Analysis
max time kernel: 149s
max time network: 69s
platform: windows10_x64
resource: win10v200722
submitted: 03-08-2020 10:02
Static task: static1
Behavioral task: behavioral1 (Sample: ragnar_locker_EDP (1).exe, Resource: win7)
Behavioral task: behavioral2 (Sample: ragnar_locker_EDP (1).exe, Resource: win10v200722)
General
Target: ragnar_locker_EDP (1).exe
Size: 69KB
MD5: 00fb3f27bccef7c5658ff9f5ce487cec
SHA1: c24fedb9b8a592722d5a9adb34d276fc3b329d6f
SHA256: b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186
SHA512: a2346683bbdb5c7d939c0eaa4fb3a411681fedfbf90bea2866482b699da56aeaa4a5b3ffe5f8f24fdb5f4966dd22b8293ed1ee0eed4552dd9bb81f708e2e0235
Malware Config
Extracted from: C:\Users\Public\Documents\RGNR_C37F73E1.txt
Family: ragnarlocker
URLs:
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
760 | vssadmin.exe
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Drops file in Program Files directory (19484 IoCs)
Processes: ragnar_locker_EDP (1).exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sb_60x42.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\vn_60x42.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\Microsoft.Advertising\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Hud\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-colorize.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10146_20x20x32.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\goldbar.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_32x32x32.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-125.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48_altform-unplated.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\System\MSCOMCTL.OCX | ragnar_locker_EDP (1).exe
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_output\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-125.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\oak.jpg | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-100.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb | ragnar_locker_EDP (1).exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files\VideoLAN\VLC\locale\te\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bz_16x11.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-150.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectSmallTile.scale-100.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\3DBrush\round.mtl | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-200.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-125.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-125_contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\cardback.png | ragnar_locker_EDP (1).exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Retail\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\ui-strings.js | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\Microsoft Office\root\mcxml\en-us\officemui.msi.16_officemui.mcxml | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\StickySelection.scale-100.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png | ragnar_locker_EDP (1).exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf | ragnar_locker_EDP (1).exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: ragnar_locker_EDP (1).exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ConvertFromConvertTo.png => C:\Users\Admin\Pictures\ConvertFromConvertTo.png.ragnar_C37F73E1 | ragnar_locker_EDP (1).exe
File renamed | C:\Users\Admin\Pictures\MergeCompress.raw => C:\Users\Admin\Pictures\MergeCompress.raw.ragnar_C37F73E1 | ragnar_locker_EDP (1).exe
File renamed | C:\Users\Admin\Pictures\MoveOpen.tif => C:\Users\Admin\Pictures\MoveOpen.tif.ragnar_C37F73E1 | ragnar_locker_EDP (1).exe
File renamed | C:\Users\Admin\Pictures\ReceiveWait.crw => C:\Users\Admin\Pictures\ReceiveWait.crw.ragnar_C37F73E1 | ragnar_locker_EDP (1).exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: ragnar_locker_EDP (1).exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | ragnar_locker_EDP (1).exe
Suspicious behavior: EnumeratesProcesses (100 IoCs)
Processes: ragnar_locker_EDP (1).exe
pid | process
852 | ragnar_locker_EDP (1).exe (the same pid/process entry is repeated for every IoC in the list)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: ragnar_locker_EDP (1).exe
description | pid | process | target process
PID 852 wrote to memory of 3604 | 852 | ragnar_locker_EDP (1).exe | wmic.exe
PID 852 wrote to memory of 3604 | 852 | ragnar_locker_EDP (1).exe | wmic.exe
PID 852 wrote to memory of 760 | 852 | ragnar_locker_EDP (1).exe | vssadmin.exe
PID 852 wrote to memory of 760 | 852 | ragnar_locker_EDP (1).exe | vssadmin.exe
PID 852 wrote to memory of 244 | 852 | ragnar_locker_EDP (1).exe | notepad.exe
PID 852 wrote to memory of 244 | 852 | ragnar_locker_EDP (1).exe | notepad.exe
PID 852 wrote to memory of 244 | 852 | ragnar_locker_EDP (1).exe | notepad.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe
pid | process
244 | notepad.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: wmic.exe, vssvc.exe
description | pid | process
wmic.exe (pid 3604) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 token events is recorded twice in the report)
vssvc.exe (pid 3332) enabled tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Drops startup file (1 IoC)
Processes: ragnar_locker_EDP (1).exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_C37F73E1.txt | ragnar_locker_EDP (1).exe
Processes

C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe"
  - Drops file in Program Files directory
  - Modifies extensions of user files
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops startup file

  C:\Windows\System32\Wbem\wmic.exe (child of ragnar_locker_EDP (1).exe)
    command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\vssadmin.exe (child of ragnar_locker_EDP (1).exe)
    command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\notepad.exe (child of ragnar_locker_EDP (1).exe)
    command line: C:\Users\Public\Documents\RGNR_C37F73E1.txt
    - Opens file in notepad (likely ransom note)

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Public\Documents\RGNR_C37F73E1.txt
memory/244-102-0x0000000000000000-mapping.dmp
memory/760-101-0x0000000000000000-mapping.dmp
memory/852-37-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-47-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-9-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-11-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-15-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-19-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-21-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-25-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-31-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-0-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize 4KB)
memory/852-45-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-7-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-59-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-65-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-69-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-81-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-83-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-95-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-1-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-3-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize 4KB)
memory/852-2-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize 4KB)
memory/3604-100-0x0000000000000000-mapping.dmp