{"description": "Enterprise techniques used by DynoWiper, ATT&CK software S9038 (v1.0)", "name": "DynoWiper (S9038)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1485", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has overwritten files with 16-byte sequences of random data generated by the Mersenne Twister algorithm using the Microsoft Windows native `CreateFileW()` function to open the file and the `SetFilePointerEx()` and `WriteFile()` functions to overwrite the file.(Citation: CERT Polska) Additionally, versions of [DynoWiper](https://attack.mitre.org/software/S9038) can also delete files using the `DeleteFileW` API.(Citation: ESET DynoWiper Update JAN 2026)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has utilized a five-second delay using `Sleep(5000)` between two of the three phases of the attack that involves file overwriting, file deletion, and system reboot.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has used the Microsoft Windows native `FindFirstFile()` and `FindNextFile()` to recursively enumerate directories and files on the system.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has used the Microsoft Windows native `GetLogicalDrives()` and `GetDriveType()` functions to enumerate all the drives visible to the system.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has been named after well-known files schtask.exe, schtask2.exe, and _update.exe.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has used multiple native Windows functions, such as `GetLogicalDrives` and `FindNextFile` for discovery and file deletion.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has enumerated and overwritten files on all removable and fixed drives.(Citation: ESET DynoWiper JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1679", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has recursively enumerated directories with the exception of the following: System32, Windows, Program Files, Program Files(x86), Temp, Recycle.Bin, $Recycle.Bin, Boot, PerfLogs, AppData, Documents and Settings.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[DynoWiper](https://attack.mitre.org/software/S9038) has used the Microsoft Windows native `ExitWindowsEx()` function to log off the interactive user and shut down the system.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DynoWiper", "color": "#66b1ff"}]}