Analysis
-
max time kernel
123s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2022 10:18
Static task
static1
Behavioral task
behavioral1
Sample
3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe
Resource
win10v2004-20220901-en
General
-
Target
3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe
-
Size
1.6MB
-
MD5
0a7194829f99e72104cefc3bc791c1e5
-
SHA1
a1979bb993a079f7f8f23b893690985ca8c04da1
-
SHA256
3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215
-
SHA512
5f1cbcda731ee17792305cf4f07494f026594ae3b5b4a4026bb4189bf7dc32c939985e5fde29b19a0bba3b1f1e2d9c857bc37199adedfe8c4603a8e325aaacd9
-
SSDEEP
768:spCmKJILjsoq65corBjd/3oqab0k3RLKul1FXI4xyuReduloYQ:splco4aFoqaXpTXISR8YQ
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_77206419.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\GroupShow.raw => C:\Users\Admin\Pictures\GroupShow.raw.ragnar_77206419 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Users\Admin\Pictures\JoinFind.tiff 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File renamed C:\Users\Admin\Pictures\JoinFind.tiff => C:\Users\Admin\Pictures\JoinFind.tiff.ragnar_77206419 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File renamed C:\Users\Admin\Pictures\SetMove.raw => C:\Users\Admin\Pictures\SetMove.raw.ragnar_77206419 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-125.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\ui-strings.js 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-100.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_pl.json 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-400.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-200.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\close.svg 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-tiny.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-150.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-lightunplated.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\ui-strings.js 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-24_altform-unplated_contrast-black.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-400.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-100.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Bold.ttf 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-white.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W1.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\4.rsrc 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\rename.svg 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-lightunplated.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\View3DConfig.json 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\SensorFusionLib.winmd 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-150.png 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\RGNR_77206419.txt 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1816 vssadmin.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2072 notepad.exe 3492 notepad.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 476 wmic.exe Token: SeSecurityPrivilege 476 wmic.exe Token: SeTakeOwnershipPrivilege 476 wmic.exe Token: SeLoadDriverPrivilege 476 wmic.exe Token: SeSystemProfilePrivilege 476 wmic.exe Token: SeSystemtimePrivilege 476 wmic.exe Token: SeProfSingleProcessPrivilege 476 wmic.exe Token: SeIncBasePriorityPrivilege 476 wmic.exe Token: SeCreatePagefilePrivilege 476 wmic.exe Token: SeBackupPrivilege 476 wmic.exe Token: SeRestorePrivilege 476 wmic.exe Token: SeShutdownPrivilege 476 wmic.exe Token: SeDebugPrivilege 476 wmic.exe Token: SeSystemEnvironmentPrivilege 476 wmic.exe Token: SeRemoteShutdownPrivilege 476 wmic.exe Token: SeUndockPrivilege 476 wmic.exe Token: SeManageVolumePrivilege 476 wmic.exe Token: 33 476 wmic.exe Token: 34 476 wmic.exe Token: 35 476 wmic.exe Token: 36 476 wmic.exe Token: SeBackupPrivilege 4444 vssvc.exe Token: SeRestorePrivilege 4444 vssvc.exe Token: SeAuditPrivilege 4444 vssvc.exe Token: SeIncreaseQuotaPrivilege 476 wmic.exe Token: SeSecurityPrivilege 476 wmic.exe Token: SeTakeOwnershipPrivilege 476 wmic.exe Token: SeLoadDriverPrivilege 476 wmic.exe Token: SeSystemProfilePrivilege 476 wmic.exe Token: SeSystemtimePrivilege 476 wmic.exe Token: SeProfSingleProcessPrivilege 476 wmic.exe Token: SeIncBasePriorityPrivilege 476 wmic.exe Token: SeCreatePagefilePrivilege 476 wmic.exe Token: SeBackupPrivilege 476 wmic.exe Token: SeRestorePrivilege 476 wmic.exe Token: SeShutdownPrivilege 476 wmic.exe Token: SeDebugPrivilege 476 wmic.exe Token: SeSystemEnvironmentPrivilege 476 wmic.exe Token: SeRemoteShutdownPrivilege 476 wmic.exe Token: SeUndockPrivilege 476 wmic.exe Token: SeManageVolumePrivilege 476 wmic.exe Token: 33 476 wmic.exe Token: 34 476 wmic.exe Token: 35 476 wmic.exe Token: 36 476 wmic.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3212 wrote to memory of 476 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 82 PID 3212 wrote to memory of 476 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 82 PID 3212 wrote to memory of 1816 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 84 PID 3212 wrote to memory of 1816 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 84 PID 3212 wrote to memory of 3492 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 100 PID 3212 wrote to memory of 3492 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 100 PID 3212 wrote to memory of 3492 3212 3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe"C:\Users\Admin\AppData\Local\Temp\3dddc43094e3b65f3da251b9abe774029c252456aa6d9614733da74859fa9215.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:476
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1816
-
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_77206419.txt2⤵
- Opens file in notepad (likely ransom note)
PID:3492
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1416
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\InstallExport.ps1"1⤵
- Opens file in notepad (likely ransom note)
PID:2072
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50880547340d1b849a7d4faaf04b6f905
SHA137fa5848977fd39df901be01c75b8f8320b46322
SHA25684449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25
SHA5129048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91