Incident Score: Analysis & Impact (CIS1775204907)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (95%), supported by evidence indicating dLL side-loading, where a legitimate Windows application loads a rogue *msimg32.dll*. Under the Defense Evasion tactic, the analysis identified Indicator Removal: Clear Windows Event Logs (T1070.001) with high confidence (90%), supported by evidence indicating the malware suppresses security event logging, Impair Defenses: Disable or Modify Tools (T1562.001) with high confidence (95%), supported by evidence indicating disabling over 300 endpoint detection and response (EDR) solutions, Impair Defenses: Impair Command History Logging (T1562.003) with moderate to high confidence (80%), supported by evidence indicating neutralizes user-mode hooks, Native API (T1106) with moderate to high confidence (85%), supported by evidence indicating uses syscall-scanning technique to bypass EDR monitoring, Process Injection: Dynamic-link Library Injection (T1055.001) with high confidence (90%), supported by evidence indicating malicious DLL file to execute entirely in memory, Hide Artifacts: Hidden Window (T1564.003) with moderate to high confidence (80%), supported by evidence indicating uses structured and vectored exception handling to obscure execution, Subvert Trust Controls: Code Signing Policy Modification (T1553.006) with high confidence (90%), supported by evidence indicating temporarily disables Windows Code Integrity enforcement, and Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (85%), supported by evidence indicating rogue *msimg32.dll* instead of the authentic system library. Under the Privilege Escalation tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (85%), supported by evidence indicating loads two kernel-level drivers such as *rwdrv.sys* and *hlpdrv.sys* and Exploitation for Privilege Escalation (T1068) with high confidence (90%), supported by evidence indicating escalates privileges and loads kernel-level drivers. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (70%), supported by evidence indicating malicious DLL triggers its hidden payload during initialization and Exploitation for Client Execution (T1203) with moderate to high confidence (80%), supported by evidence indicating dLL side-loading to execute rogue *msimg32.dll*. Under the Discovery tactic, the analysis identified System Location Discovery: System Language Discovery (T1614.001) with high confidence (90%), supported by evidence indicating checks the system’s language settings, crashing if post-Soviet language packs are detected. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (95%), supported by evidence indicating ransomware payload encrypted in memory, final payload is ransomware. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.