ragnarlocker | ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

Analysis

max time kernel
300s
max time network
378s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Size

39KB
MD5

7529e3c83618f5e3a4cc6dbf3a8534a6
SHA1

0f944504eebfca5466b6113853b0d83e38cf885a
SHA256

ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597
SHA512

7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Score

10^/10

ragnarlocker bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_7E8535F5.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Signatures

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\autumn.mobile.jpg	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\xboxservices.config	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-GB.PostalAddress.ot	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Mummys_Boy_.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_48x48x32.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\ui-strings.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_altform-unplated_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CubeTile_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\us_16x11.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-400.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_48x48x32.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-100.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyDrop32x32.gif	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shuttle.3mf	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RGNR_7E8535F5.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4052	vssadmin.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2316	notepad.exe
1492	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe
Token: SeSystemProfilePrivilege	2612	wmic.exe
Token: SeSystemtimePrivilege	2612	wmic.exe
Token: SeProfSingleProcessPrivilege	2612	wmic.exe
Token: SeIncBasePriorityPrivilege	2612	wmic.exe
Token: SeCreatePagefilePrivilege	2612	wmic.exe
Token: SeBackupPrivilege	2612	wmic.exe
Token: SeRestorePrivilege	2612	wmic.exe
Token: SeShutdownPrivilege	2612	wmic.exe
Token: SeDebugPrivilege	2612	wmic.exe
Token: SeSystemEnvironmentPrivilege	2612	wmic.exe
Token: SeRemoteShutdownPrivilege	2612	wmic.exe
Token: SeUndockPrivilege	2612	wmic.exe
Token: SeManageVolumePrivilege	2612	wmic.exe
Token: 33	2612	wmic.exe
Token: 34	2612	wmic.exe
Token: 35	2612	wmic.exe
Token: 36	2612	wmic.exe
Token: SeBackupPrivilege	652	vssvc.exe
Token: SeRestorePrivilege	652	vssvc.exe
Token: SeAuditPrivilege	652	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe
Token: SeSystemProfilePrivilege	2612	wmic.exe
Token: SeSystemtimePrivilege	2612	wmic.exe
Token: SeProfSingleProcessPrivilege	2612	wmic.exe
Token: SeIncBasePriorityPrivilege	2612	wmic.exe
Token: SeCreatePagefilePrivilege	2612	wmic.exe
Token: SeBackupPrivilege	2612	wmic.exe
Token: SeRestorePrivilege	2612	wmic.exe
Token: SeShutdownPrivilege	2612	wmic.exe
Token: SeDebugPrivilege	2612	wmic.exe
Token: SeSystemEnvironmentPrivilege	2612	wmic.exe
Token: SeRemoteShutdownPrivilege	2612	wmic.exe
Token: SeUndockPrivilege	2612	wmic.exe
Token: SeManageVolumePrivilege	2612	wmic.exe
Token: 33	2612	wmic.exe
Token: 34	2612	wmic.exe
Token: 35	2612	wmic.exe
Token: 36	2612	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1492	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2612	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	73
PID 4256 wrote to memory of 2612	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	73
PID 4256 wrote to memory of 4052	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	74
PID 4256 wrote to memory of 4052	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	74
PID 4256 wrote to memory of 2316	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	82
PID 4256 wrote to memory of 2316	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	82
PID 4256 wrote to memory of 2316	4256	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	82

C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
"C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4052
- C:\Windows\SysWOW64\notepad.exe
  C:\Users\Public\Documents\RGNR_7E8535F5.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RGNR_7E8535F5.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact