Incident Score: Analysis & Impact (FOR1769045821)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating exploits Fortinet devices using CVE-2025-64446 and External Remote Services (T1133) with moderate to high confidence (80%), supported by evidence indicating attacks exposed RDP services. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating copies itself to temp directory as svchost_random.exe and Command and Scripting Interpreter (T1059) with moderate confidence (60%), supported by evidence indicating performs network reconnaissance via ARP requests. Under the Defense Evasion tactic, the analysis identified Virtualization/Sandbox Evasion (T1497) with high confidence (90%), supported by evidence indicating anti-virtualization phase detects sandbox environments, Masquerading (T1036) with moderate to high confidence (80%), supported by evidence indicating uses fake error messages to evade analysis, and Indicator Removal: Clear Windows Event Logs (T1070.001) with moderate confidence (50%), supported by evidence indicating likely clears logs post-compromise (implied by sophistication). Under the Discovery tactic, the analysis identified System Network Configuration Discovery (T1016) with high confidence (90%), supported by evidence indicating performs aggressive network reconnaissance via ARP requests, File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating harvests browser data, application information, and Remote System Discovery (T1018) with moderate to high confidence (80%), supported by evidence indicating scans for RDP services and lateral movement targets. Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with high confidence (90%), supported by evidence indicating harvests system credentials, browser data, cryptocurrency wallets and OS Credential Dumping (T1003) with moderate to high confidence (70%), supported by evidence indicating collects credentials from Discord, Slack, Telegram. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating packages data into collected_data.zip for exfiltration and Automated Collection (T1119) with moderate to high confidence (80%), supported by evidence indicating harvests browser data, application information systematically. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrates collected_data.zip via file.io and Exfiltration Over Web Service (T1567) with moderate to high confidence (80%), supported by evidence indicating uses file.io for data exfiltration. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating tests connectivity via google.com/generate_204 and Ingress Tool Transfer (T1105) with moderate to high confidence (70%), supported by evidence indicating likely downloads additional payloads (implied by RaaS sophistication). Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (80%), supported by evidence indicating establishes persistence via registry modifications, Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (80%), supported by evidence indicating creates new services for persistence, and Create Account: Local Account (T1136.001) with high confidence (90%), supported by evidence indicating creates new user accounts with hardcoded credentials. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating uses AES-GCM (256-bit keys) to encrypt files with .sicarii extension, Inhibit System Recovery (T1490) with high confidence (90%), supported by evidence indicating corrupts bootloader files to force system shutdown, and Data Destruction (T1485) with moderate to high confidence (80%), supported by evidence indicating destructive payload beyond typical ransomware tactics. Under the Lateral Movement tactic, the analysis identified Exploitation of Remote Services (T1210) with high confidence (90%), supported by evidence indicating exploits CVE-2025-64446 for lateral movement in networks and Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (80%), supported by evidence indicating targets exposed RDP services for lateral movement. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.