Analysis
- max time kernel: 70s
- max time network: 18s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:59
Static task: static1
Behavioral task: behavioral1
- Sample: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
- Resource: win10v20210408
General
- Target: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
- Size: 47KB
- MD5: f7c48ee1f3ee1b18d255ad98703a5896
- SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abc
- SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
- SHA512: 5d5dd72488555f937aa23e674b69a0fc1eaeda38f66450858f3e9b8fe55160a02ece08ed4b6475a62810ebd24b2e2d83ae08ebf2df54b39c174f05027bb608ce
Malware Config
Extracted
- Path: C:\Users\Public\Documents\RGNR_3CA64D43.txt
- Family: ragnarlocker
- URLs:
  - http://p6o7m73ujalhgkiv.onion/?p=171
  - http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
  - http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
- RagnarLocker
  Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\ExportReceive.tiff | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
| File opened for modification | C:\Users\Admin\Pictures\MeasureUpdate.tiff | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
| File opened for modification | C:\Users\Admin\Pictures\UndoRead.tiff | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
| File renamed | C:\Users\Admin\Pictures\UndoRead.tiff => C:\Users\Admin\Pictures\UndoRead.tiff.ragnar_3CA64D43 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
| File renamed | C:\Users\Admin\Pictures\ExportReceive.tiff => C:\Users\Admin\Pictures\ExportReceive.tiff.ragnar_3CA64D43 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
| File renamed | C:\Users\Admin\Pictures\MeasureUpdate.tiff => C:\Users\Admin\Pictures\MeasureUpdate.tiff.ragnar_3CA64D43 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\E: | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\PHYSICALDRIVE0 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe |
- Drops file in Program Files directory (64 IoCs)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.

| pid | Process |
| --- | --- |
| 1540 | vssadmin.exe |

- Opens file in notepad (likely ransom note) (1 IoCs)

| pid | Process |
| --- | --- |
| 1720 | notepad.exe |
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | 1560 | wmic.exe |
| Token: SeSecurityPrivilege | 1560 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 1560 | wmic.exe |
| Token: SeLoadDriverPrivilege | 1560 | wmic.exe |
| Token: SeSystemProfilePrivilege | 1560 | wmic.exe |
| Token: SeSystemtimePrivilege | 1560 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 1560 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 1560 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 1560 | wmic.exe |
| Token: SeBackupPrivilege | 1560 | wmic.exe |
| Token: SeRestorePrivilege | 1560 | wmic.exe |
| Token: SeShutdownPrivilege | 1560 | wmic.exe |
| Token: SeDebugPrivilege | 1560 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 1560 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 1560 | wmic.exe |
| Token: SeUndockPrivilege | 1560 | wmic.exe |
| Token: SeManageVolumePrivilege | 1560 | wmic.exe |
| Token: 33 | 1560 | wmic.exe |
| Token: 34 | 1560 | wmic.exe |
| Token: 35 | 1560 | wmic.exe |
| Token: SeBackupPrivilege | 436 | vssvc.exe |
| Token: SeRestorePrivilege | 436 | vssvc.exe |
| Token: SeAuditPrivilege | 436 | vssvc.exe |
| Token: SeIncreaseQuotaPrivilege | 1560 | wmic.exe |
| Token: SeSecurityPrivilege | 1560 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 1560 | wmic.exe |
| Token: SeLoadDriverPrivilege | 1560 | wmic.exe |
| Token: SeSystemProfilePrivilege | 1560 | wmic.exe |
| Token: SeSystemtimePrivilege | 1560 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 1560 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 1560 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 1560 | wmic.exe |
| Token: SeBackupPrivilege | 1560 | wmic.exe |
| Token: SeRestorePrivilege | 1560 | wmic.exe |
| Token: SeShutdownPrivilege | 1560 | wmic.exe |
| Token: SeDebugPrivilege | 1560 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 1560 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 1560 | wmic.exe |
| Token: SeUndockPrivilege | 1560 | wmic.exe |
| Token: SeManageVolumePrivilege | 1560 | wmic.exe |
| Token: 33 | 1560 | wmic.exe |
| Token: 34 | 1560 | wmic.exe |
| Token: 35 | 1560 | wmic.exe |
- Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 308 wrote to memory of 1560 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 29 |
| PID 308 wrote to memory of 1560 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 29 |
| PID 308 wrote to memory of 1560 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 29 |
| PID 308 wrote to memory of 1560 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 29 |
| PID 308 wrote to memory of 1540 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 31 |
| PID 308 wrote to memory of 1540 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 31 |
| PID 308 wrote to memory of 1540 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 31 |
| PID 308 wrote to memory of 1540 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 31 |
| PID 308 wrote to memory of 1720 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 36 |
| PID 308 wrote to memory of 1720 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 36 |
| PID 308 wrote to memory of 1720 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 36 |
| PID 308 wrote to memory of 1720 | 308 | c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe | 36 |
Processes
- C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe"
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 308
  Child processes:
  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: wmic.exe shadowcopy delete
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560
  - C:\Windows\system32\vssadmin.exe (depth 2)
    Command line: vssadmin delete shadows /all /quiet
    Signatures:
    - Interacts with shadow copies
    PID: 1540
  - C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: C:\Users\Public\Documents\RGNR_3CA64D43.txt
    Signatures:
    - Opens file in notepad (likely ransom note)
    PID: 1720
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 436