play
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 5 reports, 67 attack patterns (mitre), 5 malware, 9 sectors, 5 countries, 20 indicators, 6 vulnerabilities (cve), 23 organization, 7 tool
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
Labels
ransomware
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
- 5 CVEs, 3 MITREs, 3 Malwares, 8 Observables, 1 APT
- 15 MITREs, 2 Malwares, 4 Observables, 1 APT
- 6 MITREs, 2 Malwares, 1 Observable, 1 APT
- 7 MITREs, 2 Malwares, 4 Observables, 1 APT
- 11 MITREs, 1 Malware, 2 Observables, 1 APT
Attack patterns (MITRE) (67)
- Command Obfuscation (uses)
- T1204.002 Malicious File (uses) MITRE
- T1484 Domain or Tenant Policy Modification (uses) MITRE
- T1049 System Network Connections Discovery (uses) MITRE
- T1021.002 SMB/Windows Admin Shares (uses) MITRE
- T1027.002 Software Packing (uses) MITRE
- T1531 Account Access Removal (uses) MITRE
- T1140 Deobfuscate/Decode Files or Information (uses) MITRE
- T1021 Remote Services (uses) MITRE
- T1009 (uses)
- T1505 Server Software Component (uses) MITRE
- T1568.002 Domain Generation Algorithms (uses) MITRE
Malware (5)
- COROXY (uses) Family
- Grixba (uses) Family
- SystemBC (uses) AlienVault, Confidence 100
  [SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. [SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
  First seen 01/01/1970 · Last seen 16/11/5138
- Cobalt Strike (uses) Family
- PlayCrypt (uses) Family
Sectors (9)
- Transportation/Logistics (targets)
- Technology (targets)
- Consulting (targets)
- Chemical (targets)
- Business Services (targets)
- Agriculture Food Production (targets)
- Finance (targets)
- Manufacturing (targets)
- Construction (targets)
Countries (5)
- United States of America (targets)
- Italy (targets)
- Canada (targets)
- Australia (targets)
- Germany (targets)
Indicators (20)
- 7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986 (indicates)
- 453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb (indicates)
- 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca (indicates)
- 3be974b04f51296db884e46d0baf9e750a79731376d06887377bde3d6c3be6f6 (indicates)
- 0e408aed1acf902a9f97abf71cf0dd354024109c5d52a79054c421be35d93549 (indicates)
- 47b7b2dd88959cd7224a5542ae8d5bce928bfc986bf0d0321532a7515c244a1e (indicates)
- f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402 (indicates)
- e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da (indicates)
Vulnerabilities (CVE) (6)
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector: Network
- Published: 15/03/2023
- Modified: 21/12/2025

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector: Adjacent
- Published: 30/09/2022
- Modified: 20/12/2025

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …
- Published: 03/11/2021
- Modified: 20/12/2025

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
- Published: 03/11/2021
- Modified: 20/12/2025

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector: Network
- Published: 30/09/2022
- Modified: 20/12/2025

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …
- Attack vector: Network
- Published: 13/02/2025
- Modified: 21/12/2025
Organization (23)
- Wardell Builders (targets)
- Pewarchuk CPA (targets)
- Autohaus Pichel GmbH (targets)
- MP Filtri (targets)
- Security ONE Alarm Systems (targets)
- Stoughton Steel (targets)
- Executive Aviation (targets)
- Lakeside Title Company (targets)
- Gsolutionz (targets)
- Knight's Site Services (targets)
- Due Doyle Fanning (targets)
- Genoa Lakes (targets)
Tool (7)
- Nltest (uses) The MITRE Corporation, Confidence 100
  [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts. (Citation: Nltest Manual)
- Empire (uses) The MITRE Corporation, Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Mimikatz (uses) The MITRE Corporation, Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- PsExec (uses) The MITRE Corporation, Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS…
- BloodHound (uses) The MITRE Corporation, Confidence 100
  [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. (Citation: GitHub Bloodhound) (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT…
- Wevtutil (uses) The MITRE Corporation, Confidence 100
  [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers. (Citation: Wevtutil Microsoft Documentation)
- AdFind (uses) The MITRE Corporation, Confidence 100
  [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory. (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation:…