{"description": "Enterprise techniques used by Sagerunex, ATT&CK software S1210 (v1.0)", "name": "Sagerunex (S1210)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) finds the `explorer.exe` process after execution and uses it to change the token of its executing thread.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) communicates via HTTPS, at times using a hard-coded User Agent of `Mozilla/5.0 (compatible; MSIE 7.0; Win32)`.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) has archived collected materials in RAR format.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) gathers host information and stages it locally as a RAR file prior to exfiltration.(Citation: Cisco LotusBlossom 2025) [Sagerunex](https://attack.mitre.org/software/S1210) stores logged data in an encrypted file located at `%TEMP%/TS_FB56.tmp` during execution.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) uses a custom decryption routine to unpack itself during installation.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) uses HTTPS for command and control communication.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) uses a \"servicemain\" function to verify its environment to ensure it can only be executed as a service, as well as the existence of a configuration file in a specified directory.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) encrypts collected system data then exfiltrates via existing command and control channels.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) calls the `WaitForSingleObject` API function as part of time-check logic.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) has used VMProtect to pack and obscure itself.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) can be passed a reference to an XOR-encrypted configuration file at runtime.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) identifies the `explorer.exe` process on the executing system.(Citation: Symantec Bilbug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) is designed to be dynamic link library (DLL) injected into an infected endpoint and executed directly in memory.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) uses several proxy configuration settings to ensure connectivity.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) gathers information from the infected system such as hostname.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) will gather system information such as MAC and IP addresses.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) has used virtual private servers (VPS) for command and control traffic as well as third-party cloud services in more recent variants.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.003", "comment": "[Sagerunex](https://attack.mitre.org/software/S1210) has used web services such as Twitter for command and control purposes.(Citation: Cisco LotusBlossom 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Sagerunex", "color": "#66b1ff"}]}