Domain | ID | Name | Use
---|---|---|---
Enterprise | T1531 | Account Access Removal | DEADWOOD changes the password for local and domain users via
Enterprise | T1485 | Data Destruction | DEADWOOD overwrites files on victim systems with random data to effectively destroy them.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | DEADWOOD XORs some strings within the binary using the value
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | DEADWOOD deletes files after overwriting them with random data.[1]
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | DEADWOOD opens each drive and writes zeroes to its first 512 bytes, destroying the MBR. DEADWOOD then sends the control code
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | DEADWOOD attempts to masquerade its service execution using benign-looking names such as
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | DEADWOOD contains an embedded, AES-encrypted payload labeled
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | DEADWOOD contains an embedded, AES-encrypted resource named
Enterprise | T1569.002 | System Services: Service Execution | DEADWOOD can be executed as a service under various names, such as
Enterprise | T1124 | System Time Discovery | DEADWOOD sets a timestamp value that determines when its wiping functionality starts. When the system time reaches that timestamp, a trigger file is created on the operating system, allowing execution to proceed. If the timestamp is already in the past, the wiper executes immediately.[1]
ID | Name | References
---|---|---
G0064 | APT33 | DEADWOOD was previously linked to APT33 operations in 2019.[2]
G1030 | Agrius |