Lazarus Group’s MATA Framework Leveraged To Deploy TFlower Ransomware

Sygnia: Double extortion ransomware attack – threat actor leveraged an undocumented variant of MATA to distribute and execute the TFlower ransomware.

Over the past few years, North Korea has turned its offensive cyber operations into a major source of income. On February 17, 2021, the US Department of Justice (DoJ) indicted three additional North Korean (DPRK) military Reconnaissance General Bureau (RGB) personnel for participating in cyber-attacks that allegedly included destructive attacks and the theft and extortion of over USD 1.3bn.

The charges filed relate to Lazarus Group’s (also known as Hidden Cobra) long-running cyber apparatus, financial theft and extortion, including multiple extortion schemes, WannaCry malware and the cyber-attack on Sony Pictures. A key technical component associated with Lazarus is the MATA malware framework, an advanced cross-platform malware framework, which was reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019.

In a recent double extortion ransomware attack investigated by Sygnia, the threat actor leveraged a new and so far undocumented variant of MATA. This MATA variant was used by the threat actor to distribute and execute the TFlower ransomware.

Taken together, the Netlab and Kaspersky publications and the recent Sygnia findings indicate a connection or collaboration between the Lazarus Group and TFlower. While the nature of this collaboration is not yet clear and needs to be further validated, it may reflect the continued effort by North Korea to scale its cyber extortion business as a major source of currency generation, including by collaborating with additional crime entities, creating such entities, “outsourcing” capabilities, or selling offensive tools to other groups.

This report details the connection between the North Korean MATA framework and TFlower, as well as the anatomy of the MATA backdoor and wider threat research, which revealed over 200 MATA malware framework C2 certificates leveraged since May of 2019 across over 150 IP addresses. The report also includes recommendations for detecting and defending against MATA framework attacks.

The key findings in this report

1. TFlower leverages or has ties to the MATA malware framework

The MATA backdoor was leveraged to deploy the TFlower ransomware. The threat group consistently referred to themselves as the “TFlower group”.

2. The MATA malware framework is active and widespread

Since at least May of 2019, MATA operators have continuously utilized new servers, with over 150 IPs linked to the framework’s C2. The analysis indicates that the group has possibly deployed over 150 command and control servers over time, with the latest one identified on February 4, 2021.

3. The threat actor is highly capable and implements systematic detection evasion techniques

Throughout the attack, the threat actor leveraged multiple tools including the MATA backdoor to systematically clear forensic evidence and attempt to evade detection by identifying and tampering with security products.

Anatomy of the MATA backdoor and infrastructure

The Backdoor

The MATA backdoor consists of three file components: .EXE, .DLL and .DAT files, deployed in the “C:\Windows\System32” directory. All file names and hashes are unique per infected host indicating automatically generated polymorphic malware. The components are as follows:

1. Initial loader (EXE) — The malware is initially loaded by a .EXE file, which upon execution injects the .DLL loader component into an ‘svchost.exe’ process and modifies the LSA Security Package registry key to achieve persistence.

2. Loader (DLL) — The loader decrypts and executes the payload component stored in the .DAT file. It is loaded by ‘lsass.exe’ upon reboot to achieve persistence.

3. Payload (DAT) — The payload is an encrypted binary .DAT file which implements the backdoor functionality.

Once deployed, the backdoor provides the threat actor with remote code execution capability on infected machines via C2 servers. Additional functionality includes screen capture and network traffic tunneling.

Execution flow

The backdoor is deployed by executing the initial loader with the .DLL and .DAT file paths as arguments, injecting the .DLL file into ‘svchost.exe’ and loading the .DAT payload. The initial loader’s file name consists of 5 alphabetic characters, randomly generated on each of the machines (‘[A-Za-z]{5}\.exe’).

Upon execution, the initial loader modifies the following registry value in order to achieve persistence: “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages”. The value modified is part of a Windows API called ‘Security Support Provider’ (SSP), which is used to extend the Windows authentication mechanism. After adding a .DLL stored in System32 to the ‘Security Packages’ value, ‘lsass.exe’ will automatically load the .DLL component on system startup or the next time the AddSecurityPackage Windows API function is called.

The file name of the .DLL consists of six alphabetic characters, the middle two being “nm” matching the following pattern: ‘[A-Za-z]{2}nm[A-Za-z]{2}\.dll’. Similar to the .EXE component, the name is unique on each of the infected machines. The .DLL itself implements limited functionality, and its main purpose is decrypting, loading and executing the final payload stored in the .DAT file.

The final payload stored in the .DAT file is a fully functional backdoor, establishing a command and control channel to the threat actors’ servers. Similarly to the other components, its name was unique on each of the infected machines and followed a specific pattern: ‘srms-[A-Za-z]{3}[0-9]{4,5}\.dat’.

Execution Flow: From initial execution to persistence mechanism.
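The naming patterns above are weak on their own (five-letter .EXE names are common in System32), so a hunt is more useful when it correlates them with the ‘Security Packages’ value. The following Python is an added example, not Sygnia's tooling: the function name, the verdict levels and every sample file name and registry entry are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# File-name patterns as given in the report. They are matched
# case-insensitively because Windows file names are case-insensitive.
EXE_RE = re.compile(r"[A-Za-z]{5}\.exe", re.I)
DLL_RE = re.compile(r"[A-Za-z]{2}nm[A-Za-z]{2}\.dll", re.I)
DAT_RE = re.compile(r"srms-[A-Za-z]{3}[0-9]{4,5}\.dat", re.I)
SSP_RE = re.compile(r"[A-Za-z]{2}nm[A-Za-z]{2}", re.I)
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


def triage_host(file_paths, security_packages):
    """Correlate a System32 file listing with the LSA 'Security Packages' value.

    file_paths: full Windows paths collected from the host.
    security_packages: strings read from the REG_MULTI_SZ value.
    The verdict scale (high/medium/low/none) is this example's own.
    """
    hits = {"exe": [], "dll": [], "dat": []}
    for raw in file_paths:
        path = PureWindowsPath(raw)
        if path.parent != SYSTEM32:      # only files directly in System32
            continue
        for kind, rx in (("exe", EXE_RE), ("dll", DLL_RE), ("dat", DAT_RE)):
            if rx.fullmatch(path.name):
                hits[kind].append(path.name)

    ssp = [s for s in security_packages if SSP_RE.fullmatch(s)]
    ssp_lower = {s.lower() for s in ssp}
    # Strongest signal: a pattern-matching DLL that is also registered as an SSP.
    registered = [d for d in hits["dll"] if d[:-4].lower() in ssp_lower]

    if registered:
        verdict = "high"
    elif ssp or (hits["dll"] and hits["dat"]):
        verdict = "medium"               # registered but file gone, or DLL + DAT pair
    elif hits["dll"] or hits["dat"]:
        verdict = "low"
    else:
        verdict = "none"                 # EXE-pattern matches alone are ignored
    return {
        "verdict": verdict,
        "registered_dll": registered,
        "ssp_entries": ssp,
        "dll": hits["dll"],
        "dat": hits["dat"],
        # EXE names are only reported as context once something else matched.
        "exe_context": hits["exe"] if verdict != "none" else [],
    }


# Constructed sample data: default SSP names plus invented artifact names.
DEFAULT_SSP = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"]
CLEAN_FILES = [r"C:\Windows\System32\write.exe",
               r"C:\Windows\System32\xcopy.exe",
               r"C:\Windows\System32\kernel32.dll",
               r"C:\Windows\System32\drivers\abnmcd.dll"]
SUSPECT_FILES = CLEAN_FILES + [r"C:\Windows\System32\kdjfe.exe",
                               r"C:\Windows\System32\qwnmrt.dll",
                               r"C:\Windows\System32\srms-abc1234.dat"]
SUSPECT_SSP = DEFAULT_SSP + ["qwnmrt"]

if __name__ == "__main__":
    print(triage_host(CLEAN_FILES, DEFAULT_SSP))
    print(triage_host(SUSPECT_FILES, SUSPECT_SSP))
```

On the clean sample the two legitimate five-letter executables produce no finding at all, which is the behaviour wanted for a pattern the report itself flags as prone to false positives.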

Command and control infrastructure

Each of the samples identified by the Sygnia Incident Response team attempted to communicate with three command and control servers over SSL using port 443. The C2 servers were found in an encrypted binary configuration blob hardcoded into the .DAT payload. Each of the servers hosted a unique certificate, self-signed by the threat actor. Although the certificates on each of the servers were unique, they all shared similar technical features:

  1. Randomly generated, long Common Name.
  2. The usage of three capital letters followed by ‘Co. Ltd’ in the Organization (O) and Organization Unit (OU) fields of both issuer and subject.
  3. Certificate serial number – 1000.
  4. The “Validity: Not Before” timestamps of certificates tied to the same sample are in close time proximity to one another. The “Validity: Not Before” timestamps represent the start of the certificate validity period.
Certificate Details: Example of malicious MATA C2 certificate

The certificate “Validity: Not Before” timestamp is especially interesting, because the samples were first deployed in the network just several hours after the “Validity: Not Before” timestamp of their corresponding certificates. This could indicate that C2 servers are dynamically deployed for a specific operation, and the certificates are issued accordingly.

To further validate the ties between the MATA framework and the suspicious certificates, we attempted to tie other confirmed command and control servers to similar certificates. Out of 20 IPs found across 8 samples found in online repositories, 18 were confirmed to have historically hosted certificates with similar patterns.

MATA Samples: Relations between MATA samples and the identified certificates

Using the unique certificate patterns, Sygnia identified over 200 certificates and over 130 IP addresses affiliated with the MATA framework, starting as early as 2019.

Further analysis identified that as of June 2020 the threat actor slightly modified the self-signed certificate pattern. Specifically, the following was changed:

  1. Organization (O) and Organization Unit (OU) fields of both issuer and subject were changed to five random uppercase alphabetical characters instead of three.
  2. Legitimate Common Name values such as ‘’, ‘’ and ‘’ were used instead of the random strings previously used.

At the time of publication, the latest certificates found were issued on February 4, 2021. The large number of certificates and C2 servers deployed over such a prolonged period of time suggests a well-resourced group with robust operational capabilities, likely attacking multiple targets simultaneously.
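The certificate traits listed in this section, covering both the original pattern and the June 2020 change, can be applied to TLS certificate metadata collected from network logs or scan data. The following Python is an added example, not Sygnia's tooling: the record field names, the 24-hour grouping window and all sample certificates and addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# O / OU value: three capital letters (original pattern) or five (pattern seen
# from June 2020), then "Co. Ltd". Spacing around the dot is matched loosely.
ORG_RE = re.compile(r"[A-Z]{3}(?:[A-Z]{2})? Co\s?\.\s?Ltd")
# Serial as the report prints it. The report does not state the radix, so the
# value is compared as the string the collecting tool displays.
SERIALS = {"1000"}


def parse_dn(dn):
    """Split 'CN=x,OU=y,O=z' into a dict (backslash-escaped commas are kept)."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        fields[key.upper()] = value.strip()
    return fields


def matches_pattern(cert):
    """True when O and OU of both subject and issuer, and the serial, fit.

    The Common Name is deliberately ignored: it was random before June 2020
    and legitimate-looking afterwards, so it does not discriminate.
    """
    subject, issuer = parse_dn(cert["subject"]), parse_dn(cert["issuer"])
    names = [dn.get(k, "") for dn in (subject, issuer) for k in ("O", "OU")]
    return cert["serial"].lstrip("0") in SERIALS and all(
        ORG_RE.fullmatch(n) for n in names)


def cluster_by_not_before(certs, window=timedelta(hours=24)):
    """Group matching certificates whose Not Before times chain within `window`.

    Returns one sorted list of IPs per group; a group of several servers with
    near-identical issue times fits the 'deployed together' observation.
    """
    hits = sorted((c for c in certs if matches_pattern(c)),
                  key=lambda c: c["not_before"])
    clusters = []
    for cert in hits:
        if clusters and cert["not_before"] - clusters[-1][-1]["not_before"] <= window:
            clusters[-1].append(cert)
        else:
            clusters.append([cert])
    return [sorted({c["ip"] for c in group}) for group in clusters]


def make_cert(ip, cn, org, serial, not_before):
    """Build a constructed self-signed record (issuer DN equals subject DN)."""
    dn = f"CN={cn},OU={org},O={org}"
    return {"ip": ip, "subject": dn, "issuer": dn, "serial": serial,
            "not_before": datetime.fromisoformat(not_before)}


# Constructed sample records using documentation-range addresses.
SAMPLE_CERTS = [
    make_cert("192.0.2.10", "kq3vxw9zpl2m7trd8s", "ABC Co. Ltd", "1000", "2020-03-02T01:10:00"),
    make_cert("192.0.2.11", "p0dmz4hh2nq8yyc61w", "QWE Co. Ltd", "1000", "2020-03-02T01:25:00"),
    make_cert("192.0.2.12", "t7rla93mvb5xke02jd", "ZXC Co. Ltd", "1000", "2020-03-02T02:05:00"),
    make_cert("198.51.100.7", "www.example.com", "ABCDE Co. Ltd", "1000", "2020-09-14T03:00:00"),
    make_cert("198.51.100.8", "www.example.org", "FGHIJ Co. Ltd", "1000", "2020-09-14T04:30:00"),
    # Benign look-alikes: mixed-case organization, and a different serial.
    make_cert("203.0.113.5", "intranet.example.net", "Acme Co. Ltd", "1000", "2020-03-02T01:30:00"),
    make_cert("203.0.113.6", "printer01", "XYZ Co. Ltd", "7F3A", "2020-03-02T01:40:00"),
]

if __name__ == "__main__":
    for ips in cluster_by_not_before(SAMPLE_CERTS):
        print(ips)
```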

Relation to the MATA malware framework and attribution

The backdoor and its infrastructure share significant attributes with the MATA malware framework:

  • Over 95% of the functions in the .DLL loader component identified by Sygnia match functions in the MATA malware framework loader identified by Kaspersky, indicating they are closely related.
  • The .DAT payload component identified by Sygnia writes its encrypted configuration to a registry key with a naming pattern of “HKLM\Software\Microsoft\[A-Za-z]{3}Net”. The orchestrator instances identified by Kaspersky save their configuration in a registry key with the same naming convention. The unencrypted configuration contains similar data to that mentioned in the Kaspersky report.
  • The same SSL certificate pattern described above was also identified in SSL certificates served by 21 out of 31 MATA framework C2 IP addresses found within MATA framework malware samples reported by Netlab and Kaspersky.
  • Certificates for IPs embedded in samples identified by Netlab and Kaspersky were issued within a short timeframe. This indicates the C2 servers for each of the samples were deployed together. The same behavior was observed in the samples identified by Sygnia.

Several other vendors, including Kaspersky and Netlab, linked the MATA framework to the Lazarus group, a threat actor affiliated with the North Korean government.

The MATA certificates’ “Validity: Not Before” timestamps are potentially indicative of the threat actor’s work week, Monday to Saturday, as no certificates were issued on Sunday. Furthermore, no certificates were issued between 16:00 and 22:00 UTC, correlating with nighttime in UTC+9 or UTC+8 time zones. The vast majority of certificates were issued during working hours in the abovementioned time zones, suggesting the threat actor is most likely operating from East Asia.

A histogram of certificates’ “Validity: Not Before” timestamps: showing the total number of certificates issued by hour in the day in a UTC+9 time zone.

TFlower ties to the MATA malware framework

The TFlower ransomware campaign was covered by several technology news websites between September and November of 2019. However, since then very little information has been made public about the ransomware group or its operations.

In a recent TFlower ransomware case investigated by Sygnia, the threat actors had already removed all instances of the ransomware executable and it could not be recovered for reverse engineering. Nevertheless, forensic analysis identified several technical indications linking the encryption with the TFlower group with high certainty.

Analysis of the encrypted machines identified that the ransomware executable was deployed and executed using the MATA backdoor. Specifically, the path to the ransomware executable was found within the MATA backdoor memory space on encrypted machines. This raises the possibility that the Lazarus Group, which is largely affiliated with the North Korean government, is either the group behind TFlower or has some level of collaboration with it.

Alternatively, and although there are significant similarities to the TFlower ransomware, it is still possible that the threat actor was only masquerading as the TFlower group.

The ransomware encrypted files throughout the filesystem, without appending any special file extension. The “*TFlower” string was prepended to the encrypted files.
The ransom note left on the machines affected by the ransomware was named “!Notice!.txt”. The ransom note itself is identical to ransom notes identified in previous TFlower attacks.

Defending against MATA framework attacks

The research into MATA framework operations was done primarily in the service of preventing future attacks. Our understanding of the threat actors behind these malicious operations reveals a large dynamic operation which can prove difficult to contain or easily detect.

The following are specific tactical recommendations which complement more general security measures that can protect against these types of attacks:

  • Configure Protected Process Light (PPL) protection to prevent LSA plugins that are not digitally signed from being loaded into the lsass.exe process.
  • Proactively hunt for MATA malware framework IOCs and TTPs within the network, based on the MITRE ATT&CK breakdown and IOCs provided below, with emphasis on the following:
      – SSL traffic containing a self-signed certificate with the attributes described in the report.
      – Outbound network communications towards the internet originating from the lsass.exe process.
  • Monitor for disabling of security products and log source tampering.

Indicators of compromise

Registry values (regular expressions)

– Registry Key: “HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net”

  • Registry Value Name: (default)
  • Registry Value Type: “REG_BINARY”
  • Registry Value Data: encrypted binary data

– Registry Key: “HKLM\\System\\CurrentControlSet\\control\\LSA”

  • Registry Value Name: “Security Packages”
  • Registry Value Type: “REG_MULTI_SZ”
  • Registry Value Data: “[A-Za-z]{2}nm[A-Za-z]{2}”

File names (regular expressions)

– .EXE file component – “C:\\Windows\\System32\\[A-Za-z]{5}\.exe”

  • Highly susceptible to false positives

– .DLL file component – “C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll”

– .DAT file component – “C:\\Windows\\System32\\srms\-[A-Za-z]{3}\d+\.dat”

Files referenced in the report (md5)


C2 server certificates



MITRE ATT&CK breakdown

1. Persistence

  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1547.005 – Boot or Logon Autostart Execution: Security Support Provider

2. Defense Evasion

  • T1036.005 – Masquerading: Match Legitimate Name or Location
  • T1055.001 – Process Injection: Dynamic-link Library Injection  
  • T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
  • T1070.003 – Indicator Removal on Host: Clear Command History
  • T1070.004 – Indicator Removal on Host: File Deletion
  • T1112 – Modify Registry
  • T1562 – Impair Defenses

3. Credential Access

  • T1552.001 – Unsecured Credentials: Credentials in Files

4. Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares
  • T1021.004 – Remote Services: SSH

5. Collection

  • T1113 – Screen Capture

6. Command and Control

  • T1008 – Fallback Channels
  • T1572 – Protocol Tunneling
  • T1573.001 – Encrypted Channel: Symmetric Cryptography

7. Impact

  • T1486 – Data Encrypted for Impact