Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05/03/2022, 14:52
Static task: static1
Behavioral task: behavioral1
- Sample: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Resource: win10v2004-en-20220112
General
- Target: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Size: 798KB
- MD5: 987bcd521229b303fbe384def3b9be24
- SHA1: 81606251ea97a89f483a675bc819d545e7ff515a
- SHA256: 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36
- SHA512: d8af7542607e2c9aace36accd594ef41c1334010917c64f7dfba806ca795715cfd967963924f732c2d4ebe7c36282bf8f96f6d971265c2a7b4b94c6d259e99b5
Malware Config
Extracted:
- C:\Users\Public\Documents\RGNR_7E64CADC.txt
- 1E6EjTqYPHLj1uovPKKRXzMpPCcpAcVuiU
- https://tox.chat/download.html
Signatures
- RagnarLocker
  Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PHYSICALDRIVE0 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Drops file in Program Files directory (64 IoCs)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value missing) | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1584 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1844 wrote to memory of 2876 | 1844 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe | 65
  PID 1844 wrote to memory of 2876 | 1844 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe | 65
  PID 1844 wrote to memory of 1584 | 1844 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe | 67
  PID 1844 wrote to memory of 1584 | 1844 | 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe | 67
Processes
- C:\Users\Admin\AppData\Local\Temp\0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36.exe"
  PID: 1844
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe shadowcopy delete
    PID: 2876
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
    PID: 1584
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1276
  - Suspicious use of AdjustPrivilegeToken