
S0576 MegaCortex

MegaCortex is ransomware that first appeared in May 2019. [1] MegaCortex has mainly targeted industrial organizations. [2][3]

ID: S0576
Associated Names: none
Type: MALWARE
Version: 1.0
Created: 17 February 2021
Last Modified: 26 April 2021

Techniques Used

Domain: enterprise (all entries)

T1134 Access Token Manipulation: MegaCortex can enable SeDebugPrivilege and adjust token privileges. [1]
T1531 Account Access Removal: MegaCortex has changed user account passwords and logged users off the system. [1]
T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: MegaCortex has used .cmd scripts on the victim’s system. [1]
T1486 Data Encrypted for Impact: MegaCortex has used the open-source library Mbed Crypto and generated AES keys to carry out the file encryption process. [1][4]
T1140 Deobfuscate/Decode Files or Information: MegaCortex has used a Base64 key to decode its components. [1]
T1561 Disk Wipe
  T1561.001 Disk Content Wipe: MegaCortex can wipe deleted data from all drives using cipher.exe. [1]
T1083 File and Directory Discovery: MegaCortex can parse the available drives and directories to determine which files to encrypt. [1]
T1562 Impair Defenses
  T1562.001 Disable or Modify Tools: MegaCortex was used to kill endpoint security processes. [1]
T1490 Inhibit System Recovery: MegaCortex has deleted volume shadow copies using vssadmin.exe. [1]
T1112 Modify Registry: MegaCortex has added entries to the Registry for ransom contact information. [1]
T1106 Native API: After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread(), and other Win32 APIs. [1]
T1588 Obtain Capabilities
  T1588.003 Code Signing Certificates: MegaCortex has used code signing certificates issued to fake companies to bypass security controls. [1]
T1055 Process Injection
  T1055.001 Dynamic-link Library Injection: MegaCortex loads injecthelper.dll into a newly created rundll32.exe process. [1]
T1489 Service Stop: MegaCortex can stop and disable services on the system. [1]
T1218 System Binary Proxy Execution
  T1218.011 Rundll32: MegaCortex has used rundll32.exe to load a DLL for file encryption. [1]
T1497 Virtualization/Sandbox Evasion
  T1497.001 System Checks: MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator. [1]

References