Exaramel for Windows
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Exaramel for Windows has a command to launch a remote shell and execute commands on the victim's machine.(Citation: ESET TeleBots Oct 2018)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Exaramel for Windows has a command to execute VBS scripts on the victim's machine.(Citation: ESET TeleBots Oct 2018)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."(Citation: ESET TeleBots Oct 2018)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Exaramel for Windows specifies a path to store files scheduled for exfiltration.(Citation: ESET TeleBots Oct 2018)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.(Citation: ESET TeleBots Oct 2018)
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.(Citation: ESET TeleBots Oct 2018)
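The service-creation and masquerading rows above give a defender two concrete things to look for: the service name wsmprovav and the description "Windows Check AV". The following is an added example, not code from the ATT&CK page or from ESET's report; it runs over constructed service-install records (field names modelled on Windows System log Event ID 7045, with the service Description assumed to have been enriched from the service's Registry key) and flags both the exact Exaramel traits and, as a heuristic the page does not state, any AV- or Windows-themed service whose binary runs from outside the usual trusted directories.

```python
"""Flag service installations matching the traits attributed to the Exaramel
for Windows dropper. Added example; not code from the ATT&CK page or ESET."""
import re

# Traits stated on the page for the dropper-created service.
EXARAMEL_SERVICE_NAME = "wsmprovav"
EXARAMEL_DESCRIPTION = "windows check av"

# Directories from which a genuine Windows or AV service binary is expected to
# run. This is an assumption for the masquerade heuristic, not from the page.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
AV_WORDS = re.compile(r"\b(av|antivirus|defender|windows)\b", re.I)

# Constructed records; Event 7045 itself carries ServiceName/ImagePath, the
# Description is assumed to come from HKLM\SYSTEM\...\Services\<name>\Description.
SAMPLE_EVENTS = [
    {"ServiceName": "wsmprovav", "ImagePath": r"C:\ProgramData\wsmprovav.exe",
     "Description": "Windows Check AV"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "Description": "Print Spooler"},
    {"ServiceName": "WinDefUpdate", "ImagePath": r"C:\Users\Public\upd.exe -k",
     "Description": "Windows Defender Update Helper"},
    {"ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"',
     "Description": "Microsoft Defender Antivirus Service"},
]

def normalize_path(image_path):
    """Strip quoting and arguments, lower-case, so prefix checks are reliable."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return path.lower()

def classify_service(evt):
    """Return (severity, reason) for one service-install record, or None."""
    name = evt["ServiceName"].lower()
    desc = evt.get("Description", "").lower()
    path = normalize_path(evt["ImagePath"])
    if name == EXARAMEL_SERVICE_NAME or desc == EXARAMEL_DESCRIPTION:
        return ("high", "matches Exaramel service name/description")
    if AV_WORDS.search(desc) and not path.startswith(TRUSTED_PREFIXES):
        return ("medium", "AV/Windows-themed description, binary outside trusted paths")
    return None

def find_suspicious_services(events):
    """Apply classify_service to each record, keeping only the flagged ones."""
    hits = []
    for evt in events:
        verdict = classify_service(evt)
        if verdict:
            hits.append((evt["ServiceName"], *verdict))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EVENTS):
        print(hit)
```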
Groups That Use This Software

ID | Name | References
---|---|---
G0034 | Sandworm Team | (Citation: ESET TeleBots Oct 2018)