DoNex
Group profile
DoNex is a ransomware strain that emerged in March 2024 as the latest rebrand of a lineage that began with Muse (2022) and continued as DarkRace (2023). It targets enterprises in the US and Europe using double extortion (data theft followed by encryption, with the stolen data used as leverage). Avast released a free decryptor in July 2024 after discovering a flaw in the ransomware's cryptographic implementation.
MITRE ATT&CK TTPs
Execution
T1047 Windows Management Instrumentation
The ransomware uses wmic.exe to query the operating system.
T1059 Command and Scripting Interpreter
Invokes cmd.exe internally to run commands.
T1064 Scripting (retired in ATT&CK; now covered by T1059)
Executes batch files.
T1106 Native API
Calls Windows native APIs directly, including in its attempt to delete Volume Shadow Copies (VSS).
T1129 Shared Modules
Loads additional modules through the Windows loader to carry out its malicious functions.
Persistence
T1543.003 Windows Service
Stops or modifies certain Windows services.
Defense Evasion
T1027 Obfuscated Files or Information
Encodes payload data.
T1027.005 Indicator Removal from Tools
Contains obfuscated stack strings.
T1027.009 Embedded Payloads
Drops embedded files and uses them during execution.
T1036 Masquerading
Creates files within the user directory, a technique adversaries use to make their artifacts look like legitimate user data.
T1064 Scripting (retired in ATT&CK; now covered by T1059)
Executes batch (.bat) files.
T1070.001 Clear Windows Event Logs
Clears the Windows event logs.
T1070.004 File Deletion
Deletes shadow copy data and removes its own binary after execution (self-deletion).
T1202 Indirect Command Execution
Abuses utilities that can execute commands on its behalf to bypass security controls.
T1222 File and Directory Permissions Modification
Retrieves and sets file attributes.
T1548 Abuse Elevation Control Mechanism
Abuses elevation control mechanisms to obtain higher privileges.
T1562.001 Disable or Modify Tools
Uses taskkill to terminate processes.
T1564.003 Hidden Window
Manipulates window visibility, hiding its own window during execution.
Credential Access
T1056 Input Capture
Creates an object of a kind generally used for keystroke capture.
Discovery
T1007 System Service Discovery
Lists services and checks their status.
T1010 Application Window Discovery
Attempts to obtain a list of open application windows and processes.
T1016 System Network Configuration Discovery
Uses ping.exe to check the status of network devices.
T1018 Remote System Discovery
Uses ping.exe to check the reachability of remote hosts.
T1057 Process Discovery
Attempts to obtain information about the processes running on the system.
T1082 System Information Discovery
Collects information about the operating system.
T1083 File and Directory Discovery
Enumerates files and directories through Windows APIs, reading file sizes as it goes.
T1135 Network Share Discovery
Enumerates the victim's network shares.
T1518.001 Security Software Discovery
Checks whether it is running inside a virtual machine to hinder analysis (this behaviour is more precisely T1497 Virtualization/Sandbox Evasion).
Collection
Impact
T1485 Data Destruction
Deletes various types of user files.
T1486 Data Encrypted for Impact
Renames encrypted files with a variant-specific extension and writes a ransom note file.
T1489 Service Stop
Stops certain services, typically those that would hold open the files it wants to encrypt.
T1490 Inhibit System Recovery
The cmd.exe process spawned by the malware deletes Windows Volume Shadow Copies.
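Several of the techniques above (T1047, T1070.001, T1489, T1562.001, T1490) leave a distinctive trail in process-creation telemetry, and they rarely occur together on a workstation outside of an intrusion. The following is an added example, not code from the original page and not derived from a DoNex sample: a small rule set that maps process-creation events to those technique IDs and scores each host on the distinct techniques seen. The events and command lines are constructed for the example and use the generic form of each technique (e.g. `vssadmin delete shadows`), not commands recovered from DoNex; the weights and threshold are assumptions to tune against your own telemetry.

```python
"""Added example: map process-creation events to ATT&CK techniques from the
DoNex profile and score hosts. Sample data and weights are constructed."""
import re
from collections import defaultdict

# Constructed sample events: (host, parent image, image, command line).
# WS01 shows a ransomware-like sequence; WS02 is benign background activity.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", "C:\\Users\\a\\Downloads\\update.exe", "update.exe"),
    ("WS01", "update.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "update.exe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic shadowcopy delete"),
    ("WS01", "update.exe", "C:\\Windows\\System32\\taskkill.exe",
     "taskkill /F /IM sqlservr.exe"),
    ("WS01", "update.exe", "C:\\Windows\\System32\\wevtutil.exe",
     "wevtutil cl Security"),
    ("WS02", "services.exe", "C:\\Windows\\System32\\svchost.exe",
     "svchost.exe -k netsvcs"),
    ("WS02", "explorer.exe", "C:\\Windows\\System32\\PING.EXE", "ping 10.0.0.5"),
]

# Rules: (technique ID, name, regex over the lower-cased command line, weight).
# Weights are assumptions: high for recovery inhibition and log clearing,
# low for noisy living-off-the-land binaries such as wmic and ping.
RULES = [
    ("T1490", "Inhibit System Recovery",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
     r"|wbadmin(\.exe)?\s+delete\s+catalog", 3),
    ("T1070.001", "Clear Windows Event Logs", r"wevtutil(\.exe)?\s+cl\b", 3),
    ("T1562.001", "Disable or Modify Tools", r"taskkill(\.exe)?\s+.*?/im\s+", 2),
    ("T1489", "Service Stop", r"\bnet1?(\.exe)?\s+stop\s+|\bsc(\.exe)?\s+stop\s+", 2),
    ("T1047", "Windows Management Instrumentation", r"\bwmic(\.exe)?\b", 1),
    ("T1018", "Remote System Discovery", r"\bping(\.exe)?\s+", 1),
]

ALERT_THRESHOLD = 5  # assumption: tune against baseline telemetry


def classify(cmdline):
    """Return every (technique_id, name) whose pattern matches the command line.
    One command line can map to several techniques (wmic shadowcopy delete
    is both T1047 and T1490)."""
    text = cmdline.lower()
    return [(tid, name) for tid, name, pat, _w in RULES if re.search(pat, text)]


def score_hosts(events):
    """Per host: the set of distinct techniques observed and a weighted score.
    Each technique is counted once per host, so repeating the same command
    does not inflate the score."""
    weights = {tid: w for tid, _n, _p, w in RULES}
    per_host = defaultdict(lambda: {"techniques": set(), "score": 0})
    for host, _parent, _image, cmdline in events:
        entry = per_host[host]
        for tid, _name in classify(cmdline):
            if tid not in entry["techniques"]:
                entry["techniques"].add(tid)
                entry["score"] += weights[tid]
    return dict(per_host)


def flag_hosts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose score meets the threshold, highest score first."""
    scored = score_hosts(events)
    return [h for h, e in sorted(scored.items(), key=lambda kv: -kv[1]["score"])
            if e["score"] >= threshold]


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS).items():
        print(host, entry["score"], sorted(entry["techniques"]))
    print("alert:", flag_hosts(SAMPLE_EVENTS))
```

In the constructed data WS01 accumulates T1490, T1047, T1562.001 and T1070.001 and is flagged, while WS02's lone `ping` stays under the threshold; the scoring by distinct techniques rather than raw event count is what keeps a single noisy binary from paging anyone. In production the parent-process column is worth a second rule (an unsigned user-profile binary spawning cmd.exe, wmic.exe or wevtutil.exe), since that is the shape the T1490 entry above describes.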
Recent victims
| Date | Victim | Website | Sector | Country |
|---|---|---|---|---|
| 2024-02-22 | vdhelm | vanderhelmlogistics.com | Technology | NL |
| 2024-02-23 | PFLEET | pfleet.com | Transportation/Logistics | US |
| 2024-02-24 | elsap spa | elsap.it | Technology | IT |
| 2024-02-27 | CHOCOTOPIA | chocotopia.cz | Agriculture and Food Production | CZ |
| 2024-02-27 | mirel | mirelasbl.be | Business Services | BE |