Resubmissions

27-10-2024 17:44

241027-wbmsna1dlj 1

General

  • Target

    RNSM00428.7z

  • Size

    100.2MB

  • Sample

    241026-q9tqzasnbl

  • MD5

    6c2b29d11f244eeeb6236ae5e8d5bf8e

  • SHA1

    0bbd142818b414240627c312be06018fd01ddd90

  • SHA256

    7580b9b56219ca324572123befd4663f265782508ef8b2159b86e56f747f987e

  • SHA512

    9bbb791eb8b3a0c1b89fbf9487bbe20992c7882124f6eba6c496eef624db28e677208bb2e4de34751fee8c617dbbfb3bc2de711f0a36793f3ecfde5ac672c3cb

  • SSDEEP

    3145728:LX1PIf6FbDsWpgzVsD2tcTHNyqqO0gMvHsbG4:b9If6xQZsD2erIqd0gMvE

Malware Config

Extracted

Family

crimsonrat

C2

151.106.14.125

211.210.122.154

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected](Backup mail) send us your Key Identifier and Personal ID Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! Key Identifier: D3Kfs/DF9zU293dkopjOyaHfP/OjCLSra8Y2Ccn5FylHX9DQzcI7HU7I9ALoNhIwTeAwwTWh5j555nm9ebnguaXANjpq/0y/c+/BzBEYCDOFSMAO+4DFJ1/jBvZbnl32VlbPxpXLLwyqGBAMb9h+J5BS7ZxCUhbO+yDlWqUIlKI2eFfP1lWrEOomUc657mqoUvB/zyZQzaFKrcBFvWRuhtNwZKs6eg0rlSTeOXXqG79z72YjHaDWAbBV/6oEX4xUSqwaY62izo2MLTeMrEt3w2lpR+HnoHpeXZ3j/xvuzO9BEJe+abPZkXkcwVHqOJUWM4oaPyCRXppCtyZVenPc/jg3EeHndz2JiQFn8y8ovPCzDt5J22wveaA28voRw4ezf9Y2pNv/Y6QE/ci//aQb54U6DWzfwu5oKrP4BelVEqDI5NSg5Xyo09Pd5jjffKZXrZQ9+HAl3NyRHRVIcn6NP8IqkZhDgHDxziDBwqWQON+R2RczutiijmzRCQeJ7+dthoSXA4S6BdTsCRvsV/bRyAlUQlUFG34w3hEi+ym5XM2Ev5MlqM0SAc+XpM41BZKTinh5Up9kc+t9sEUmccXRekq7xyewo2I4vO9ySDC2gsXpmO+76hiSIb/vnBiSed6C0QKzrJ/mu9Ri9avrIYvx8rmUddh+ef5K5a6gTSP1i0o= PC Hardware ID: 16ECD120
Emails

Extracted

Path

C:\Program Files\Crashpad\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?ADA6851A3DD484F0EFB7B30FDEA6B266 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?ADA6851A3DD484F0EFB7B30FDEA6B266 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?ADA6851A3DD484F0EFB7B30FDEA6B266

http://lockbitks2tvnmwk.onion/?ADA6851A3DD484F0EFB7B30FDEA6B266

Extracted

Path

C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: [email protected] or [email protected] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. Do not edit or delete any virtual machines files To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.

