2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

Analysis

max time kernel
73s
max time network
89s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ransomwares/Annabelle/Annabelle.exe
Size

15.9MB
MD5

0f743287c9911b4b1c726c7c7edcaf7d
SHA1

9760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256

716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA512

2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
SSDEEP

393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ransomwares\\Annabelle\\Annabelle.exe"	Annabelle.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

2880 NetSh.exe

pid	process
2880	NetSh.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ransomwares\\Annabelle\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ransomwares\\Annabelle\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ransomwares\\Annabelle\\Annabelle.exe"	Annabelle.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2428 vssadmin.exe
2484 vssadmin.exe
2420 vssadmin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

pid	process
2428	vssadmin.exe
2484	vssadmin.exe
2420	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vssvc.exeshutdown.exe

description	pid	process
Token: SeBackupPrivilege	2772	vssvc.exe
Token: SeRestorePrivilege	2772	vssvc.exe
Token: SeAuditPrivilege	2772	vssvc.exe
Token: SeShutdownPrivilege	640	shutdown.exe
Token: SeRemoteShutdownPrivilege	640	shutdown.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Annabelle.exe

description	pid	process	target process
PID 2636 wrote to memory of 2420	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2420	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2420	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2428	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2428	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2428	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2484	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2484	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2484	2636	Annabelle.exe	vssadmin.exe
PID 2636 wrote to memory of 2880	2636	Annabelle.exe	NetSh.exe
PID 2636 wrote to memory of 2880	2636	Annabelle.exe	NetSh.exe
PID 2636 wrote to memory of 2880	2636	Annabelle.exe	NetSh.exe
PID 2636 wrote to memory of 640	2636	Annabelle.exe	shutdown.exe
PID 2636 wrote to memory of 640	2636	Annabelle.exe	shutdown.exe
PID 2636 wrote to memory of 640	2636	Annabelle.exe	shutdown.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ransomwares\Annabelle\Annabelle.exe
"C:\Users\Admin\AppData\Local\Temp\ransomwares\Annabelle\Annabelle.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2420

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2428

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2484

C:\Windows\system32\NetSh.exe
NetSh Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2880

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 00 -f
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1724

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-143-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1728-141-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2636-1-0x000000013FB80000-0x0000000140B74000-memory.dmp

Filesize
16.0MB

Download
memory/2636-0-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-2-0x000000001C0C0000-0x000000001D64E000-memory.dmp

Filesize
21.6MB

Download
memory/2636-3-0x000000001BAC0000-0x000000001BB40000-memory.dmp

Filesize
512KB

Download
memory/2636-4-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-142-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads