Register to stream ATT&CKcon 2.0 October 29-30


pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility. [1]

ID: S0067
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1081 Credentials in Files If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access. [1]
Enterprise T1107 File Deletion pngdowner deletes content from C2 communications that was saved to the user's temporary directory. [1]
Enterprise T1071 Standard Application Layer Protocol pngdowner uses HTTP for command and control. [1]

Groups That Use This Software

ID Name References
G0024 Putter Panda [1]