Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]

ID: G0075
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Rancor has used HTTP for C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Rancor has used cmd.exe to execute commmands.[1]

.005 Command and Scripting Interpreter: Visual Basic

Rancor has used VBS scripts as well as embedded macros for execution.[1]

Enterprise T1105 Ingress Tool Transfer

Rancor has downloaded additional malware, including by using certutil.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Rancor has attached a malicious document to an email to gain initial access.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Rancor has used msiexec to download and execute malicious installer files over HTTP.[1]

Enterprise T1204 .002 User Execution: Malicious File

Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[1]


ID Name References Techniques
S0160 certutil [1] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0255 DDKONG [1] Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, System Binary Proxy Execution: Rundll32
S0254 PLAINTEE [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Modify Registry, Process Discovery, System Information Discovery, System Network Configuration Discovery
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry