Analysis
max time kernel: 71s
max time network: 117s
platform: windows10_x64
resource: win10
submitted: 03-08-2020 10:01
Static task: static1
Behavioral task: behavioral1, sample ragnar_locker_EDP (4).exe, resource win7v200722
Behavioral task: behavioral2, sample ragnar_locker_EDP (4).exe, resource win10
General
Target: ragnar_locker_EDP (4).exe
Size: 116KB
MD5: 63241a7a39692f90328a72c0e9826afd
SHA1: 016ef5b9e91eb9a90af39dbb2c66fe527de12f92
SHA256: 30dcc7a8ae98e52ee5547379048ca1fc90925e09a2a81c055021ba225c1d064c
SHA512: 6a758b525c665c45770b18d84f2cb8a38b45d8093558bf15f5e7f53283c0352bd9afd54cfdac21e3deaf146fb840ba5ba32b9da765902f36ef7aa126cc8287c1
Malware Config
Extracted
Path: C:\Users\Public\Documents\RGNR_2D08E9B5.txt
Family: ragnarlocker
URLs:
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Suspicious behavior: EnumeratesProcesses 100 IoCs
Processes: ragnar_locker_EDP (4).exe
pid process
3920 ragnar_locker_EDP (4).exe (this single entry is repeated for every IoC the report lists under this signature)
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe (the process column is vssvc.exe for every entry below)
description: ioc
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Drops file in Program Files directory 19475 IoCs
Processes: ragnar_locker_EDP (4).exe (the process column is ragnar_locker_EDP (4).exe for every entry below; the report lists the first 64 of 19475 IoCs)
description: ioc
File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-125.png
File created: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\3DBrush\brush_bristles.png
File created: C:\Program Files (x86)\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms
File created: C:\Program Files\Microsoft Office 15\ClientX64\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg
File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\174.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.scale-150.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-400.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7205_24x24x32.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml
File created: C:\Program Files\Windows Photo Viewer\en-US\RGNR_2D08E9B5.txt
File created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\RGNR_2D08E9B5.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-colorize.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-400.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.surprise.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\dismiss.contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_40x40x32.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
File created: C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\RGNR_2D08E9B5.txt
File created: C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js
File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-colorize.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24_altform-unplated_contrast-white.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js
File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.Tests.ps1
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML
File opened for modification: C:\Program Files\Windows Defender\Defendericon.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\bouquet.jpg
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\commoneffectsassets.xml
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\Xlate_Init.xsn
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square44x44Logo.targetsize-24_altform-unplated.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\FilesystemMetadata.xml
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-20.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\RGNR_2D08E9B5.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-black.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated_contrast-white.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\RGNR_2D08E9B5.txt
Drops startup file 1 IoCs
Processes: ragnar_locker_EDP (4).exe
description: ioc
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_2D08E9B5.txt (ragnar_locker_EDP (4).exe)
Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe
pid process
852 notepad.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid process
1732 vssadmin.exe
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: ragnar_locker_EDP (4).exe (the process column is ragnar_locker_EDP (4).exe for every entry below)
description: ioc
File renamed: C:\Users\Admin\Pictures\JoinResume.tiff => C:\Users\Admin\Pictures\JoinResume.tiff.ragnar_2D08E9B5
File renamed: C:\Users\Admin\Pictures\SearchConvertFrom.tif => C:\Users\Admin\Pictures\SearchConvertFrom.tif.ragnar_2D08E9B5
File opened for modification: C:\Users\Admin\Pictures\LockSubmit.tiff
File renamed: C:\Users\Admin\Pictures\ClearOptimize.tif => C:\Users\Admin\Pictures\ClearOptimize.tif.ragnar_2D08E9B5
File opened for modification: C:\Users\Admin\Pictures\ConvertFromSkip.tiff
File renamed: C:\Users\Admin\Pictures\ConvertFromSkip.tiff => C:\Users\Admin\Pictures\ConvertFromSkip.tiff.ragnar_2D08E9B5
File opened for modification: C:\Users\Admin\Pictures\JoinResume.tiff
File renamed: C:\Users\Admin\Pictures\InvokeStep.tif => C:\Users\Admin\Pictures\InvokeStep.tif.ragnar_2D08E9B5
File renamed: C:\Users\Admin\Pictures\LockSubmit.tiff => C:\Users\Admin\Pictures\LockSubmit.tiff.ragnar_2D08E9B5
File renamed: C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.ragnar_2D08E9B5
Suspicious use of WriteProcessMemory 7 IoCs
Processes: ragnar_locker_EDP (4).exe
description, pid process, target process
PID 3920 wrote to memory of 2568: 3920 ragnar_locker_EDP (4).exe -> wmic.exe
PID 3920 wrote to memory of 2568: 3920 ragnar_locker_EDP (4).exe -> wmic.exe
PID 3920 wrote to memory of 1732: 3920 ragnar_locker_EDP (4).exe -> vssadmin.exe
PID 3920 wrote to memory of 1732: 3920 ragnar_locker_EDP (4).exe -> vssadmin.exe
PID 3920 wrote to memory of 852: 3920 ragnar_locker_EDP (4).exe -> notepad.exe
PID 3920 wrote to memory of 852: 3920 ragnar_locker_EDP (4).exe -> notepad.exe
PID 3920 wrote to memory of 852: 3920 ragnar_locker_EDP (4).exe -> notepad.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: wmic.exe, vssvc.exe
pid process: tokens (in the order the report lists them)
2568 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
2100 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2568 wmic.exe: the same sequence of 21 tokens as above, listed a second time (21 + 3 + 21 = 45 IoCs)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: ragnar_locker_EDP (4).exe
description: ioc
File opened for modification: \??\PHYSICALDRIVE0 (ragnar_locker_EDP (4).exe)
Processes
C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (4).exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (4).exe"
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Drops startup file
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Writes to the Master Boot Record (MBR)
  C:\Windows\System32\Wbem\wmic.exe (depth 2, child process)
  command line: wmic.exe shadowcopy delete
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\vssadmin.exe (depth 2, child process)
  command line: vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
  C:\Windows\SysWOW64\notepad.exe (depth 2, child process)
  command line: C:\Users\Public\Documents\RGNR_2D08E9B5.txt
  - Opens file in notepad (likely ransom note)
C:\Windows\system32\vssvc.exe (depth 1)
command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Documents\RGNR_2D08E9B5.txt
memory/852-102-0x0000000000000000-mapping.dmp
memory/1732-101-0x0000000000000000-mapping.dmp
memory/2568-100-0x0000000000000000-mapping.dmp
memory/3920-31-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-49-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-11-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-12-0x0000000002630000-0x0000000002631000-memory.dmp (Filesize 4KB)
memory/3920-13-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-15-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-21-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-27-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-0-0x0000000002630000-0x0000000002631000-memory.dmp (Filesize 4KB)
memory/3920-37-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-45-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-9-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-61-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-65-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-69-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-73-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-83-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-95-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-7-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-3-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
memory/3920-2-0x0000000002630000-0x0000000002631000-memory.dmp (Filesize 4KB)
memory/3920-1-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)