General

  • Target

    RNSM00378.7z

  • Size

    23.2MB

  • Sample

    241104-wpnl4svekp

  • MD5

    f80cfc9402fef885894bc62dcd8519ca

  • SHA1

    a93a0e4a3ee160e904832b3068c3008c0b624c8e

  • SHA256

    4fb064cdac599ae9c745c8daaf959eaa593482b730a3cc222ac9bad0f34b4743

  • SHA512

    c16820883537426c6f8a2d26a30180d899a323b86ad9295baee37dd5e6925833d3bec8651e67cfb5764d9af3379893e20e8840cf139c27a68ef7dc4ba4a62d87

  • SSDEEP

    393216:dPfhHgMe1nlNIEGuPaFU2H1sF+uCLCtaMHlSlsuui256Z7K26ClaK0U:FJHxwXIEr6HeF+PCtaYluui7Z1xEKl

Malware Config

Extracted

Family

crimsonrat

C2

95.168.176.141

111.115.60.18

Extracted

Family

azorult

C2

http://mortest.ug/index.php

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

sodinokibi

Botnet

$2a$10$gJVBYm57496UmbU9CEw7.OBbZFB62SOCGQUZLCYEk4nc8asNDpaz6

Campaign

3187

Decoy

Attributes
  • net

    true

  • pid

    $2a$10$gJVBYm57496UmbU9CEw7.OBbZFB62SOCGQUZLCYEk4nc8asNDpaz6

  • prc

    tbirdconfig

    powerpnt

    wordpad

    winword

    mydesktopservice

    outlook

    infopath

    agntsvc

    excel

    dbsnmp

    msaccess

    encsvc

    xfssvccon

    ocomm

    sqbcoreservice

    synctime

    visio

    onenote

    mspub

    sql

    isqlplussvc

    firefox

    thebat

    oracle

    dbeng50

    ocautoupds

    thunderbird

    ocssd

    steam

    mydesktopqos

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3187

  • svc

    sql

    svc$

    veeam

    vss

    backup

    sophos

    mepocs

    memtas

Extracted

Family

sodinokibi

Botnet

37

Campaign

2794

Decoy

Attributes
  • net

    true

  • pid

    37

  • prc

    excel

    winword

    onenote

    visio

    powerpnt

    dbeng50

    isqlplussvc

    mspub

    mydesktopqos

    mydesktopservice

    vss

    thunderbird

    infopath

    agntsvc

    dbsnmp

    wordpa

    steam

    synctime

    firefox

    oracle

    sql

    ocssd

    msaccess

    encsvc

    tbirdconfig

    outlook

    sqbcoreservice

    xfssvccon

    ocomm

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find how to decrypt {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2794

  • svc

    vss

    svc$

    backup

    veeam

    sophos

    mepocs

    memtas

    sql

Extracted

Path

C:\tmp\7w7o05f1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7w7o05f1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3B5CDFEE7E980581 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3B5CDFEE7E980581 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 52ztfRc+DSKdYUK/+7I+Q7QWRowc2IlyJ0EyyfOzBI98IKYUTIAP6mXSiIhEna3v Kmb+DslfdHh0RuPRAzye6V2AKkqQ9GkBkH71ACboCOJT7etlKOKjBOfnSkAOMAUD 4hTuLscoIZCZBku6zB5IIAcKyEAiYCZeb3SF4TbRYbi8IybHWgdKXMXM18o19z2c 38b/7tlOVaECqbk0pTuWe/SD6mdNbap+lyolCUHImLvK91IbRr29pmxoWSkSkf4R 7tcggFCG5h//J4l2HLSRi8ai+ju5VNGHCOuialBgZFsU2yK5RjpaFMifdE9QaRKQ qOFsdVO+wO1eu1ASk9HSiwohN1p2S6XISXbFJflhEw96a3e4NfaHAXxgaxCKvzAs Twb2acV9I5QkyCbEGhAg3Q+Cq23i7Etf4J1Hy9W9GGNi06TKLzGwBff7cTIj9QJa WC+cFhrmqkHu44K+RGb7ee0DgzoSs6Dl6msAzABi2n6VgCC3Tvx0KSu7G2UdsfyY UikbJNs/EYxB4mhvpg9dIAwbmPcT5Nd0T3gS5jEu68fOWidZVd6Q8Sl9IQy8EHMh ChDK12Oj2nzP/jZFKM2FYG3vp2FzrhObiQJpnf83d3p18ZTS9RBeQa1Z6LQ7Wb3F pYTlI3M5MouttzD/mthk34/q9uQAisy9Fs/426eUjt1uBLVvRSDg9M4Bsy2RRjXU 25+miKCKgd2W430u3bFiUUBiaHOy8vXF/F0Z+rSJxJVuZT+hq+1zuLJmeurN+xxJ mgcIetutHXC7iPvhhDgmT2hCdOCaPLe9U7pjq4qAhLGyj5b44WdUTPJhcWiqvBEZ tRPPkWakDpwGTclKqprjadCs6zQeiFBu2XEsqzbZPE84AK3DzlFbjtiiTkjswUc9 HiqPKvELpfCoA7xaNIGpat7Ib6bAJtY0PNB+48Ic1+N751rroZ3fccY3W7knE2YT e+3mUkgt/MMwt84RykgDO3McnFvFL69ZRycmA6YleNv1517ZyTuVESEcN18GsOxH fJ0qrYU38rQqC8rpHIssg1aOliWWoL/FGw1LR5mnMjkBblpGqbTkZkhAZqrn55A/ F5o2HukWUCUW8xlR3vUonTKUEdmKnjFTED3el5xbbJ6HuyoN1lTy0zekFFCCoDaT FVbukPaTZazEE5It23JfF/g2YCiot7YVz/+z5MdsM2i3UQh2bka2RGsrWIgB7jN3 K374Ct5ItUynJIPf3JZl6jyKLCADRvRt12vBzCcSfA7RR53Uo6XcQOLtnrtEz04g 1q8wcoqOdG2kuoBxH+/M6fCq7K25kUK5WjXRKH2fOPdX54nzkgKtqHY9Yy5oqW2U k+rcs0JKaTMAsQk4/vu7JpLWrG6RVW5HYqqR1IripEarYAqaFDh6tQ23 Extension name: 7w7o05f1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3B5CDFEE7E980581

