Skip to content

Hide Navigation Hide TOC

Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)

Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under Winnti for Linux.(Citation: Chronicle Winnti for Linux May 2019)

Cluster A Galaxy A Cluster B Galaxy B Level
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia 1
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2