspoo\spoolsv.exe

Filesize
90KB

MD5
387fd80a5602adc3dd4b2d0197a289de

SHA1
b903356e121f997a49759b306533a7ee8880b13b

SHA256
a6375022953679ad82fc634b471c5b9b7911b47453e8d155469f24ee20db89dc

SHA512
3d8d5f437df25d23dbba75c4be7d252bdda32e84c1c55eee10877d38a178aed5beae6dbb56c1f0aa7ba9a94c020dc0705584bdc13bfe61d0af4de9cc76afa23e

Download Submit
memory/3380-20-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/3380-23-0x00000000066D0000-0x00000000066EA000-memory.dmp

Filesize
104KB

Download
memory/3380-6-0x0000000005A50000-0x0000000005A72000-memory.dmp

Filesize
136KB

Download
memory/3380-7-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/3380-8-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/3380-4-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/3380-14-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-19-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/3380-2-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-21-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/3380-22-0x0000000006750000-0x00000000067E6000-memory.dmp

Filesize
600KB

Download
memory/3380-5-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/3380-24-0x0000000006720000-0x0000000006742000-memory.dmp

Filesize
136KB

Download
memory/3380-25-0x0000000007810000-0x0000000007DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3380-27-0x0000000008440000-0x0000000008ABA000-memory.dmp

Filesize
6.5MB

Download
memory/3380-28-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-29-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/3380-30-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/3380-32-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/3380-3-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/3380-44-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download