http://decryptor.cc/3B5CDFEE7E980581

Extracted

Family

djvu

C2

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

http://ring2.ug/Asjdi435784ihjk65pen2/get.php

Attributes
  • extension

    .meka

  • offline_id

    iToA4bsB4p1U6eP9sYfwett26TIoVaIjXvmekat1

  • payload_url

    http://ring1.ug/files/cost/updatewin1.exe

    http://ring1.ug/files/cost/updatewin2.exe

    http://ring1.ug/files/cost/updatewin.exe

    http://ring1.ug/files/cost/3.exe

    http://ring1.ug/files/cost/4.exe

    http://ring1.ug/files/cost/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-h159DSA7cz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0178Asd374y5iuhld

  • rsa_pubkey.plain

Extracted

Path

C:\SystemID\mk1ah-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion mk1ah. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3B5CDFEE7E980581 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3B5CDFEE7E980581 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: tdcPh9M0VAwANxbL2QvJD1/Swv0mBtmS/Pk6yMsWFK/aoj/Wqpl0eE+wbcWrwCra hV7YP/2qHGgq+G0VNiyevpv2NMRlC1QXxpsPd7gSjG5I7qKqr4wlQeTFpBWKdJDM ddR0yNjOMpXUJyk3Ohdh1fg0cAw5l/RS9IuIg54ivCI9oi33uG1BybH3eQcHp7w8 Ebp/XyeemKf/C5VCq3MdYlcaxILFcQpP2NAU8w4D4Uld7mrm0ppc6Y+y7HriWsUp 3rHX9oi1Zv2UG9rmpVmdPVX/5xOWB5qsFdjLAWpHDPV9wku0SY2YJLjvehlLnqGp rmQWyhgDdpAfOfqRySf5sQqFUsBF+TF/gMQ/HsZq7ysrOiaNN0rlE+F49TiSAjtD aqqCaJJLm/DRu5j5AUHI3p6dP1LTbDZ9s7xAV8Hnt/219YbdiFAhl1owH0Q40zQi 3kbSjJZAubn9XiyPSSLNNdk+te5oopsOgu1lRjSl9KH2F30fIi/TnF4TlQ8tPfE+ 53c7RcfaGQUmskqA19DrDNYyF6Tbiwwb4n7PgkO3RrWmYjaQo44Kj6I6XsTHqI6T qvSc2vJSqRIrE3gba16SR1ActJA7Z+1dUJtF7AIy9VzgNClEpEnjv5h/lvhwZKm0 A4vmI6lprPcb8dzawlnawp9YWKOyEjWE4MZFp/aQi7OF0VTPB7k69UPPt9p8qEG1 nTReZrIIckfafvGFX0mu3XEAWpBb27P2FzAM8Z3UlVwOW7fBHxlgB8oPjcx4SwSK ozqF21mArobV9aGDTvF8d/ZRD+7OPHGCwV93dd7gqryCOhsdqVS/RdFgIID8qORw evRqABpVBCElKBHeHPFdLwRw3t6n9FAUBXsD3bT4lCLfyygmMo1wL9/4D0vLgqaT BWjrLMsRP9o6y5c8KYalt+qO+JZ0DT8Z/Dj/VuiAtC92/QbnVs8ah7q2ZFCeKUDL OvD3j8U7Hjy6Tn+FWmNeP1gNj2Cl7W1WFMI8uk9BMo6Di14moCZS1TxjpOPg/xkR wndrE2TSBSytLbtynnZ8ZAqJ7gtHOaQOvWwy9kFzApM/XjBR7Ccn8Fcr5QeLMWFB lexYmCrW9ibXvmBFAvQ9VfFbbEHieCACp4/ITotHlcuh7qIcBzYrXkl2P7mb0oHG JO+vr1EqIEkZAuCBAY7w4MVni6GJsvE2Y7eDcaQ5eMFE2isumXbLQIYacZcE6kzR QGhxbng+PrgMmXBVMXU= Extension name: mk1ah ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3B5CDFEE7E980581

http://decryptor.top/3B5CDFEE7E980581

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detected Djvu ransomware

    • Dharma

      Dharma is ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Djvu family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies visibility of hidden/system files in Explorer

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (515) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
