Tactics, Techniques and Procedures for  Donex



Sponsored by Hudson RockUse Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Execution (TA0002) Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006) Discovery (TA0007) Collection (TA0009) Impact (TA0040)
Windows Management Instrumentation (T1047)
The ransomware uses wmic.exe to query the OS.
Windows Services (T1543.003)
Paralyzes some types of services.
Obfuscated Files or Information (T1027)
Uses payload data encoding.
Input Capture (T1056)
Creates an object generally used for keystroke capture purposes.
System Service Discovery (T1007)
List some services and check their status.
Data Staged (T1074)
The actor uses data storage in a central location before performing exfiltration.
Data Encrypted for Impact (T1486)
The ransomware renames files according to their variant and writes a file for ransom note purposes.
Command and Scripting Interpreter (T1059)
Apparent internal use of CMD.exe.
Indicator Removal from Tools (T1027.005)
Contains obfuscated stackstrings.
Application Window Discovery (T1010)
The threat actor attempts to obtain a list of open applications and processes.
Automated Collection (T1119)
The process attempted to detect the presence of forensic and debug utilities.
Service Stop (T1489)
Paralyzes some types of services.
Scripting (T1064)
Performs batch file execution.
Embedded Payloads (T1027.009)
Discards interesting files and uses them in its execution.
System Network Configuration Discovery (T1016)
Uses ping.exe to check the status of network devices.
Inhibit System Recovery (T1490)
The cmd.exe process invoked by the malware performs the deletion of Windows volume shadow copies.
Native API (T1106)
The process attempted to delete shadow volume copies (VSS).
Masquerading (T1036)
Creates files within the user directory. Adversaries use it for purposes of manipulating characteristics of their artifacts to make them appear legitimate.
Remote System Discovery (T1018)
Uses ping.exe to check the status of network devices.
Data Destruction (T1485)
The ransomware deletes various types of user files.
Shared Modules (T1129)
The ransomware tries to carry out process loader, malicious functions.
Scripting (T1064)
Execute files in bat.
Process Discovery (T1057)
Malware attempts to obtain information about the processes running on a system.
Clear Windows Event Logs (T1070.001)
Clears the Windows Operating System event logs.
System Information Discovery (T1082)
Searches and collects information related to the Operating System.
File Deletion (T1070.004)
Performs the deletion of shadow file data and also self-exclusion.
File and Directory Discovery (T1083)
Reads the files, gets the size and enumerates according to Windows.
Indirect Command Execution (T1202)
The adversary abuses utilities that allow the execution of commands to bypass security controls.
Network Share Discovery (T1135)
Enumerates the victim's network shares.
File and Directory Permissions Modification (T1222)
Retrieves and sets file attributes.
Security Software Discovery (T1518.001)
Attempts to detect the virtual machine to make analysis more difficult.
Abuse Elevation Control Mechanism (T1548)
The threat actor uses privilege control mechanisms to bypass privilege control mechanisms to obtain permissions.
Disable or Modify Tools (T1562.001)
Uses taskkill to terminate processes.
Hidden Window (T1564.003)
Graphical window operation.

This information is provided by Crocodyli or Ransomware.live