| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | BitPaymer can suppress UAC prompts by setting the `HKCU\Software\Classes\ms-settings\shell\open\command` registry key on Windows 10 or `HKCU\Software\Classes\mscfile\shell\open\command` on Windows 7 and launching the `eventvwr.msc` process, which launches BitPaymer with elevated privileges. |
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | BitPaymer can use the tokens of users to create processes on infected systems. |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | BitPaymer can enumerate the sessions for each user logged onto the infected host. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BitPaymer has set the run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | BitPaymer has attempted to install itself as a service to maintain persistence. |
| enterprise | T1486 | Data Encrypted for Impact | BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending `.locked` to the filename. |
| enterprise | T1480 | Execution Guardrails | BitPaymer compares file names and paths to a list of excluded names and directory names during encryption. |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | BitPaymer can use `icacls /reset` and `takeown /F` to reset a targeted executable's permissions and then take ownership. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | BitPaymer has copied itself to the `:bin` alternate data stream of a newly created file. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool. |
| enterprise | T1490 | Inhibit System Recovery | BitPaymer attempts to remove the backup shadow files from the host using `vssadmin.exe Delete Shadows /All /Quiet`. |
| enterprise | T1112 | Modify Registry | BitPaymer can set values in the Registry to help in execution. |
| enterprise | T1106 | Native API | BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including `RegEnumKeyW`. |
| enterprise | T1135 | Network Share Discovery | BitPaymer can search for network shares on the domain or workgroup using `net view`. |
| enterprise | T1027 | Obfuscated Files or Information | BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary. |
| enterprise | T1012 | Query Registry | BitPaymer can use `RegEnumKeyW` to iterate through Registry keys. |
| enterprise | T1018 | Remote System Discovery | BitPaymer can use `net view` to discover remote systems. |
| enterprise | T1007 | System Service Discovery | BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem. |