lockbit | 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

General

Target

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
Size

162KB
MD5

38745539b71cf201bb502437f891d799
SHA1

f2a72bee623659d3ba16b365024020868246d901
SHA256

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce
SHA512

772e76757069c3375cf1ffd659ff03f47f2d4becae61a852adbc27ae467551210d8832994f944c05fccc8486a8a88322021c94217a8bd962c2459af41067132b
SSDEEP

3072:MC/pu0EzJTnvxkIKztqGJ0OtiZ4/7I5jfa2F63Jvb3iN0RD3xpjb68Tzd4Tpx8W7:MC/pu1iIKztqGuU/7Ity2F65vb3FRlpW

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-0-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit
behavioral1/memory/1600-1-0x0000000000400000-0x000000000042C000-memory.dmp	family_lockbit

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2404	1600	WerFault.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
936	1328	WerFault.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

Processes:

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

pid	process
2616	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1172	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2652	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2132	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1224	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1568	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
1916	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
2412	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1332 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1332	taskmgr.exe
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.execmd.exe80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1600 wrote to memory of 2404	1600	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 2784 wrote to memory of 2616	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2616	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2616	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2616	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1172	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1172	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1172	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1172	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2652	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2652	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2652	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2652	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2132	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2132	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2132	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 2132	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1224	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1224	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1224	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1224	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1568	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1568	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1568	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 2784 wrote to memory of 1568	2784	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1328 wrote to memory of 936	1328	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe	WerFault.exe
PID 1652 wrote to memory of 1916	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 1916	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 1916	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 1916	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2328	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2328	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2328	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2328	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2412	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2412	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2412	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
PID 1652 wrote to memory of 2412	1652	cmd.exe	80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
"C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 88
  2⤵
  - Program crash
  PID:2404

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
"C:\Users\Admin\AppData\Local\Temp\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 88
  2⤵
  - Program crash
  PID:936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1916
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328
- C:\Users\Admin\Downloads\80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe
  80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe -pass
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-2-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1332-3-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1332-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1600-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1600-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads