move-file.md

File metadata and controls

71 lines (59 loc) · 2.17 KB
ID C0063
Objective(s) File System
Related ATT&CK Techniques None
Version 2.3
Created 30 August 2021
Last Modified 30 April 2024

Move File

Malware moves a file.

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Gamut | 2014 | -- | Gamut moves files. [1] |
| Hupigon | 2013 | -- | Hupigon moves files. [1] |
| Kovter | 2016 | -- | Kovter moves files. [1] |
| Mebromi | 2011 | -- | Mebromi moves files. [1] |
| Shamoon | 2012 | -- | Shamoon moves files. [1] |
| UP007 | 2016 | -- | UP007 moves files. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| move file | Move File (C0063) | kernel32.MoveFile, kernel32.MoveFileEx, MoveFileWithProgress, MoveFileTransacted, rename, _wrename, System.IO.FileInfo::MoveTo, System.IO.File::Move, kernel32.SHFileOperation |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| move_file_on_reboot | Move File (C0063) | MoveFileWithProgressTransactedA, MoveFileWithProgressTransactedW |

C0063 Snippet

File System::Move File
SHA256: bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420
Location: 0x41a61d

```asm
push    0x4     ; MOVEFILE_DELAY_UNTIL_REBOOT: option to delay the move until the next reboot
push    edi     ; new name for the moved file
lea     eax, [ebp + 0xffffefc4]
push    eax     ; name of the file to be moved
call    dword ptr [->KERNEL32.DLL::MoveFileExW] ; Windows API function to move the file from one name to another
```
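The 0x4 flag in the snippet above and CAPE's move_file_on_reboot signature both concern moves that are not performed immediately: Windows queues them in the PendingFileRenameOperations registry value and the session manager executes them at the next boot. The following Python is an added example (not part of the MBC page, capa or CAPE) that decodes that value's REG_MULTI_SZ layout so an analyst can review what a sample scheduled; the sample blob, the SYSTEM_DIRS list and the suspicious() heuristic are constructed for illustration.

```python
"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ, under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager).
Entries come in pairs: source path in NT form ("\\??\\C:\\..."), then destination.
An empty destination means delete; a "!" prefix on the destination means
replace an existing file (MOVEFILE_REPLACE_EXISTING)."""
from dataclasses import dataclass

# Constructed heuristic list of directories a delayed move should rarely target.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class PendingOp:
    source: str
    destination: str          # "" when the queued operation is a delete
    replace_existing: bool

    @property
    def kind(self) -> str:
        return "delete" if not self.destination else "move"


def decode_multi_sz(blob: bytes) -> list[str]:
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list ends with one extra NUL."""
    text = blob.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                     # drop the list terminator only
    parts = text.split("\x00")
    parts.pop()                              # drop the empty piece after the last string's NUL
    return [] if parts == [""] else parts    # an empty list encodes as a lone "\x00"


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(values: list[str]) -> list[PendingOp]:
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):   # consecutive (source, destination) pairs
        replace = dst.startswith("!")
        ops.append(PendingOp(_strip_nt_prefix(src), _strip_nt_prefix(dst[1:] if replace else dst), replace))
    return ops


def suspicious(op: PendingOp) -> bool:
    """Constructed heuristic: a file outside system directories is queued to land inside one."""
    src, dst = op.source.lower(), op.destination.lower()
    return op.kind == "move" and dst.startswith(SYSTEM_DIRS) and not src.startswith(SYSTEM_DIRS)


# Constructed sample value: one replace-on-reboot move into System32 and one queued delete.
SAMPLE_BLOB = ("\x00".join([
    "\\??\\C:\\Users\\Public\\update.tmp", "!\\??\\C:\\Windows\\System32\\upd.dll",
    "\\??\\C:\\Windows\\Temp\\old.log", "",
]) + "\x00\x00").encode("utf-16-le")
```

On a live system the raw bytes come from winreg.QueryValueEx on that key; the decoder above is only needed when the value is read from an offline hive or a memory image.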

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022