YUREI RANSOMWARE : THE DIGITAL GHOST

Yurei is a Go-based ransomware family that encrypts each file with its own ChaCha20 key, wraps that key with an ECIES public key embedded in the binary, appends a .Yurei extension, and implements aggressive anti-forensics (shadow copy and log deletion, secure delete, memory wiping). It spreads over SMB shares, removable media, and credential-based remote execution. Ransom notes carry Tor .onion contact channels and per-victim identifiers for double-extortion; observed artifacts include YureiRansomware.exe and related PowerShell scripts.

Keypoints

  • Yurei encrypts each file with its own ChaCha20 key; that key is wrapped with the ECIES public key embedded in the binary, and the wrapped key and nonce are stored in the file header, separated from the ciphertext by the 0x7c7c (“||”) delimiter.
  • The ransomware aggressively disables recovery and forensic options by deleting Volume Shadow Copies and backup catalogs (vssadmin, wbadmin), recursively removing event logs, and timestomping metadata.
  • Propagation methods include SMB network share copying (System32_Backup.exe), removable drive infection disguised as WindowsUpdate.exe, and credential-based lateral execution via PSCredential/CIM/PsExec-style techniques.
  • Anti-forensics and self-cleaning routines perform multi-pass secure deletion of the binary, memory overwrites, console history clearing, and removal of traces to hinder investigation and recovery.
  • Ransom notes (_README_Yurei.txt) provide Tor .onion chat and blog links, Ticket IDs, and YureiSupp tokens for victim tracking and double-extortion negotiations.
  • Static and dynamic analysis show staging in %LOCALAPPDATA%\Temp, file encryption in 2 MiB chunks to bound memory use, and the attacker's public key embedded in the binary build metadata.
  • Analysis indicates code reuse from the open-source Prince ransomware (matching encryption scheme, file header layout, symbols), with some inherited flaws and Go-specific concurrency enhancements.
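
The header layout and chunking described above translate into a simple triage check for responders. The following Python scanner is an added example for this write-up, not CYFIRMA's tooling and not code from the malware: it walks a directory, keeps the .Yurei files whose leading bytes contain the 0x7c7c delimiter, and reports the wrapped-blob length and the entropy of the first ciphertext chunk. The sample files it creates are constructed fixtures; the 4 KiB header search window, the 113-byte wrapped blob, the Finding record and the function names are assumptions, not details taken from the analysis.

```python
"""
Triage scanner for files that carry the .Yurei marker.

Added example for this write-up; it is neither CYFIRMA's tooling nor code from
the malware. It uses two details from the analysis: encrypted files get the
.Yurei extension, and the file header holds the ECIES-wrapped per-file
ChaCha20 key and nonce, separated from the ciphertext by the 0x7c7c ("||")
delimiter. The byte layout inside the wrapped blob, its 113-byte size in the
fixture and the 4 KiB header search window are assumptions for the demo.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELIM = b"||"                 # 0x7c7c, the header/ciphertext delimiter from the report
EXT = ".Yurei"
HEADER_WINDOW = 4096          # search this many leading bytes for the delimiter (assumption)
CHUNK = 2 * 1024 * 1024       # 2 MiB, the encryption chunk size named in the analysis


@dataclass
class Finding:
    path: str
    wrapped_len: int        # bytes before "||": the ECIES-wrapped key/nonce blob
    cipher_len: int         # bytes after "||"
    cipher_entropy: float   # Shannon entropy (bits/byte) of the first 2 MiB chunk


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_yurei_header(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Split <wrapped key/nonce>||<ciphertext>.

    Returns None when no delimiter sits in the search window, which separates a
    file that was merely renamed (or a decoy) from one the encryptor processed.
    Caveat: the wrapped blob is binary, so 0x7c7c can occur inside it; the first
    occurrence is a heuristic, and a decryptor holding the private key could
    instead rely on the known ECIES ciphertext length.
    """
    idx = blob.find(DELIM, 0, HEADER_WINDOW)
    if idx <= 0:
        return None
    return blob[:idx], blob[idx + len(DELIM):]


def scan_tree(root: str) -> List[Finding]:
    """Walk root, keep every .Yurei file whose header parses, and record the
    wrapped-blob length plus ciphertext entropy. Keep the files: the wrapped
    blob is the only route to the per-file key if the private key ever leaks."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEADER_WINDOW + CHUNK)
            parsed = parse_yurei_header(head)
            if parsed is None:
                continue
            wrapped, cipher = parsed
            cipher_len = os.path.getsize(path) - len(wrapped) - len(DELIM)
            findings.append(Finding(path, len(wrapped), cipher_len,
                                    shannon_entropy(cipher[:CHUNK])))
    return findings


def build_sample_tree() -> str:
    """Constructed fixtures, not real artefacts: one Yurei-style file, one file
    that only carries the extension, and one untouched document."""
    root = tempfile.mkdtemp(prefix="yurei_triage_")
    wrapped = bytes(range(113))        # stand-in for the wrapped key/nonce; contains no 0x7c
    cipher = os.urandom(64 * 1024)     # stand-in for ChaCha20 output
    with open(os.path.join(root, "report.docx" + EXT), "wb") as fh:
        fh.write(wrapped + DELIM + cipher)
    with open(os.path.join(root, "decoy.txt" + EXT), "wb") as fh:
        fh.write(b"renamed only: no header, no delimiter\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}: wrapped={f.wrapped_len}B cipher={f.cipher_len}B "
              f"entropy={f.cipher_entropy:.2f}")
```

The decoy with the extension but no delimiter is the case worth keeping in mind during scoping: a file count based on the extension alone overstates what the encryptor actually touched, while the delimiter plus high entropy after it is the combination that matches the behaviour the analysis describes.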

MITRE Techniques

  • [T1047 ] Windows Management Instrumentation – Used for remote execution and lateral movement via CIM sessions: “constructs a PSCredential object… opens a CIM session… invokes a remote process … writes the payload to disk and executes it.”
  • [T1059 ] Command and Scripting Interpreter – PowerShell is used to delete backups, purge logs, copy staged payloads, and execute cleanup commands: “PowerShell commands that invoke native Windows utilities to delete backups… Get-ChildItem -Recurse piped to Remove-Item -Force.”
  • [T1106 ] Native API – Calls to native Windows APIs are used for actions such as changing desktop wallpaper via SystemParametersInfo: “SystemParametersInfo(20, 0, path, 3) to change the desktop wallpaper.”
  • [T1129 ] Shared Modules – Low-level module access patterns during initialization (kernel32 base address lookup via the PEB); symbol retention and binary introspection noted in static analysis.
  • [T1543 ] Create or Modify System Process – The malware creates/installs service-like processes and writes masqueraded service binaries (System32_Backup.exe) to support persistence and lateral spread.
  • [T1543.003 ] Windows Service – Writes and attempts to use service-like payloads to maintain execution (creates files in system-like locations and may interact with service mechanisms).
  • [T1006 ] Direct Volume Access – Searches and enumerates available drives for encryption and backup disabling: “getAllDrives to list all local and network drives for encryption.”
  • [T1027 ] Obfuscated Files or Information – Uses packing/obfuscation and Go string representation to hinder static analysis and hide embedded strings.
  • [T1027.002 ] Software Packing – Employs packing techniques observed in samples to evade detection and static inspection.
  • [T1036 ] Masquerading – Copies itself to user and root locations using legitimate-looking names such as WindowsUpdate.exe and System32_Backup.exe to blend in: “masquerading as WindowsUpdate.exe.”
  • [T1045 ] Software Packing (deprecated ID, now tracked under T1027.002) – Packing observed in samples and referenced by YARA rule patterns.
  • [T1064 ] Scripting (deprecated ID, now tracked under T1059) – Uses PowerShell scripts for log deletion, backup removal, payload deployment, and lateral movement orchestration.
  • [T1070 ] Indicator Removal – Clears Windows events and logs to remove forensic evidence: “recursively removes Windows event logs and system logs.”
  • [T1070.004 ] File Deletion – Deletes shadow copies and backup catalogs using vssadmin and wbadmin: “vssadmin Delete Shadows /All /Quiet and wbadmin Delete Catalog -Quiet.”
  • [T1070.006 ] Timestomp – Modifies file metadata and creation times to obscure timelines: “modifying file metadata by setting CreationTime (effectively manipulating timestamps).”
  • [T1140 ] Deobfuscate/Decode Files or Information – Performs AES/x86-based deobfuscation routines consistent with decoding packed or obfuscated components.
  • [T1202 ] Indirect Command Execution – Uses legitimate Windows utilities and indirect commands (vssadmin, wbadmin, Get-ChildItem | Remove-Item) to perform destructive actions.
  • [T1562 ] Impair Defenses – Attempts to stop or disable backup and protection services to impede recovery and detection.
  • [T1562.001 ] Disable or Modify Tools – Specifically targets backup and recovery tools and services to disable them.
  • [T1564 ] Hide Artifacts – Uses alternate data streams and hidden file attributes to conceal payloads and artifacts.
  • [T1564.003 ] Hidden Window – Creates processes with hidden windows to run stealthily in the background.
  • [T1564.004 ] NTFS File Attributes – Interacts with NTFS features and ADS to hide or obscure files.
  • [T1003 ] OS Credential Dumping – Harvests credentials and sensitive artifacts from host systems during operations.
  • [T1552 ] Unsecured Credentials – Attempts to harvest mail client data and other stored credentials (Outlook .pst referenced).
  • [T1552.001 ] Credentials in Files – Targets credentials stored in files such as Outlook .pst for collection.
  • [T1012 ] Query Registry – Reads registry values like MachineGuid for fingerprinting and victim identification.
  • [T1016 ] System Network Configuration Discovery – Reads network adapter and configuration information to map the environment.
  • [T1057 ] Process Discovery – Queries running processes to inform lateral movement and evasion logic.
  • [T1082 ] System Information Discovery – Collects memory and volume information prior to encryption.
  • [T1497 ] Virtualization/Sandbox Evasion – Uses process count and environment checks to evade analysis environments.
  • [T1005 ] Data from Local System – Collects local data (e.g., Outlook .pst) for potential exfiltration prior to encryption.
  • [T1074 ] Data Staged – Manipulates the recycle bin and staging areas when preparing exfiltration or encryption payloads.
  • [T1114 ] Email Collection – Harvests email-related data for credential or data collection.
  • [T1071 ] Application Layer Protocol – Uses application-layer channels and observed suspicious network indicators for communications and operator interactions.
  • [T1090 ] Proxy – Uses Tor .onion addresses for operator communication and victim negotiation: “Tor .onion chat link… blog .onion.”
  • [T1485 ] Data Destruction – Performs mass deletions and log clearing as destructive impact routines.
  • [T1486 ] Data Encrypted for Impact – Encrypts and renames user files, appending .Yurei to indicate encryption and impact.
  • [T1489 ] Service Stop – Attempts to stop active services to facilitate encryption and disable defenses.
  • [T1490 ] Inhibit System Recovery – Deletes Volume Shadow Copies and disables backups to prevent recovery.
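
The T1490, T1070 and T1036 entries above name concrete command lines and file names, which makes them the most directly detectable behaviours in this list. The Python below is an added example, not CYFIRMA's detection content and not the malware's code: it runs a handful of rules over constructed process-creation records shaped like a Sysmon Event ID 1 / Security 4688 extract and tags each match with the technique ID this report uses. The field names, the host and share names, the staging parent path and the benign look-alike events are all assumptions made up for the demo.

```python
"""
Process-creation triage for the Yurei behaviours listed above: recovery
inhibition (vssadmin / wbadmin), event-log purging via PowerShell, and the
masqueraded drop names WindowsUpdate.exe and System32_Backup.exe.

Added example for this write-up, not CYFIRMA's detection content and not
code from the malware. The records below are constructed in the shape of a
Sysmon Event ID 1 / Security 4688 extract; the field names, host names and
the staging parent path are assumptions for the demo.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str]   # (ATT&CK ID as used in this report, short rule name)

# Drop names the report ties to removable-media and SMB propagation.
DROP_NAMES = {"windowsupdate.exe", "system32_backup.exe"}

VSSADMIN = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all\b", re.I)
WBADMIN = re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)
# Get-ChildItem ... -Recurse | Remove-Item ... -Force aimed at the event log store.
GCI_RM = re.compile(r"Get-ChildItem\b.*-Recurse\b.*\|\s*Remove-Item\b.*-Force\b", re.I)
EVTLOG = re.compile(r"winevt\\logs|\.evtx\b", re.I)
STAGING = re.compile(r"\\AppData\\Local\\Temp\\", re.I)   # %LOCALAPPDATA%\Temp staging


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_drive_root_or_share(path: str) -> bool:
    """True for X:\\name.exe (a drive root, e.g. removable media) or \\\\server\\share\\name.exe."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        return True
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", p) is not None


def classify(ev: Event) -> List[Hit]:
    hits: List[Hit] = []
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")

    if VSSADMIN.search(cmd):
        hits.append(("T1490", "vssadmin shadow copy deletion"))
    if WBADMIN.search(cmd):
        hits.append(("T1490", "wbadmin catalog deletion"))
    if GCI_RM.search(cmd) and EVTLOG.search(cmd):
        hits.append(("T1070", "recursive event log removal"))
    if basename(image) in DROP_NAMES:
        where = "drive root or share" if is_drive_root_or_share(image) else "other path"
        hits.append(("T1036", f"Yurei drop name {basename(image)} ({where})"))
    # Context, not a detection on its own: the parent lives in the staging dir.
    if hits and STAGING.search(parent):
        hits.append(("context", "parent launched from %LOCALAPPDATA%\\Temp"))
    return hits


def triage(events: List[Event]) -> List[Tuple[int, List[Hit]]]:
    """Return (index, hits) for every event that matched at least one rule."""
    out: List[Tuple[int, List[Hit]]] = []
    for i, ev in enumerate(events):
        h = classify(ev)
        if h:
            out.append((i, h))
    return out


# Constructed sample extract (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\YureiRansomware.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin Delete Catalog -Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\YureiRansomware.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Get-ChildItem C:\Windows\System32\winevt\Logs -Recurse | Remove-Item -Force"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\YureiRansomware.exe"},
    {"Image": r"E:\WindowsUpdate.exe", "CommandLine": r"E:\WindowsUpdate.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"\\FILESRV01\public\System32_Backup.exe",
     "CommandLine": r"\\FILESRV01\public\System32_Backup.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign look-alikes that must not fire.
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Get-ChildItem C:\Users\alice\Documents -Recurse | Select-Object Name"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], hits)
```

The two benign records (vssadmin list shadows, a Get-ChildItem pipeline without Remove-Item) are there to show that the rules key on the destructive verbs rather than on the utility name alone. In production the event-log rule is worth pairing with the Windows log-clear events themselves (Security 1102, System 104), since a purge that succeeds leaves the process-creation record as the only evidence of itself.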

Indicators of Compromise

  • [File Hash ] Malware binaries and scripts – 4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 (YureiRansomware.exe), 1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4 (related sample)
  • [File Name ] Staged scripts/binaries – 3dec9093b6da575c8700a9eb.ps1 (PowerShell staging script), YureiRansomware.exe
  • [File Extension ] Encrypted file marker – .Yurei appended to encrypted files (used across impacted directories)
  • [URL / Onion ] Tor contact and leak sites – fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion (blog), fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion/chat/777676f8-2313-425f-873a-65c4df8d5def/chat[.]php (chat)
  • [File Header Marker ] Encryption header pattern – 0x7c7c (“||”) delimiter separating wrapped key/nonce from ciphertext (behavioral IOC)
  • [Filename Patterns ] Propagation/persistence artifacts – WindowsUpdate.exe and System32_Backup.exe found on removable drives and SMB shares (and other similarly named drop locations)


Read more: https://www.cyfirma.com/research/yurei-ransomware-the-digital-ghost/