ragnarlocker | b0d8f9aa9566245362d7e7443ab4add80ce90fbdf35a30df9a89e9dae5f22190

Analysis

max time kernel
226s
max time network
1555s
platform
windows11_x64
resource
win11
submitted
27-10-2021 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Score

10^/10

ragnarlocker bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_29E32B36.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Signatures

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_29E32B36.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-400.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\RunningLate.scale-80.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\Assets\Fonts\SetMDL2.ttf	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Assets\Icon_Xbox_PhotosSplashWideTile.scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.ELM	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare50x50Logo.scale-400.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Assets\VideoEditor\contrast-black\VideoEditorAppList.targetsize-40_altform-lightunplated_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Icon.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Assets\VideoEditor\contrast-black\VideoEditorAppList.targetsize-96_altform-lightunplated_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.28.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_contrast-white.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2105.41472.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-48_contrast-white.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.41203.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2021.105.10.0_x64__8wekyb3d8bbwe\LensSDK\Assets\EnsoUI\RGNR_29E32B36.txt	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-lightunplated.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12105.1001.23.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\as.pak	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.11591.0_x64__8wekyb3d8bbwe\Windows.ApplicationModel.Calls.Background.CallsBackgroundContract.winmd	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-400.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.4.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\OUTRO_300px\OUTRO_300px.73.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-400.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\hi.pak.DATA	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.41203.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCard.base.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\MEIPreload\preloaded_data.pb	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.42.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80_altform-unplated.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-257790753-2419383948-818201544-1000-MergedResources-2.pri	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-100.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21061.10121.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.4.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-24_altform-lightunplated_contrast-white.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\version.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2021.105.10.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-36_altform-unplated.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-64_altform-lightunplated.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.41203.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2021.2105.4.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.28.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\Assets\contrast-black\WindowsSecurityLargeTile.scale-200_contrast-black.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Data\StreamingAssets\10297_ag_bokeh_sparkles	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-100.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsAppList.scale-200.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Assets\txtfile.targetsize-40.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.9.1942.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-125.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Breadcrumb\Breadcrumb.base.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.38.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-100.png	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\GroupedList.js	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000312b64fa169c92a50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000400600000000ffffffff000000002700010000080000312b64fa00000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005006000000000000a0f93f000000ffffffff000000000701010000280300312b64fa00000000000050060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2972	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5076	notepad.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: 36	2904	wmic.exe
Token: SeBackupPrivilege	4492	vssvc.exe
Token: SeRestorePrivilege	4492	vssvc.exe
Token: SeAuditPrivilege	4492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: 36	2904	wmic.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2904	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	80
PID 3440 wrote to memory of 2904	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	80
PID 3440 wrote to memory of 2972	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	82
PID 3440 wrote to memory of 2972	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	82
PID 3440 wrote to memory of 5076	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	93
PID 3440 wrote to memory of 5076	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	93
PID 3440 wrote to memory of 5076	3440	ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe	93

C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe
"C:\Users\Admin\AppData\Local\Temp\ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597.sample.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2972
- C:\Windows\SysWOW64\notepad.exe
  C:\Users\Public\Documents\RGNR_29E32B36.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads