Analysis
max time kernel: 181s
max time network: 156s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:59
Static task: static1
Behavioral task: behavioral1
  Sample: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
  Resource: win10v20210408
General
Target: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
Size: 47KB
MD5: f7c48ee1f3ee1b18d255ad98703a5896
SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abc
SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
SHA512: 5d5dd72488555f937aa23e674b69a0fc1eaeda38f66450858f3e9b8fe55160a02ece08ed4b6475a62810ebd24b2e2d83ae08ebf2df54b39c174f05027bb608ce
Malware Config
Extracted from: C:\Users\Public\Documents\RGNR_B408CE06.txt
Family: ragnarlocker
URLs:
  http://p6o7m73ujalhgkiv.onion/?p=171
  http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
  http://p6o7m73ujalhgkiv.onion/?page_id=171
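The config above was pulled from the ransom note the sample drops into every directory it touches (RGNR_B408CE06.txt). During incident response the same job has to be done across a whole host: find every note, confirm they all carry the same victim ID, and collect the contact URLs, in particular the /client/?<token> URL that is unique to the victim. The script below is an added example, not part of the sandbox report or of any RagnarLocker tooling. The note body it writes is constructed; only the filename shape RGNR_<8 hex>.txt and the three .onion URLs are taken from the report, and the helper that builds a throwaway directory tree exists only so the example runs offline.

```python
"""Find RagnarLocker-style ransom notes and pull their .onion contact URLs.

Added example, not part of the sandbox report. The note text is constructed;
only the note filename shape (RGNR_<8 hex>.txt) and the three .onion URLs from
the extracted config are taken from the report.
"""
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME_RE = re.compile(r"^RGNR_([0-9A-F]{8})\.txt$", re.IGNORECASE)
# v2 (16-char) or v3 (56-char) base32 onion host, with an optional path/query
ONION_RE = re.compile(
    r"https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:/[^\s\"'<>]*)?", re.IGNORECASE)
# the per-victim URL in the config carries a 64-hex token after /client/?
CLIENT_TOKEN_RE = re.compile(r"/client/\?([0-9a-fA-F]{64})$")

# Constructed note body; the URLs are the report's extracted config values.
CONSTRUCTED_NOTE = """\
Your network has been encrypted.
Contact us:
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
Mirror: http://p6o7m73ujalhgkiv.onion/?page_id=171
"""


def find_ransom_notes(root):
    """Return sorted (path, victim_id) pairs for files matching the note name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_NAME_RE.match(name)
            if m:
                hits.append((Path(dirpath) / name, m.group(1).upper()))
    return sorted(hits)


def extract_onion_urls(text):
    """Unique .onion URLs in order of first appearance, trailing punctuation stripped."""
    urls = []
    for u in ONION_RE.findall(text):
        u = u.rstrip(".,;)")
        if u not in urls:
            urls.append(u)
    return urls


def client_token(urls):
    """The 64-hex victim token from a /client/?<token> URL, or None."""
    for u in urls:
        m = CLIENT_TOKEN_RE.search(u)
        if m:
            return m.group(1)
    return None


def triage(root):
    """Sweep root and summarise note locations, victim IDs and contact URLs."""
    notes = find_ransom_notes(root)
    urls = []
    for path, _ in notes:
        for u in extract_onion_urls(path.read_text(errors="replace")):
            if u not in urls:
                urls.append(u)
    return {
        "note_count": len(notes),
        "victim_ids": sorted({vid for _, vid in notes}),
        "note_dirs": sorted({str(p.parent.relative_to(root)) for p, _ in notes}),
        "onion_urls": urls,
        "client_token": client_token(urls),
    }


def build_demo_tree():
    """Constructed tree: three notes in directories the report lists, plus two decoys."""
    root = Path(tempfile.mkdtemp(prefix="rgnr_demo_"))
    for sub in ("Users/Public/Documents", "Program Files/7-Zip",
                "Program Files/Java/jdk1.8.0_66/jre/lib/images"):
        d = root / sub
        d.mkdir(parents=True)
        (d / "RGNR_B408CE06.txt").write_text(CONSTRUCTED_NOTE)
    (root / "Program Files/7-Zip/readme.txt").write_text("not a ransom note")
    (root / "Users/Public/Documents/RGNR_notes.txt").write_text("wrong name shape")
    return root


if __name__ == "__main__":
    summary = triage(build_demo_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real host point triage() at the volume root (or at a mounted forensic image); the victim-ID set should contain a single value, and more than one value means notes from different infections or hosts have been mixed together.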
Signatures

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. The evidence for this sample is in the process tree: it spawns wmic.exe shadowcopy delete (PID 4044) and vssadmin delete shadows /all /quiet (PID 2216).

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) | ioc: \??\E: | process: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system. The trigger here is a write handle to the raw disk device; the report does not show what bytes were written, so this confirms raw-disk write access by the sample rather than a verified MBR overwrite.
description: File opened for modification | ioc: \??\PHYSICALDRIVE0 | process: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are attributed to process c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe. The RGNR_B408CE06.txt entries are the ransom note being created in each directory; the remaining entries are existing files opened for modification, consistent with in-place encryption.
File created: C:\Program Files\7-Zip\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest
File created: C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL
File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar
File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\RGNR_B408CE06.txt
File created: C:\Program Files\Reference Assemblies\Microsoft\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden
File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\ext\cldrdata.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms
File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\RGNR_B408CE06.txt
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid: 2216 | process: vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 580 | process: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe (64 identical entries, all from PID 580)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
pid 3868, vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 4044, wmic.exe (21 entries, the whole set enabled twice for 42 in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (4 IoCs)
PID 580 (c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe) wrote to memory of 4044 | procid_target: 79 (two entries)
PID 580 (c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe) wrote to memory of 2216 | procid_target: 80 (two entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe"
   PID: 580
   - Enumerates connected drives
   - Writes to the Master Boot Record (MBR)
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic.exe shadowcopy delete
      PID: 4044
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2216
      - Interacts with shadow copies

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 3868
   - Suspicious use of AdjustPrivilegeToken

Level-2 entries are children of PID 580. vssvc.exe is the Volume Shadow Copy service; it appears as a separate top-level process because the service control manager starts it to service the deletion requests, not because the sample spawned it.
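The process tree is the detection opportunity in this report: a binary running from %TEMP% spawns both wmic.exe shadowcopy delete and vssadmin delete shadows /all /quiet. The following is an added example of detection logic over process-creation telemetry, written for this page and not taken from the sandbox or from any vendor rule set. It runs over constructed event records that mirror the tree above (PIDs 580, 4044, 2216, 3868) in a Sysmon Event ID 1-like shape; the field names, the services.exe parent given to vssvc.exe, and the benign control events are assumptions. Beyond the two commands seen here it also covers vssadmin resize shadowstorage and the PowerShell Win32_ShadowCopy variants, and it grades a hit by where the parent process runs from, since backup agents under Program Files legitimately prune shadow copies.

```python
"""Detect shadow-copy deletion in process-creation telemetry.

Added example, not part of the sandbox report. The ProcEvent records are
constructed to mirror the report's process tree (PIDs 580, 4044, 2216, 3868)
in a Sysmon Event ID 1-like shape; the field names, the parent of vssvc.exe
and the benign control event are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: Optional[int]
    parent_image: Optional[str]


# Constructed events. The parent of PID 580 is not in the report, so it is
# left unknown; vssvc.exe's parent (services.exe, PID 700) is an assumption.
EVENTS = [
    ProcEvent(580, SAMPLE, f'"{SAMPLE}"', None, None),
    ProcEvent(4044, r"C:\Windows\System32\Wbem\wmic.exe",
              "wmic.exe shadowcopy delete", 580, SAMPLE),
    ProcEvent(2216, r"C:\Windows\SYSTEM32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet", 580, SAMPLE),
    ProcEvent(3868, r"C:\Windows\system32\vssvc.exe",
              r"C:\Windows\system32\vssvc.exe", 700, r"C:\Windows\System32\services.exe"),
    # benign control: an admin listing shadows from an interactive shell
    ProcEvent(5012, r"C:\Windows\SYSTEM32\vssadmin.exe",
              "vssadmin list shadows", 4100, r"C:\Windows\System32\cmd.exe"),
]

# (rule name, regex on the image basename, regex on the normalised command line)
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin(\.exe)?", r"\bdelete\s+shadows\b"),
    ("vssadmin_resize_shadowstorage", r"vssadmin(\.exe)?", r"\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"wmic(\.exe)?", r"\bshadowcopy\s+delete\b"),
    ("powershell_win32_shadowcopy_delete", r"(powershell|pwsh)(\.exe)?",
     r"win32_shadowcopy.*(\.delete\(|remove-wmiobject|remove-ciminstance)"),
]

# Parents under these roots are graded "medium" (backup agents legitimately
# prune shadows); anything else, such as a binary in %TEMP%, is "high".
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalize(cmd: str) -> str:
    # collapse whitespace and lower-case so "Delete   Shadows" still matches
    return re.sub(r"\s+", " ", cmd).strip().lower()


def detect(events):
    """Return one finding per event whose image and command line match a rule."""
    findings = []
    for ev in events:
        base = _basename(ev.image)
        cmd = _normalize(ev.command_line)
        for name, image_re, cmd_re in RULES:
            if re.fullmatch(image_re, base) and re.search(cmd_re, cmd):
                parent = (ev.parent_image or "").lower()
                trusted = parent.startswith(TRUSTED_PARENT_DIRS)
                findings.append({
                    "rule": name, "pid": ev.pid, "command_line": ev.command_line,
                    "parent_pid": ev.parent_pid, "parent_image": ev.parent_image,
                    "severity": "medium" if trusted else "high",
                })
                break  # one finding per event
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['severity']}] {f['rule']}: pid {f['pid']} "
              f"<- parent {f['parent_pid']} ({f['parent_image']})")
```

Matching on the image basename rather than the full path keeps the rule working when the tool is copied or run through a renamed path, and normalising the command line defeats the whitespace and case tricks that are cheap for an attacker to add. Keying severity on the parent image is what separates this tree from a backup agent doing the same thing on schedule.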