ryuk | ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2

Analysis

max time kernel
156s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-02-2022 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
Size

114KB
MD5

a9b7b3af239126f1ec4e1549076b6f6a
SHA1

d26ae4e7aac4529370583bb9e401152746d88a41
SHA256

ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2
SHA512

572587a2a5ef1fb275c9059e32191399780311dac2d064a211303f87a768c1acdc903a8d966723ff9b2375ec31a985a55f3623a2631d4dcf83d564e6eb7280ce

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 3 IoCs

pid	Process
4468	XUzvJpGsKlan.exe
544	kuKnEoNBKlan.exe
3592	TdpYQuNjzlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2116	icacls.exe
3968	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1372	SCHTASKS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4556	svchost.exe
Token: SeCreatePagefilePrivilege	4556	svchost.exe
Token: SeShutdownPrivilege	4556	svchost.exe
Token: SeCreatePagefilePrivilege	4556	svchost.exe
Token: SeShutdownPrivilege	4556	svchost.exe
Token: SeCreatePagefilePrivilege	4556	svchost.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4468	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	94
PID 4424 wrote to memory of 4468	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	94
PID 4424 wrote to memory of 4468	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	94
PID 4424 wrote to memory of 544	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	95
PID 4424 wrote to memory of 544	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	95
PID 4424 wrote to memory of 544	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	95
PID 4424 wrote to memory of 3592	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	96
PID 4424 wrote to memory of 3592	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	96
PID 4424 wrote to memory of 3592	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	96
PID 4424 wrote to memory of 2912	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	47
PID 4424 wrote to memory of 2944	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	46
PID 4424 wrote to memory of 3004	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	19
PID 4424 wrote to memory of 3088	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	44
PID 4424 wrote to memory of 3304	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	43
PID 4424 wrote to memory of 3392	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	42
PID 4424 wrote to memory of 3456	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	20
PID 4424 wrote to memory of 3544	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	41
PID 4424 wrote to memory of 3688	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	40
PID 4424 wrote to memory of 3812	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	38
PID 4424 wrote to memory of 692	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	31
PID 4424 wrote to memory of 2052	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	25
PID 4424 wrote to memory of 3512	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	91
PID 4424 wrote to memory of 4252	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	97
PID 4424 wrote to memory of 1372	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	111
PID 4424 wrote to memory of 1372	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	111
PID 4424 wrote to memory of 1372	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	111
PID 4424 wrote to memory of 1528	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	110
PID 4424 wrote to memory of 1528	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	110
PID 4424 wrote to memory of 1528	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	110
PID 4424 wrote to memory of 1732	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	109
PID 4424 wrote to memory of 1732	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	109
PID 4424 wrote to memory of 1732	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	109
PID 4424 wrote to memory of 1784	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	108
PID 4424 wrote to memory of 1784	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	108
PID 4424 wrote to memory of 1784	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	108
PID 4424 wrote to memory of 1928	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	99
PID 4424 wrote to memory of 1928	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	99
PID 4424 wrote to memory of 1928	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	99
PID 4424 wrote to memory of 2012	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	107
PID 4424 wrote to memory of 2012	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	107
PID 4424 wrote to memory of 2012	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	107
PID 4424 wrote to memory of 3968	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	106
PID 4424 wrote to memory of 3968	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	106
PID 4424 wrote to memory of 3968	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	106
PID 4424 wrote to memory of 2116	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	105
PID 4424 wrote to memory of 2116	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	105
PID 4424 wrote to memory of 2116	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	105
PID 4424 wrote to memory of 4812	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	115
PID 4424 wrote to memory of 4812	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	115
PID 4424 wrote to memory of 4812	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	115
PID 4812 wrote to memory of 4476	4812	net.exe	118
PID 4812 wrote to memory of 4476	4812	net.exe	118
PID 4812 wrote to memory of 4476	4812	net.exe	118
PID 2012 wrote to memory of 4612	2012	net.exe	117
PID 2012 wrote to memory of 4612	2012	net.exe	117
PID 2012 wrote to memory of 4612	2012	net.exe	117
PID 4424 wrote to memory of 1408	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	119
PID 4424 wrote to memory of 1408	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	119
PID 4424 wrote to memory of 1408	4424	ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe	119
PID 1528 wrote to memory of 4740	1528	cmd.exe	120
PID 1528 wrote to memory of 4740	1528	cmd.exe	120
PID 1528 wrote to memory of 4740	1528	cmd.exe	120
PID 1408 wrote to memory of 4868	1408	cmd.exe	122
PID 1408 wrote to memory of 4868	1408	cmd.exe	122

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2944

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe
"C:\Users\Admin\AppData\Local\Temp\ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\XUzvJpGsKlan.exe
  "C:\Users\Admin\AppData\Local\Temp\XUzvJpGsKlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\kuKnEoNBKlan.exe
  "C:\Users\Admin\AppData\Local\Temp\kuKnEoNBKlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Users\Admin\AppData\Local\Temp\TdpYQuNjzlan.exe
  "C:\Users\Admin\AppData\Local\Temp\TdpYQuNjzlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2116
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3968
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrintKm" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\R3qOi.dll" /ST 10:25 /SD 01/31/2022 /ED 02/07/2022
  2⤵
  - Creates scheduled task(s)
  PID:1372
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4868
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3512

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4556-133-0x00000192BF990000-0x00000192BF9A0000-memory.dmp

Filesize
64KB

Download
memory/4556-135-0x00000192C2610000-0x00000192C2614000-memory.dmp

Filesize
16KB

Download
memory/4556-134-0x00000192BFF20000-0x00000192BFF30000-memory.dmp

Filesize
64KB

Download