Analysis
-
max time kernel
55s -
max time network
52s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 12:59
Static task
static1
Behavioral task
behavioral1
Sample
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Resource
win10v20210410
General
-
Target
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
-
Size
39KB
-
MD5
7529e3c83618f5e3a4cc6dbf3a8534a6
-
SHA1
0f944504eebfca5466b6113853b0d83e38cf885a
-
SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597
-
SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_3CA64D43.txt
cargowelcome@protonmail.com
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\NewFind.raw => C:\Users\Admin\Pictures\NewFind.raw.ragnar_3CA64D43 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File renamed C:\Users\Admin\Pictures\RedoImport.crw => C:\Users\Admin\Pictures\RedoImport.crw.ragnar_3CA64D43 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File renamed C:\Users\Admin\Pictures\RenameLimit.tif => C:\Users\Admin\Pictures\RenameLimit.tif.ragnar_3CA64D43 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exedescription ioc process File opened (read-only) \??\E: ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCRD98.POC ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18199_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Common Files\System\ado\msado25.tlb ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Dublin ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14869_.GIF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Beirut ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00914_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Common Files\System\ado\msado26.tlb ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jre7\lib\security\java.policy ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Premium.css ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN065.XML ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBCN6.CHM ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7es.kic ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_es.properties ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.DPV ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\RGNR_3CA64D43.txt ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1476 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1108 notepad.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2016 wmic.exe Token: SeSecurityPrivilege 2016 wmic.exe Token: SeTakeOwnershipPrivilege 2016 wmic.exe Token: SeLoadDriverPrivilege 2016 wmic.exe Token: SeSystemProfilePrivilege 2016 wmic.exe Token: SeSystemtimePrivilege 2016 wmic.exe Token: SeProfSingleProcessPrivilege 2016 wmic.exe Token: SeIncBasePriorityPrivilege 2016 wmic.exe Token: SeCreatePagefilePrivilege 2016 wmic.exe Token: SeBackupPrivilege 2016 wmic.exe Token: SeRestorePrivilege 2016 wmic.exe Token: SeShutdownPrivilege 2016 wmic.exe Token: SeDebugPrivilege 2016 wmic.exe Token: SeSystemEnvironmentPrivilege 2016 wmic.exe Token: SeRemoteShutdownPrivilege 2016 wmic.exe Token: SeUndockPrivilege 2016 wmic.exe Token: SeManageVolumePrivilege 2016 wmic.exe Token: 33 2016 wmic.exe Token: 34 2016 wmic.exe Token: 35 2016 wmic.exe Token: SeBackupPrivilege 1764 vssvc.exe Token: SeRestorePrivilege 1764 vssvc.exe Token: SeAuditPrivilege 1764 vssvc.exe Token: SeIncreaseQuotaPrivilege 2016 wmic.exe Token: SeSecurityPrivilege 2016 wmic.exe Token: SeTakeOwnershipPrivilege 2016 wmic.exe Token: SeLoadDriverPrivilege 2016 wmic.exe Token: SeSystemProfilePrivilege 2016 wmic.exe Token: SeSystemtimePrivilege 2016 wmic.exe Token: SeProfSingleProcessPrivilege 2016 wmic.exe Token: SeIncBasePriorityPrivilege 2016 wmic.exe Token: SeCreatePagefilePrivilege 2016 wmic.exe Token: SeBackupPrivilege 2016 wmic.exe Token: SeRestorePrivilege 2016 wmic.exe Token: SeShutdownPrivilege 2016 wmic.exe Token: SeDebugPrivilege 2016 wmic.exe Token: SeSystemEnvironmentPrivilege 2016 wmic.exe Token: SeRemoteShutdownPrivilege 2016 wmic.exe Token: SeUndockPrivilege 2016 wmic.exe Token: SeManageVolumePrivilege 2016 wmic.exe Token: 33 2016 wmic.exe Token: 34 2016 wmic.exe Token: 35 2016 wmic.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exedescription pid process target process PID 1116 wrote to memory of 2016 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe wmic.exe PID 1116 wrote to memory of 2016 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe wmic.exe PID 1116 wrote to memory of 2016 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe wmic.exe PID 1116 wrote to memory of 2016 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe wmic.exe PID 1116 wrote to memory of 1476 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe vssadmin.exe PID 1116 wrote to memory of 1476 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe vssadmin.exe PID 1116 wrote to memory of 1476 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe vssadmin.exe PID 1116 wrote to memory of 1476 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe vssadmin.exe PID 1116 wrote to memory of 1108 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe notepad.exe PID 1116 wrote to memory of 1108 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe notepad.exe PID 1116 wrote to memory of 1108 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe notepad.exe PID 1116 wrote to memory of 1108 1116 ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe"C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_3CA64D43.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\RGNR_3CA64D43.txtMD5
0880547340d1b849a7d4faaf04b6f905
SHA137fa5848977fd39df901be01c75b8f8320b46322
SHA25684449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25
SHA5129048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91
-
memory/1108-62-0x0000000000000000-mapping.dmp
-
memory/1116-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmpFilesize
8KB
-
memory/1476-61-0x0000000000000000-mapping.dmp
-
memory/2016-60-0x0000000000000000-mapping.dmp