Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1560 | Archive Collected Data | Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Exaramel for Windows has a command to launch a remote shell and executes commands on the victim's machine.[1]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Exaramel for Windows has a command to execute VBS scripts on the victim's machine.[1]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."[1]
Enterprise | T1074.001 | Data Staged: Local Data Staging | Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[1]
Enterprise | T1112 | Modify Registry | Exaramel for Windows adds the configuration to the Registry in XML format.[1]
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.[1]
ID | Name | References
---|---|---
G0034 | Sandworm Team |
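The service name wsmprovav and the description "Windows Check AV" attributed above to the Exaramel for Windows dropper (T1543.003 and T1036.004) are concrete, hunt-able artifacts. The following PowerShell script is an added example written for this page, not code from MITRE ATT&CK or from the cited report; only the service name and description come from the page, and the function name, the CIM and Registry lookups, and the output shape are the author's assumptions about how a defender would check a host.

```powershell
# Added example (not from the ATT&CK page): hunt one Windows host for a service
# matching the name and description the page attributes to the Exaramel dropper.
# 'wsmprovav' and 'Windows Check AV' are from the page; the rest is assumed.

function Find-SuspectService {
    param(
        [string]$SuspectName        = 'wsmprovav',         # from the page
        [string]$SuspectDescription = 'Windows Check AV'   # from the page
    )

    # Win32_Service exposes Name, DisplayName, Description, PathName, StartMode, State.
    $cimHits = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.Name -eq $SuspectName -or
        $_.DisplayName -eq $SuspectName -or
        ($_.Description -and $_.Description -like "*$SuspectDescription*")
    } | ForEach-Object {
        [PSCustomObject]@{
            Source      = 'Win32_Service'
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Description = $_.Description
            PathName    = $_.PathName
            StartMode   = $_.StartMode
            State       = $_.State
            ProcessId   = $_.ProcessId
        }
    }

    # Cross-check the Registry: a service that was created and then stopped or
    # hidden from the SCM enumeration still leaves its key under CurrentControlSet.
    $regHits = @()
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$SuspectName"
    if (Test-Path $svcKey) {
        $props = Get-ItemProperty -Path $svcKey
        $regHits += [PSCustomObject]@{
            Source      = 'Registry'
            Name        = $SuspectName
            DisplayName = $props.DisplayName
            Description = $props.Description
            PathName    = $props.ImagePath
            StartMode   = $props.Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
            State       = $null
            ProcessId   = $null
        }
    }

    $all = @($cimHits) + $regHits
    if ($all.Count -eq 0) {
        Write-Verbose "No service matching '$SuspectName' / '$SuspectDescription' on $env:COMPUTERNAME"
    }
    return $all
}

# Usage: run elevated so the SCM and HKLM service keys are fully readable.
Find-SuspectService | Format-Table -AutoSize
```

The Registry lookup is included because the page also notes that Exaramel keeps its configuration in the Registry, so a Registry-based check sits naturally beside the service enumeration; a match on either source should be escalated with the service's PathName (the binary it launches) rather than acted on from the name alone, since a legitimate product could in principle reuse a similar display name.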