Analysis
max time kernel: 32s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28-12-2023 10:42
Behavioral task: behavioral1
Sample: 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Resource: win10v2004-20231215-en
General
Target: 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Size: 27KB
MD5: 682ce5d86e8181d1e0a18780a5b158df
SHA1: ee4b692b3beea8e0a4cd972ad4dba4595fdf4fb4
SHA256: 9dbcee8b0f17203c0b122b582b37c72a518536878120f5b7878651da6da37c10
SHA512: 5f21ed3b15cb6cde5dc137ac39b1400982aebdde9e3d8fe349b74fd9ba1f39a22d9bab166f0c606f290d86c3d578df8e086af567ec1bf79edd4bf59bfd9c9294
SSDEEP: 384:dsRKN4ZYmcv/rELdMF2CC5hAkjz0pFOvcZsIw6THPOt5l3AyJuB1uTSqv:duZYpYMQCC/xcOvcKDGu5Je1YSq
Malware Config
Extracted
Path: C:\Users\Public\Documents\!$R4GN4R_66A976E8$!.txt
Family: ragnarlocker
Signatures

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
pid  | Process
2584 | bcdedit.exe
1648 | bcdedit.exe
1728 | bcdedit.exe
Renames multiple (105) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
resource | yara_rule
behavioral1/memory/2988-0-0x0000000000C30000-0x0000000000C45000-memory.dmp | upx
behavioral1/memory/2988-4-0x0000000000C30000-0x0000000000C45000-memory.dmp | upx
behavioral1/memory/2988-6-0x0000000000C30000-0x0000000000C45000-memory.dmp | upx
behavioral1/memory/2988-7195-0x0000000000C30000-0x0000000000C45000-memory.dmp | upx
behavioral1/memory/2988-14657-0x0000000000C30000-0x0000000000C45000-memory.dmp | upx
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini | 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
File opened (read-only) | \??\F: | 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid  | Process
2816 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of WriteProcessMemory 20 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87.exe"
  PID: 2988
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2816
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic.exe shadowcopy delete
      PID: 3004
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {globalsettings} advancedoptions false
      PID: 2584
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      PID: 1648
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      PID: 1728
      - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Users\Public\Documents\!$R4GN4R_66A976E8$!.txt
      PID: 2540

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2636
  - Suspicious use of AdjustPrivilegeToken
Downloads
Filesize: 4KB
MD5: f404b04194e67dec4e42b2027b2484da
SHA1: 85d07ad4115c52d7a87f886ce51437a7612c7db6
SHA256: 046ee39ba91ca3d6f636258184e08d4e0a86ba4a41f7e80169680037d46a471e
SHA512: 77eff6a6df04fb16c8be4e10897b40df20e9cc1a0e3b93c51ee187eb11f09f9a448bdd667c6025b4ad674b206be96eb6ebcda901e05840b58d16d97b5705bb2f