Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]

ID: G0075
Aliases: Rancor
Version: 1.0

Alias Descriptions


Techniques Used

EnterpriseT1059Command-Line InterfaceRancor has used cmd.exe to execute commmands.[1]
EnterpriseT1105Remote File CopyRancor has downloaded additional malware, including by using certutil.[1]
EnterpriseT1053Scheduled TaskRancor launched a scheduled task to gain persistence using the schtasks /create /sc command.[1]
EnterpriseT1064ScriptingRancor has used shell and VBS scripts as well as embedded macros for execution.[1]
EnterpriseT1193Spearphishing AttachmentRancor has attached a malicious document to an email to gain initial access.[1]
EnterpriseT1071Standard Application Layer ProtocolRancor has used HTTP for C2.[1]
EnterpriseT1204User ExecutionRancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[1]


S0160certutilDeobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0255DDKONGCustom Command and Control Protocol, Deobfuscate/Decode Files or Information, File and Directory Discovery, Remote File Copy, Rundll32
S0254PLAINTEEBypass User Account Control, Command-Line Interface, Custom Command and Control Protocol, Custom Cryptographic Protocol, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, System Information Discovery, System Network Configuration Discovery
S0075RegCredentials in Registry, Modify Registry, Query Registry