TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	1
TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	1
TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2