Skip to content


PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. 1

Item Value
ID S0254
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control An older variant of PLAINTEE performs UAC bypass.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder PLAINTEE gains persistence by adding the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell PLAINTEE uses cmd.exe to execute commands on the victim’s machine.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography PLAINTEE encodes C2 beacons using XOR.1
enterprise T1105 Ingress Tool Transfer PLAINTEE has downloaded and executed additional plugins.1
enterprise T1112 Modify Registry PLAINTEE uses reg add to add a Registry Run key for persistence.1
enterprise T1057 Process Discovery PLAINTEE performs the tasklist command to list running processes.1
enterprise T1082 System Information Discovery PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.1
enterprise T1016 System Network Configuration Discovery PLAINTEE uses the ipconfig /all command to gather the victim’s IP address.1

Groups That Use This Software

ID Name References
G0075 Rancor 1


Back to top