| Execution (TA0002) | Persistence (TA0003) | Defense Evasion (TA0005) | Credential Access (TA0006) | Discovery (TA0007) | Collection (TA0009) | Impact (TA0040) |
|---|---|---|---|---|---|---|
| Windows Management Instrumentation (T1047): The ransomware uses wmic.exe to query the OS. | Windows Services (T1543.003): Stops some types of services. | Obfuscated Files or Information (T1027): Uses payload data encoding. | Input Capture (T1056): Creates an object generally used for keystroke capture. | System Service Discovery (T1007): Lists some services and checks their status. | Data Staged (T1074): Stages data in a central location before exfiltration. | Data Encrypted for Impact (T1486): Renames files according to the variant and writes a ransom note file. |
| Command and Scripting Interpreter (T1059): Apparent internal use of cmd.exe. | | Indicator Removal from Tools (T1027.005): Contains obfuscated stack strings. | | Application Window Discovery (T1010): Attempts to obtain a list of open applications and processes. | Automated Collection (T1119): Attempts to detect the presence of forensic and debugging utilities. | Service Stop (T1489): Stops some types of services. |
| Scripting (T1064): Executes batch files. | | Embedded Payloads (T1027.009): Drops embedded files and uses them during execution. | | System Network Configuration Discovery (T1016): Uses ping.exe to check the status of network devices. | | Inhibit System Recovery (T1490): The cmd.exe process spawned by the malware deletes Windows volume shadow copies. |
| Native API (T1106): Attempts to delete Volume Shadow Copies (VSS). | | Masquerading (T1036): Creates files within the user directory; adversaries manipulate the characteristics of their artifacts to make them appear legitimate. | | Remote System Discovery (T1018): Uses ping.exe to check the status of network devices. | | Data Destruction (T1485): Deletes various types of user files. |
| Shared Modules (T1129): Uses the process loader to carry out malicious functions. | | Scripting (T1064): Executes .bat files. | | Process Discovery (T1057): Attempts to obtain information about the processes running on the system. | | |
| | | Clear Windows Event Logs (T1070.001): Clears the Windows event logs. | | System Information Discovery (T1082): Searches for and collects information about the operating system. | | |
| | | File Deletion (T1070.004): Deletes shadow copy data and also deletes itself. | | File and Directory Discovery (T1083): Reads files, retrieves their sizes and enumerates them. | | |
| | | Indirect Command Execution (T1202): Abuses utilities that allow command execution in order to bypass security controls. | | Network Share Discovery (T1135): Enumerates the victim's network shares. | | |
| | | File and Directory Permissions Modification (T1222): Retrieves and sets file attributes. | | Security Software Discovery (T1518.001): Attempts to detect a virtual machine to make analysis more difficult. | | |
| | | Abuse Elevation Control Mechanism (T1548): Abuses elevation control mechanisms to obtain higher permissions. | | | | |
| | | Disable or Modify Tools (T1562.001): Uses taskkill to terminate processes. | | | | |
| | | Hidden Window (T1564.003): Performs graphical window operations (hidden windows). | | | | |
This information is provided by Crocodyli or Ransomware.live