safepay

T1078Valid Accounts

The threat actor accessed the endpoint via Remote Desktop Protocol (RDP) using valid credentials.

T1091Replication Through Removable Media

T1189Drive-by Compromise

T1190Exploit Public-Facing Application

T1566.001Phishing: Spearphishing Attachment

T1566.002Phishing: Spearphishing Link

T1566.003Phishing: Spearphishing Voice

T1047Windows Management Instrumentation

Employed WMI commands to execute processes on remote systems.

T1053.005Scheduled Task/Job: Scheduled Task

T1059Command and Scripting Interpreter

Utilized PowerShell scripts, such as ShareFinder.ps1, to execute commands on the compromised system.

T1059.001Command and Scripting Interpreter: PowerShell

T1059.003Command and Scripting Interpreter: Windows Command Shell

T1059.005Command and Scripting Interpreter: Visual Basic

T1106Native API

T1129Shared Modules

T1203Exploitation for Client Execution

T1204.001User Execution: Malicious Link

T1204.002User Execution: Malicious File

T1078Valid Accounts

Maintained access through the use of compromised valid accounts.

T1098Account Manipulation

T1505.004Server Software Component: IIS Components

T1542.003Pre-OS Boot: Bootkit

T1543.003Create or Modify System Process: Windows Service

T1547Boot or Logon Autostart Execution

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1547.009Boot or Logon Autostart Execution: Shortcut Modification

T1574.001Hijack Execution Flow: DLL Search Order Hijacking

T1078Valid Accounts

Escalated privileges by leveraging valid domain accounts.

T1134.002Access Token Manipulation: Create Process with Token

T1134.004Access Token Manipulation: Parent PID Spoofing

T1014Rootkit

T1027Obfuscated Files or Information

T1027.002Obfuscated Files or Information: Software Packing

T1027.005Obfuscated Files or Information: Indicator Removal from Tools

T1027.007Obfuscated Files or Information: Dynamic API Resolution

T1027.009Obfuscated Files or Information: Embedded Payloads

T1027.013Obfuscated Files or Information: Encrypted/Encoded File

T1027.016Obfuscated Files or Information: Junk Code Insertion

T1036Masquerading

T1036.003Masquerading: Rename Legitimate Utilities

T1036.004Masquerading: Masquerade Task or Service

T1036.005Masquerading: Match Legitimate Name or Location

T1036.007Masquerading: Double File Extension

T1036.008Masquerading: Masquerade File Type

T1055Process Injection

T1055.001Process Injection: DLL Injection

T1070Indicator Removal

T1070.003Indicator Removal: Clear Command History

T1070.004Indicator Removal: File Deletion

T1070.006Indicator Removal: Timestomp

T1112Modify Registry

T1140Deobfuscate/Decode Files or Information

T1218System Binary Proxy Execution

T1218.004System Binary Proxy Execution: InstallUtil

T1218.005System Binary Proxy Execution: Mshta

T1218.007System Binary Proxy Execution: Msiexec

T1218.010System Binary Proxy Execution: Regsvr32

T1218.011System Binary Proxy Execution: Rundll32

T1218.014System Binary Proxy Execution: MMC

T1220XSL Script Processing

T1221Template Injection

T1222File and Directory Permissions Modification

T1497Virtualization/Sandbox Evasion

T1497.001Virtualization/Sandbox Evasion: System Checks

T1497.003Virtualization/Sandbox Evasion: Time Based Checks

T1553.002Subvert Trust Controls: Code Signing

T1562.001Impair Defenses: Disable or Modify Tools

T1562.004Impair Defenses: Disable or Modify System Firewall

T1564.001Hidden Artifacts: Hidden Files and Directories

T1574Hijack Execution Flow

T1574.013Hijack Execution Flow: KernelCallbackTable

T1620Reflective DLL Injection

T1622Debugger Evasion

T1003OS Credential Dumping

Employed tools like lsassy.py to dump credentials from the operating system.

T1003.003OS Credential Dumping: NTDS

T1056Input Capture

T1056.001Input Capture: Keylogging

T1110.003Brute Force: Password Spraying

T1555Credentials from Password Stores

T1557.001Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning

T1010Application Window Discovery

T1012Query Registry

T1016System Network Configuration Discovery

T1033System Owner/User Discovery

T1046Network Service Discovery

T1049System Network Connections Discovery

T1057Process Discovery

T1082System Information Discovery

T1083File and Directory Discovery

T1087.002Account Discovery: Domain Account

T1119Automated Collection

T1120Peripheral Device Discovery

T1124Time Discovery

T1482Domain Trust Discovery

Conducted domain trust discovery using commands like 'net group domain admins /domain' and 'nltest.exe'.

T1614.001System Location Discovery: System Language Discovery

T1021Remote Services

Moved laterally within the network using Remote Desktop Protocol (RDP) and Windows Management Instrumentation (WMI).

T1021.001Remote Services: Remote Desktop Protocol

T1021.002Remote Services: SMB/Windows Admin Shares

T1021.004Remote Services: SSH

T1091Replication Through Removable Media

T1534Internal Spearphishing

T1005Data from Local System

T1074Data Staged

T1074.001Data Staged: Local Data Staging

T1560Archive Collected Data

Archived files using WinRAR with specific command-line options to prepare data for exfiltration.

T1560.002Archive Collected Data: Archive via Library

T1560.003Archive Collected Data: Archive via Custom Method

T1041Exfiltration Over C2 Channel

T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol

T1052.001Exfiltration Over Physical Medium: Exfiltration over USB

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1001.003Data Obfuscation: Protocol or Service Impersonation

T1008Fallback Channels

T1071.001Application Layer Protocol: Web Protocols

T1090Proxy

T1090.001Proxy: Internal Proxy

T1090.002Proxy: External Proxy

T1095Non-Application Layer Protocol

T1102Web Service

T1102.002Web Service: Bidirectional Communication

T1104Multi-Stage Channels

T1105Ingress Tool Transfer

T1132.001Data Encoding: Standard Encoding

T1219.002Remote Access Software: Remote Desktop Software

T1571Non-Standard Port

T1573Encrypted Channel

T1573.001Encrypted Channel: Symmetric Cryptography

T1485Data Destruction

T1486Data Encrypted for Impact

Encrypted files and appended the '.safepay' extension, leaving a ransom note named 'readme_safepay.txt'.

T1489Service Stop

T1490Inhibit System Recovery

Deleted volume shadow copies to inhibit system recovery.

T1491.001Defacement: Internal Defacement

T1529System Shutdown/Reboot

T1561.001Disk Wipe: Disk Content Wipe

T1561.002Disk Wipe: Disk Structure Wipe

T1583.001Acquire Infrastructure: Domains

T1583.004Acquire Infrastructure: Server

T1583.006Acquire Infrastructure: Web Services

T1584.001Compromise Infrastructure: Domains

T1584.004Compromise Infrastructure: Server

T1585.001Establish Accounts: Social Media Accounts

T1585.002Establish Accounts: Email Accounts

T1587.001Develop Capabilities: Malware

T1587.002Develop Capabilities: Code Signing Certificates

T1588.002Obtain Capabilities: Tool

T1588.003Obtain Capabilities: Code Signing Certificates

T1588.004Obtain Capabilities: Digital Certificates

T1608.001Stage Capabilities: Upload Malware

T1608.002Stage Capabilities: Upload Tool

T1589.002Gather Victim Identity Information: Email Addresses

T1591Gather Victim Org Information

T1591.004Gather Victim Org Information: Identify Roles

T1593.001Search Open Websites/Domains: Social Media