Extracted

Family

azorult

C2

http://ezman123123.000webhostapp.com/index.php

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

Decoy

kamahouse.net

bridgeloanslenders.com

abitur-undwieweiter.de

live-your-life.jp

xn--rumung-bua.online

anteniti.com

marcuswhitten.site

ostheimer.at

joseconstela.com

deepsouthclothingcompany.com

dr-seleznev.com

ecpmedia.vn

aunexis.ch

anthonystreetrimming.com

pocket-opera.de

mooreslawngarden.com

osterberg.fi

extraordinaryoutdoors.com

kamienny-dywan24.pl

fitovitaforum.com

Attributes
  • net

    false

  • pid

    $2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

  • prc

    avgadmsv

    BackupUpdater

    ocautoupds

    synctime

    thebat

    excel

    isqlplussvc

    ccSetMgr

    SPBBCSvc

    Sage.NA.AT_AU.SysTray

    lmibackupvssservice

    CarboniteUI

    powerpnt

    BackupMaint

    onenote

    klnagent

    sql

    Rtvscan

    xfssvccon

    Smc

    mspub

    encsvc

    LogmeInBackupService

    kavfsscs

    ccSvcHst

    BackupExtender

    NSCTOP

    outlook

    dbsnmp

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7178

  • svc

    ssistelemetry

    adsync

    svc$

    msseces

    mbamservice

    ssastelemetry

    altaro

    sbamsvc

    ds_notifier

    ntrtscan

    ofcservice

    code42service

    macmnsvc

    memtas

    auservice

    telemetryserver

    tmccsf

    psqlwge

    sppsvc

    viprepplsvc

    azurea

    ds_monitor

    swi_filter

    protectedstorage

    mfemms

    mfevtp

    kaseyaagentendpoint

    ltservice

    dssvc

    altiback

Extracted

Path

C:\Users\1ul77jre-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1ul77jre. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D6AAA79FC5867B50 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/D6AAA79FC5867B50 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: fQdv49OnMsx0wmz6/2Pc9/7iFLAtzFLIJRc53JaJLvo/oABCJuNYBGLuwIwdG6NF +Ap/o+eC/sK7j1UZD/NJxVQd+CfCw+5LXRaX59Kb0STm0V/HWatJ95dYL5EWuxYS kjQidalZYlJdgrbsPK88hdVKPuM8wU+bMlDtr7GcikWzdNXnAaAsWICrydj7PIBG xeYYid/9UmNU7rz8xsVw+ndsRQqdtXQCf7rHM+FU5YenVIWdnFOrsMYie9p+1fma 4lPOg5/dPTr4Yq2Q/5RKG/vBejJ/LSBOvfIz3GW4HWA8NlazS37SKXYy22d+X042 lr49F8kkKpEidBX7GzfRY2bSBaaDRiG3C6QkvTKnCIIv62z2E5wUjTveHnR+DrV/ B8xeTgPunqzy4L3MCOCPSYUkyDmNFV8ZXo25b/ANEMLKSq+VnRttfFQUZq1osHyE nDWWT6kjmpC8Cn8+8sqW3Q46pkieUhw03+lrUi23KlER77XdNh/VUtFd7D6jXQ4s 2aMCQg0W6sslui1CM7M6xA/mCRiwLOY4Dm0DiN/TnkLiAICHICrvkvEYXtCPSGWQ ld2gg3JmAxc8e/0H6H6swYp6+V9uaERJsATUVlUvKg1RHJQB+v6+VftuTcvVL2E/ zAcUVWmEEhJw4vafRblAQvc0caVqiBfEHBY7YOqKAE7AqUvjQ8REyUmr9Ju6I0i2 Lq+wtC3PWPP32VSlBhrwaljmfDAVIFeTM4ufvnWBuwohQnDhmy29GZZ3im0EmCXz sWfhy0PhauiKjXW7DHHXnfZcxm5z2gwdV0Dq2MQrf8vMq0RvQyOzhqs1pqkTDSOG EmYLqUlkSMQBSupXSpqqXwNmf4BvCBSnLvy7G5eRj3RWTEC6C7y9tCtUP4DoExpl TyaH4bzXGfAKNHca9vGbTQJ6abSkKmil5NSfle6gIxAut9k0xC54yfHd+I20vZ0D LCbyDq7mXGzTgv09bDAJZcXlXZ5K2adKT8W4PPd97S88ktmek6LIVeZH43Tmengr +OQOegRZFbUY7K9nWmaNvuiHhpUxJAv2DQEPdUKmtIWjvThsEs2QIwxKgUTPEXQj hxMndpqPWrOCIUBYKpENyEpik5WLPgTds5FQCwBiXgMoiwcNmh15n5OEA0aUbFoC ULRB9W4pZ94a1Y90xL+ZF+sde5m7MsHtOGExOqzdzw3jikp18u8/U2SzZOz1AI0T qpraoJeUe9EGOx0S9LsziKonxHwzQZIPUQsG6pst4qBOUmP8ZrHzJOu6RjNkju6l CQSh3ZzxrFUojMuuQvCftaMYDBDox4c78Pl1nagUPWmUENBv5VodSpTb2zdgD3DY yHL3JwEQTBzh834e8DxMQ3kKD3Nq6DGCVrF7Ag9FlK8= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D6AAA79FC5867B50

http://decoder.re/D6AAA79FC5867B50

Extracted

Family

djvu

C2

http://plnv.top/lancer/getm.php

Attributes
  • extension

    .cadq

  • offline_id

    2f4OfOSHaJTDMA9o58Df7yU9jUpxyfWKcEPew2t1

  • payload_url

    http://plnv.top/files/iner/updatewin1.exe

    http://plnv.top/files/iner/updatewin2.exe

    http://plnv.top/files/iner/updatewin.exe

    http://plnv.top/files/iner/3.exe

    http://plnv.top/files/iner/4.exe

    http://plnv.top/files/iner/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rQ27BU5m0E Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0282oPsw3

rsa_pubkey.plain

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected](Backup mail) send us your Key Identifier and Personal ID Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! Key Identifier: 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 Number of files that were processed is: 1135 PC Hardware ID: 16ECD120
Emails

Targets

    • Target

      RNSM00428.7z

    • Size

      100.2MB

    • MD5

      6c2b29d11f244eeeb6236ae5e8d5bf8e

    • SHA1

      0bbd142818b414240627c312be06018fd01ddd90

    • SHA256

      7580b9b56219ca324572123befd4663f265782508ef8b2159b86e56f747f987e

    • SHA512

      9bbb791eb8b3a0c1b89fbf9487bbe20992c7882124f6eba6c496eef624db28e677208bb2e4de34751fee8c617dbbfb3bc2de711f0a36793f3ecfde5ac672c3cb

    • SSDEEP

      3145728:LX1PIf6FbDsWpgzVsD2tcTHNyqqO0gMvHsbG4:b9If6xQZsD2erIqd0gMvE

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Clop family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detected Djvu ransomware

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • Disables service(s)

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Djvu family

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Modifies WinLogon for persistence

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

    • Snatch family

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • UAC bypass

    • clop

      Ransomware discovered in early 2019 which has been actively developed since release.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Renames multiple (3037) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks