Get structured information about targeted attacks: Dr.Web vxCube reports merged with the MITRE ATT&CK matrix


Doctor Web is updating Dr.Web vxCube. The upcoming release will allow the sandbox's reports to be linked with the MITRE ATT&CK Enterprise matrix. As a result, analysis results will be integrated into the knowledge base of adversarial tactics and techniques to provide researchers with a more accurate assessment of samples being examined and allow them to recreate the attack timeline. The MITRE ATT&CK framework contains information about threat actors’ tactics and techniques. Cybersecurity experts use the knowledge base to further enhance the security of IT infrastructures.

This latest Dr.Web vxCube version won't merely provide researchers with a report on the activity of a potential threat but will also help them determine the sequence of steps taken to penetrate and infect a system. This information may subsequently be used to understand how current security policies should be changed to tighten security. Furthermore, the data on identified tactics and techniques can help create new SOC and SIEM rules for neutralising a specific threat.

To better demonstrate how information security professionals will benefit from the upcoming update, let’s examine the report generated after a common encryption ransomware sample was analysed with the new Dr.Web vxCube version.

  1. Tactics: Initial Access
    Technique: Replication Through Removable Media
    The attacker downloaded the malware to a removable data storage device that became the source of the infection. Perhaps, the employee used their own infected USB stick.

  2. Tactics: Execution
    Technique: Windows Management Instrumentation (WMI)
    As soon as the flash drive gets connected to a computer, the autorun routine is triggered (for example, a modified autorun.inf file could be used for this). The encryption ransomware uses WMI to activate its payload. It employs a legitimate administration tool (WMI) to evade detection by less advanced antiviruses.

  3. Tactics: Persistence & Privilege Escalation
    Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    To persist after a system restart and gain control as soon as a user logs in, the ransomware adds itself to the autostart app list. To accomplish this, it creates a corresponding registry entry or copies itself into the autostart folder. At this step, the trojan is often able to elevate its privileges to match those of the current user account.

  4. Tactics: Defense Evasion
    Technique: Indicator Removal: File deletion
    Once the ransomware has gained a foothold in the system, it starts covering its tracks. It removes its original executable file from the USB stick or the temporary folder to make it harder for antivirus experts to detect and analyze it.

  5. Tactics: Lateral Movement
    Technique: Replication Through Removable Media
    The malicious program does not confine itself to operating on a single compromised device. It monitors the system to determine when other USB drives get connected and infects them as well. Now, if an employee takes away their flash drive and connects it to another computer, the attack will be repeated. This is how the ransomware traverses air gaps within an infrastructure.

  6. Tactics: Impact
    Techniques: Inhibit System Recovery and Data Encrypted for Impact
    Inhibit System Recovery: the ransomware attempts to destroy or encrypt point-in-time file copies created by the Volume Shadow Copy Service (VSS) to prevent the victim from recovering their data by using standard Windows tools.  
    Data Encrypted for Impact: the malware uses strong encryption algorithms to encrypt all important files (documents, photos, database files) on the computer. After that, a message appears on the screen demanding that a ransom be paid in exchange for the decryption key.

A cybersecurity professional can use this information to implement the following measures in order to prevent systems from getting compromised by similar malicious programs:

  • Impose tighter restrictions on the use of USB storage media (disable the autorun feature, only allow encrypted corporate flash drives to be connected to the computers).
  • Configure system monitoring tools to detect suspicious Run Registry keys and attempts to run malicious scripts with WMI.
  • Divide the network into multiple subnets to mitigate a threat’s ability to spread across the infrastructure.
  • Set up regular and secure data backups to ensure that a recovery option is always available.
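The second measure above (detecting suspicious Run keys and WMI-launched scripts) and the report's idea of reconstructing the attack timeline can be expressed as plain detection logic. The following is an added example written for this article, not Dr.Web vxCube code: the Sysmon-style event dictionaries, the `drive_type` field and all sample values are constructed, and the technique IDs are the standard ATT&CK Enterprise identifiers for the techniques named in the report.

```python
"""Tag constructed endpoint events with ATT&CK tactics and rebuild a timeline."""
import re

# (tactic, technique) labels as named in the sandbox report above.
REMOVABLE = ("Initial Access", "T1091 Replication Through Removable Media")
WMI = ("Execution", "T1047 Windows Management Instrumentation")
RUN_KEY = ("Persistence",
           "T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder")

# Registry Run/RunOnce keys and the per-user Startup folder.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the (tactic, technique) pairs one event maps to, or [] if none."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")):
        hits.append(RUN_KEY)
    if kind == "file_create" and STARTUP_RE.search(ev.get("path", "")):
        hits.append(RUN_KEY)
    if kind == "process_create":
        image, parent = _basename(ev.get("image", "")), _basename(ev.get("parent_image", ""))
        # wmic.exe being launched, or the WMI provider host spawning a script host.
        if image == "wmic.exe" or (parent == "wmiprvse.exe" and image in SCRIPT_HOSTS):
            hits.append(WMI)
        # drive_type is a constructed field: executable started from removable media.
        if ev.get("drive_type") == "removable":
            hits.append(REMOVABLE)
    return hits


def attack_timeline(events):
    """Distinct (tactic, technique) pairs in the order they were first observed."""
    seen = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for hit in classify_event(ev):
            if hit not in seen:
                seen.append(hit)
    return seen


SAMPLE_EVENTS = [  # constructed sample telemetry, not real sandbox output
    {"ts": 1, "type": "process_create", "image": "E:\\docs\\invoice.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "drive_type": "removable"},
    {"ts": 2, "type": "process_create", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "parent_image": "E:\\docs\\invoice.exe", "drive_type": "fixed"},
    {"ts": 3, "type": "process_create", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "drive_type": "fixed"},
    {"ts": 4, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": 5, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop"},
]
```

Run against the sample events, `attack_timeline` yields Initial Access, then Execution, then Persistence, the same first three stages as the report; the benign Shell Folders write at `ts` 5 produces no hit.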

The new feature is available in both cloud-based and on-premise Dr.Web vxCube versions for Linux and Windows VMs. Only the English language is supported. Doctor Web intends to add MITRE ATT&CK support for Android threat analysis in the future.

The updated Dr.Web vxCube version will also include the current sandbox documentation. The cloud-based version of Dr.Web vxCube will be unavailable on October 23, 2025, between 10.00-11.00 GMT during scheduled updating.

To update the on-premise version, download the latest Dr.Web vxCube distribution and VM images and follow the installation guidelines found in the documentation to reinstall the software. Use the Download Wizard to get the latest Dr.Web vxCube version.

Dr.Web vxCube is a suspicious file analysis sandbox. It can help you identify indicators of compromise, prevent cyberattacks and eliminate advanced persistent threats. The sandbox is available as a cloud-based service and an on-premise solution.

Use this form to receive demo access to the cloud-based version of Dr.Web vxCube.

You can purchase a license for Dr.Web vxCube from Doctor Web's partners.

This update contains the MITRE ATT&CK® knowledge base. The knowledge base is being used and distributed under the MITRE Corporation's license.

© 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The MITRE ATT&CK® Terms of Use are available at https://attack.mitre.org/resources/legal-and-branding/terms-of-use/.
