Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200722
- submitted: 03-08-2020 10:02
Static task: static1
Behavioral task: behavioral1
- Sample: ragnar_locker_EDP (2).exe
- Resource: win7
Behavioral task: behavioral2
- Sample: ragnar_locker_EDP (2).exe
- Resource: win10v200722
General
- Target: ragnar_locker_EDP (2).exe
- Size: 47KB
- MD5: f7c48ee1f3ee1b18d255ad98703a5896
- SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abc
- SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
- SHA512: 5d5dd72488555f937aa23e674b69a0fc1eaeda38f66450858f3e9b8fe55160a02ece08ed4b6475a62810ebd24b2e2d83ae08ebf2df54b39c174f05027bb608ce
Malware Config
Extracted
- Path: C:\Users\Public\Documents\RGNR_C37F73E1.txt
- Family: ragnarlocker
- URLs:
  http://p6o7m73ujalhgkiv.onion/?p=171
  http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
  http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
Suspicious behavior: EnumeratesProcesses (100 IoCs)
Processes:
- ragnar_locker_EDP (2).exe (PID 3908); the report lists this same process for every IoC
-
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
- wmic.exe (PID 416), token privileges adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is recorded twice)
- vssvc.exe (PID 1416), token privileges adjusted: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Drops startup file (1 IoCs)
Processes:
- ragnar_locker_EDP (2).exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_C37F73E1.txt
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
-
Drops file in Program Files directory (19504 IoCs)
Processes: ragnar_locker_EDP (2).exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 416 wmic.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 416 wmic.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 792 vssadmin.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 792 vssadmin.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 416 notepad.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 416 notepad.exe
- PID 3908 ragnar_locker_EDP (2).exe wrote to memory of PID 416 notepad.exe
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 792)
-
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\TraceInvoke.raw => C:\Users\Admin\Pictures\TraceInvoke.raw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\OutJoin.tif => C:\Users\Admin\Pictures\OutJoin.tif.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\PushStep.png => C:\Users\Admin\Pictures\PushStep.png.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\ReadFind.raw => C:\Users\Admin\Pictures\ReadFind.raw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\UpdateDebug.raw => C:\Users\Admin\Pictures\UpdateDebug.raw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\ResolveLimit.tiff => C:\Users\Admin\Pictures\ResolveLimit.tiff.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\WatchTest.crw => C:\Users\Admin\Pictures\WatchTest.crw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\SplitJoin.crw => C:\Users\Admin\Pictures\SplitJoin.crw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\CheckpointLimit.tif => C:\Users\Admin\Pictures\CheckpointLimit.tif.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\ImportUninstall.crw => C:\Users\Admin\Pictures\ImportUninstall.crw.ragnar_C37F73E1
- ragnar_locker_EDP (2).exe: File opened for modification C:\Users\Admin\Pictures\ResolveLimit.tiff
- ragnar_locker_EDP (2).exe: File renamed C:\Users\Admin\Pictures\WriteSplit.tif => C:\Users\Admin\Pictures\WriteSplit.tif.ragnar_C37F73E1
-
Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
- notepad.exe (PID 416)
-
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- ragnar_locker_EDP (2).exe: File opened for modification \??\PHYSICALDRIVE0
Processes
-
C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (2).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (2).exe"
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Modifies extensions of user files
- Writes to the Master Boot Record (MBR)
-
  Child process: C:\Windows\System32\Wbem\wmic.exe
  Command line: wmic.exe shadowcopy delete
  - Suspicious use of AdjustPrivilegeToken
-
  Child process: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
-
  Child process: C:\Windows\SysWOW64\notepad.exe
  Command line: C:\Users\Public\Documents\RGNR_C37F73E1.txt
  - Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\RGNR_C37F73E1.txt
- memory/416-100-0x0000000000000000-mapping.dmp
- memory/416-102-0x0000000000000000-mapping.dmp
- memory/792-101-0x0000000000000000-mapping.dmp
- memory/3908-45-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-58-0x0000000003260000-0x0000000003261000-memory.dmp (Filesize 4KB)
- memory/3908-9-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-11-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-15-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-19-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-21-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-25-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-31-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-37-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-0-0x0000000003260000-0x0000000003261000-memory.dmp (Filesize 4KB)
- memory/3908-47-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-57-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-7-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-59-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-65-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-69-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-77-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-81-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-85-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-95-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-5-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-3-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)
- memory/3908-2-0x0000000003260000-0x0000000003261000-memory.dmp (Filesize 4KB)
- memory/3908-1-0x0000000003A60000-0x0000000003A61000-memory.dmp (Filesize 4KB)