Tactics, Techniques and Procedures for Safepay




Initial Access (TA0001)
  Valid Accounts (T1078): The threat actor accessed the endpoint via Remote Desktop Protocol (RDP) using valid credentials.

Execution (TA0002)
  Command and Scripting Interpreter (T1059): Utilized PowerShell scripts, such as ShareFinder.ps1, to execute commands on the compromised system.
  Windows Management Instrumentation (T1047): Employed WMI commands to execute processes on remote systems.

Persistence (TA0003)
  Valid Accounts (T1078): Maintained access through the use of compromised valid accounts.

Privilege Escalation (TA0004)
  Valid Accounts (T1078): Escalated privileges by leveraging valid domain accounts.

Defense Evasion (TA0005)
  Disable or Modify Tools (T1562.001): Disabled Windows Defender using a sequence of LOLBin commands to evade detection.

Credential Access (TA0006)
  OS Credential Dumping (T1003): Employed tools like lsassy.py to dump credentials from the operating system.

Discovery (TA0007)
  Domain Trust Discovery (T1482): Conducted domain trust discovery using commands like 'net group domain admins /domain' and 'nltest.exe'.

Lateral Movement (TA0008)
  Remote Services (T1021): Moved laterally within the network using Remote Desktop Protocol (RDP) and Windows Management Instrumentation (WMI).

Collection (TA0009)
  Archive Collected Data (T1560): Archived files using WinRAR with specific command-line options to prepare data for exfiltration.

Exfiltration (TA0010)
  Exfiltration Over Web Service (T1567.002): Utilized MEGASync to exfiltrate data over a web service.

Impact (TA0040)
  Data Encrypted for Impact (T1486): Encrypted files and appended the '.safepay' extension, leaving a ransom note named 'readme_safepay.txt'.
  Inhibit System Recovery (T1490): Deleted volume shadow copies to inhibit system recovery.

This information is provided by Crocodyli or Ransomware.live