749d9f1bd425a9b49b9ad6e4bcdcb1954de0ad97d6b1506f1fd41ca62ff196c6

General

Target

d0a308811bd0cf98b7f3c13328f34e192ae9f07c
Sample

191018-dhmnstln9e
SHA256

749d9f1bd425a9b49b9ad6e4bcdcb1954de0ad97d6b1506f1fd41ca62ff196c6

Score

N/A

Malware Config

Extracted

Family

ursnif

Botnet

500

C2

http://myhomesitter.fun

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22

rsa_pubkey.base64

serpent.plain

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81DF123E-F1DD-11E9-BD7F-6ED33B104535} = "0"	5084	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5084	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1461662044"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30770666"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1461662044"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30770666"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000179842ae114d342cdca47d4693c8f6cf4b6988e82586de33b52eb55b95c9f5d0000000000e80000000020000200000009c9073c2f33cd52ca328850b02f8f7e94b562be6a2d980b67c4fc6aa7ec4fc6b20000000354971cc32dc00132950bcefe4b915c4d2060c271e99d4b5db0a4b398b6c012840000000316f4091958f12374c4189537e442eecc2739a25470491354a8d1c5bb6d23f24da80ea04c7c768f98ac7d556302aa64a5d4d3a5890c7f03958172e62a7139de7	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a010585aea85d501	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000f11276abe1bf1ca8630e4d96e6967859a567270040dae0b8d9350410435ecfe1000000000e80000000020000200000009991bb6eabcfc78595824f7a4bda108cc0c991d221e422cb939a827752fff67920000000e3cc9162e9fb05bd8ded88bfd24e29de35da9f7b5449ede0a9ab1d48f4c4366840000000b00557b28fdd1aef7698a56bc1f50990faeacb8fb0428cfc8dc7d18f925a27d8943545e98bc94c126aed34a86b4824938ed26167e748c0a71c088c0cd371c3e1	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903c5f5aea85d501	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	4516	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E4211BA-F1DD-11E9-BD7F-6ED33B104535} = "0"	4516	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4516	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	4516	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	4516	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000000754878a5b6bf9f34fb3dcd827e3d022e08d808a976530f6d765004afd5b012c000000000e80000000020000200000000e7610028585bc3e7fd391f815b25339dc460f30f1c833b748d093bcd5fd62fd20000000538aae2ed543bfa726bcf9b74b8353728ee34dab6f09d8540c6133db0f19a89640000000482d8086c9e6488c7d4ea65f3209ac78121df5b88e8d0068bd79c6afdd39e7ea2cba7349c4dd808ee58bf1e32c91a6a1cc5f46de10f878b2ee389c392da347b9	4516	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e7ff61ea85d501	4516	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	4516	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	3564	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ABF2D257-F1DD-11E9-BD7F-6ED33B104535} = "0"	3564	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3564	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	3564	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	3564	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000243e24250c6298cbc4ea2c817ff924e9468a063782432aa63d92ddf8fbd1109e000000000e80000000020000200000003b1f935b684ff64d1106830bd50b6136fb6f0b9db9aab4627cebbe2f78ab90e720000000acfaf3e0f425983acafda4245f293f230dc09fc5b2881fb3fb3aa10b595920f840000000350d9efae1fa740a256bf4d7bf924c1b196787559c68d8c47b7af88fe991a61e68306cf1a45ae2a48d02c5d9f91c823988110594967d75620da0f6d9242ec8d1	3564	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906b6b6fea85d501	3564	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	3564	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	744	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B97FCFC2-F1DD-11E9-BD7F-6ED33B104535} = "0"	744	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	744	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	744	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	744	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000005285e733ca527cbf5f8d8e07432bc7053564e496521551913a9e58a0cccc35a9000000000e8000000002000020000000e37b7ed73af522001a460722f91cb56168c98cf1a351f1580b6b629e2f99a40b200000009678de68c366d82251fd22d5fd40216c303464b43fc756df4f926c58be52b29740000000cc31a8c251baf62a3bba87c6587e0430c821728235917bbe45eee756a2d3c0ac97c7b98db6f4c79131c47bbbd1ff9f213b689743cdf9da6f6a83bcdc3c1c4764	744	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b016477dea85d501	744	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	744	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	1848	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C7414112-F1DD-11E9-BD7F-6ED33B104535} = "0"	1848	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1848	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	1848	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	1848	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000c0b38fee8f73faf3d8a4229af0e82d02acd2743136ac1cdd81b2fe1f98c2101f000000000e8000000002000020000000d577bf643bab1a121f29a02b31284d97231cc9b06c1e83c89e466ed9a490b2eb2000000065d9c58917be0119a88899770c8dacda9ae81933da85e20d9ec633c6cc7c0cc140000000350df93c0250b5f6e22736e5b0e2489d27e6f6a3086365a3b84f7e17807ffa3750c6f4009347b491f41e25f3ee3a713d1645541abed7b5996f5802cd2678f35c	1848	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4057918aea85d501	1848	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	1848	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 5084 wrote to memory of 4212	5084	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 3624	4516	iexplore.exe	IEXPLORE.EXE
PID 3564 wrote to memory of 3360	3564	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 1272	744	iexplore.exe	IEXPLORE.EXE
PID 1848 wrote to memory of 2132	1848	iexplore.exe	IEXPLORE.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	2624	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	2624	svchost.exe

ursnif family
family

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
5084	iexplore.exe
4212	IEXPLORE.EXE
4516	iexplore.exe
3624	IEXPLORE.EXE
3564	iexplore.exe
3360	IEXPLORE.EXE
744	iexplore.exe
1272	IEXPLORE.EXE
1848	iexplore.exe
2132	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

5084 iexplore.exe
4516 iexplore.exe
3564 iexplore.exe
744 iexplore.exe
1848 iexplore.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITS8ffe9e5c-f74d-435c-90a8-643e9a770ef8"	4668	svchost.exe

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	4668	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4668	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4668	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4668	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4668	svchost.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2700	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2700	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe
"C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe"
1⤵
PID:4908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:5084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4516 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:3624

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in system dir
PID:4668

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:2700

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:2624

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:3564

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3564 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089
T1031

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4908-0-0x0000000000752000-0x0000000000753000-memory.dmp

Filesize
4KB

Download
memory/4908-1-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4908-2-0x0000000000630000-0x000000000063F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads