Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Kwampirs - S0236 (c2417bab-3189-4d4d-9d60-96de2cdaf0ab)	Malware	1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2