Analysis
max time kernel: 62s
max time network: 153s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
  Resource: win10v20210410
General
Target: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
Size: 798KB
MD5: 987bcd521229b303fbe384def3b9be24
SHA1: 81606251ea97a89f483a675bc819d545e7ff515a
SHA256: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36
SHA512: d8af7542607e2c9aace36accd594ef41c1334010917c64f7dfba806ca795715cfd967963924f732c2d4ebe7c36282bf8f96f6d971265c2a7b4b94c6d259e99b5
Malware Config
Extracted
  Ransom note path: C:\Users\Public\Documents\RGNR_A3ED31EC.txt
  Contact e-mail: hello_psecu@protonmail.com
  Wallet address: 1E6EjTqYPHLj1uovPKKRXzMpPCcpAcVuiU
  URL: https://tox.chat/download.html
Signatures
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\InvokeConnect.png => C:\Users\Admin\Pictures\InvokeConnect.png.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File renamed | C:\Users\Admin\Pictures\MergeProtect.tif => C:\Users\Admin\Pictures\MergeProtect.tif.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File renamed | C:\Users\Admin\Pictures\MergeUnlock.tif => C:\Users\Admin\Pictures\MergeUnlock.tif.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File opened for modification | C:\Users\Admin\Pictures\PingGrant.tiff | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File renamed | C:\Users\Admin\Pictures\PingGrant.tiff => C:\Users\Admin\Pictures\PingGrant.tiff.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File renamed | C:\Users\Admin\Pictures\UninstallSync.tif => C:\Users\Admin\Pictures\UninstallSync.tif.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
File renamed | C:\Users\Admin\Pictures\DisconnectCheckpoint.crw => C:\Users\Admin\Pictures\DisconnectCheckpoint.crw.ragnar_A3ED31EC | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
Drops startup file (1 IoC)
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_A3ED31EC.txt | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
description | ioc | process
File opened (read-only) | \??\E: | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
Drops file in Program Files directory (64 IoCs)
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe (process column for every entry below)
description | ioc
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\pizza.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-150.png
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\SmallTile.scale-200.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-200.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\RGNR_A3ED31EC.txt
File created | C:\Program Files (x86)\Reference Assemblies\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-150.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_myGames.targetsize-48.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg3.jpg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-48.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-400.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RGNR_A3ED31EC.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-colorize.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-100.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-150.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-400.png
File created | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\RGNR_A3ED31EC.txt
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\RGNR_A3ED31EC.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\196.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\_Resources\index.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
2312 | vssadmin.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe
pid | process
3116 | notepad.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2316 | wmic.exe
Token: SeSecurityPrivilege | 2316 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2316 | wmic.exe
Token: SeLoadDriverPrivilege | 2316 | wmic.exe
Token: SeSystemProfilePrivilege | 2316 | wmic.exe
Token: SeSystemtimePrivilege | 2316 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2316 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2316 | wmic.exe
Token: SeCreatePagefilePrivilege | 2316 | wmic.exe
Token: SeBackupPrivilege | 2316 | wmic.exe
Token: SeRestorePrivilege | 2316 | wmic.exe
Token: SeShutdownPrivilege | 2316 | wmic.exe
Token: SeDebugPrivilege | 2316 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2316 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2316 | wmic.exe
Token: SeUndockPrivilege | 2316 | wmic.exe
Token: SeManageVolumePrivilege | 2316 | wmic.exe
Token: 33 | 2316 | wmic.exe
Token: 34 | 2316 | wmic.exe
Token: 35 | 2316 | wmic.exe
Token: 36 | 2316 | wmic.exe
Token: SeBackupPrivilege | 2984 | vssvc.exe
Token: SeRestorePrivilege | 2984 | vssvc.exe
Token: SeAuditPrivilege | 2984 | vssvc.exe
(The 21 wmic.exe entries above, pid 2316, are then recorded a second time in the same order, giving 45 IoCs in total.)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
description | pid | process | target process
PID 4036 wrote to memory of 2316 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | wmic.exe
PID 4036 wrote to memory of 2316 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | wmic.exe
PID 4036 wrote to memory of 2312 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | vssadmin.exe
PID 4036 wrote to memory of 2312 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | vssadmin.exe
PID 4036 wrote to memory of 3116 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | notepad.exe
PID 4036 wrote to memory of 3116 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | notepad.exe
PID 4036 wrote to memory of 3116 | 4036 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe | notepad.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Level 2 (child): C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  Level 2 (child): C:\Windows\SYSTEM32\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  Level 2 (child): C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Users\Public\Documents\RGNR_A3ED31EC.txt
    - Opens file in notepad (likely ransom note)
Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Documents\RGNR_A3ED31EC.txt
  MD5: a542fcfee82ad3375a5adf7df8997d88
  SHA1: b6a001fae92f9e8f4d580438b7170fd29d4f0722
  SHA256: 11d42766b1cb0b76e7d3d040ddd90ea8243992145d831852b277e3b0d670f1e0
  SHA512: 89a81e4ea3746d4c880fe7a50f00b259c66938eb776a43c9f6518bdb3f3f3f4808a120451e09e3bbe82b5175924d17aaf36a9b60f4530888d1d1fb985ffd76e0
memory/2312-115-0x0000000000000000-mapping.dmp
memory/2316-114-0x0000000000000000-mapping.dmp
memory/3116-116-0x0000000000000000-mapping.dmp