How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model
    Abuse Elevation Control Mechanism - T1626
    Abuse Elevation Control Mechanism - T1548
    Bypass User Account Control - T1548.002
    Clear Windows Event Logs - T1070.001
    Credentials - T1589.001
    Data Encrypted For Impact - T1471
    Data Encrypted For Impact - T1486
    Disable Or Modify Tools - T1562.001
    Disable Or Modify Tools - T1629.003
    Domain Accounts - T1078.002
    Exfiltration Over C2 Channel - T1646
    Exfiltration To Cloud Storage - T1567.002
    Exploitation Of Remote Services - T1428
    Exploits - T1587.004
    Exploits - T1588.005
    File And Directory Permissions Modification - T1222
    Impair Defenses - T1562
    Impair Defenses - T1629
    Inhibit System Recovery - T1490
    Lateral Tool Transfer - T1570
    Lsass Memory - T1003.001
    Malware - T1587.001
    Malware - T1588.001
    Password Spraying - T1110.003
    Phishing - T1660
    Phishing - T1566
    Powershell - T1059.001
    Remote Desktop Protocol - T1021.001
    Safe Mode Boot - T1562.009
    Server - T1583.004
    Server - T1584.004
    Service Execution - T1569.002
    Smb/Windows Admin Shares - T1021.002
    Software - T1592.002
    Windows File And Directory Permissions Modification - T1222.001
    Tool - T1588.002
    Vulnerabilities - T1588.006
    Brute Force - T1110
    Bypass User Account Control - T1088
    Credential Dumping - T1003
    Exfiltration Over Command And Control Channel - T1041
    Exploitation Of Remote Services - T1210
    Indicator Removal On Host - T1070
    Network Service Scanning - T1046
    Powershell - T1086
    Remote Desktop Protocol - T1076
    Remote Services - T1021
    Service Execution - T1035
    Valid Accounts - T1078
    Exploitation Of Remote Services
    Valid Accounts
Common Information
Type Value
UUID 6362b74d-2f61-4a24-884e-4aa16f22f0f4
Fingerprint b433a995cfb3eecf
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 20, 2024, midnight
Added to db Sept. 20, 2024, 5:50 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
Title How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
Detected Hints/Tags/Attributes 150/2/29
RSS Feed
Id 119
Feed title Trend Micro Research, News and Perspectives
Url https://feeds.feedburner.com/TrendMicroSimplySecurity
Added to db 2024-08-30 22:08
Attributes
Type                    Value                                           #Events  CTI Value
CVE                     cve-2020-1472                                   217
File                    232.bat                                         3
File                    tdsskiller.bat                                  2
File                    killdeff.bat                                    2
File                    logdel.bat                                      2
File                    explorer.exe                                    1260
File                    c:\windows\tdsskiller.exe                       1
File                    data.bin                                        16
File                    readme_1d7fdb.txt                               1
File                    vssadmin.exe                                    345
MITRE ATT&CK Techniques T1570                                           118
MITRE ATT&CK Techniques T1041                                           422
MITRE ATT&CK Techniques T1078.002                                       71
MITRE ATT&CK Techniques T1210                                           109
MITRE ATT&CK Techniques T1569.002                                       174
MITRE ATT&CK Techniques T1548.002                                       86
MITRE ATT&CK Techniques T1562.001                                       298
MITRE ATT&CK Techniques T1222.001                                       20
MITRE ATT&CK Techniques T1070.001                                       92
MITRE ATT&CK Techniques T1562.009                                       28
MITRE ATT&CK Techniques T1110                                           125
MITRE ATT&CK Techniques T1003                                           289
MITRE ATT&CK Techniques T1003.001                                       173
MITRE ATT&CK Techniques T1567.002                                       100
MITRE ATT&CK Techniques T1046                                           168
MITRE ATT&CK Techniques T1021.002                                       139
MITRE ATT&CK Techniques T1486                                           472
MITRE ATT&CK Techniques T1490                                           276
Windows Registry Key    HKEY_CURRENT_USER\Software\Microsoft\Terminal   19