Overview

overview

10

Static

static

ee7221f0d7...e1.exe

windows7_x64

10

ee7221f0d7...e1.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

  • Size

    211KB

  • Sample

    200427-p72xe61yr6

  • MD5

    32ed52d918a138ddad24dd3a84e20e56

  • SHA1

    11f455b32e8473353febc5995cef63497c5404a1

  • SHA256

    ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1

  • SHA512

    13e49bb04813598ef5ab1e40a0a657091182bf8ec7b9d4a24bb6d162bfc01b232c910e6e85fdefc13dcded49438e5e6d996ca21a13ec2cd7a0d5f5a40c16a446

Score
10/10
ragnarokevasionpersistenceransomware

Malware Config

Extracted

Path

C:\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note
#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLBxERBdVSLJELyM0M2IER5czMxEDM0U0QFNkQzETMBVTRwkDR4MkQDRTN5EUQ0Y0NDlTQ2QjRERUMEVjR0YDRxMkR5UjRGFzMzEjMFJTO3IzNwIkR1IDMyI0QwEUOCJTQ1UkNwYjMCRzQDNERzgDMyQjN4IkRDFTQEdDRBBTO5gDMGhDO2UERCZTQ1I0MwQ0MENzMDZkNGZ0NGNzN2YzQDVkQ5UkR0Q0NEFUM0EjMFVUN4ETQFVTRDJEMzEjNEhDRDRjRClTNFNUNycTN2MjQ0EERDJjNwADR4EURFF0N1UUNyEUMDVEOzgzQFlDMyQDN3U0NClDRFNkQ0E0N5QUOFNUOCVUMCRzQwEkMxEEOxADOGNUMwUDMGFDN0IDR0QUOGdzMFNzMwQTN3kzMFdTN0QkREdjQyETQ1QUQ3kTN2E0QDFDR3IER3AzNGJDNxQUNDRjM0E0NyYjM2UTMxEjR4E0N0gzN3UENzM0MwIDMzADRyIENzEUR5M0N4ATNGBjM4YUOENkQwQTQ2UjQwEjNBVTOFF0MxMkQGBzM3IjNyMzNxIkQ1UkR2I0Q5QjN2MURwEUN1MERGNkRBNDOElDMzMUOyQjNxY0MDNDR2YTMwIUQ3E0MBhjR3IUQDNkQykzNFVUNEZDO4IEM4Q0NDVTRFdzNEhDNzQUO2QTMERDOBdjM5EENzEUNGZDRFFEMEJDN4UkN2UTQ2EzQ4YDRBN0M5Q0Q5YUR3QTQGR0M3MTMChjMxUjNENjM2YENzQERBBDMDZkM1YkMzUDO2YERyMEO1ADM0ETRGRjM3IjMwMUQ1MDNxITQChTNERjN3EkNEVEMyEjMyYUOGNzNBJDRDFjR2MEMBZkR3EUR0UERFNEOzkDRFFzNCVjNEhTNzYEM4cTR0MDR0EUNwQTQDZER4UUQxQjQyQjR1IDM5EDM0MUMDZTO5UjN1YTRGF0QxcDOCZUN3AzQCF0QyU0M3QkR5QERzcjM2M0NzMjM0UUQDJUQEZzMBFEMBdzQFVjM1EDNFJDNyM0N2QUO0UjQ3IEO4QDNxITO0ITM1IDNFdTQDFUO2IERyUUMClzQ3UDN5UkQEVjQ5UTQxcjMEBTN3ATNDFERBZkNBFTQ2UERFFzNEZzNxYEMyIzNwIzM3U0M2MzMzgDOxcTODBzQEVTQ0gDOyYEOFdjQ5UkR4kTQBRjN2YUN3gTN5ITN3YzNyI0NFRUOGRTN0QTNxQkMGRERwIURGlTMFVUMGFzMwkDRwADMGRkQCdTOGN0NBdzNERDOGFDOFlDO3MEOBRDODVTQ1kzNzETMElzMBRzN3ETM3UTOClzNxEzNxYEN4EEMwITNxQkRxQTQ0QTO1UkN1IDOxcjQxUkQzYTM3cTQGJ0QzwSRFVDN1YkM4YjNzQDMzYDO4gzMDNEN5cTNyMkNzIjM1YTRyQDM4gjN3cjN1gDRBRTM4MTN5UUNwMjMChDO3YDRyMDMyUDN4QUREZENDJTM4MkM1gjQCVTQwYTRxgDOGVzNFNzMElDR2QUQ4YEO2UjRCdTQ3EkNyUzQ4MTNFBTO0QEN2UURzEDMDZTMBVUM1QzNxIkN2QURxYTNxEDOCNENyMEN3QkMyEEM4gzQ2gTO3YEOERzQxYDOyIURwIERzIUQzQEO2EkQyQ0NwYUO0IDR0kTQxMzN2UkNwITQyIkQCNTRDV0Q1ETM0ATQDFkQxgDR2UURzYDRFZjNwMjR0YDNzYkR2U0MwQTN3MTMwATMElTRzgDRFRDREZ0N3YzQBljRGFTMFhDR1gDM2kDMFBzMCJDRzETQ2ADRDJ0Q3U0Q3EkQ4M0N0IURBZ0MBFDR3ETRzAjRwI0Q4EzMEFDOxEjNyIzQGRjQDljQzETRBZDOxQERyIkMyEENEFEM2ETR5QUOyczMCF0N0UEMzIDM4AjMxUzQ3ETNFBjR4YkRxcjM5kDNFRDRxQjR2UUM5kzM3cDN1QjM4QjN4MUR1cDR4UEO5YERzM0MwEER1MzN1UjNxMTRFFDR5UTNDNzMBFkM3kjNEJDR2QUQxEjNEhjM3IzN3YkMzIEOGZkMBljRwMkM2gzNEFjNwkjNGdzN0QUOyQjRGVTOCVkN4QEN2QjQGNkREJDRENkQ4YEM5ADM1QkNxkTMEVjM0QDMBhTOFRDNElDMEJUM0YzMBFkN1YkRFBDODVkN3EDM5YTMEljR0EDMwY0QBRDMyEkNBRDMDNTNyUEOCFUMxI0NDlTN0MEMCZER5ADMyYUR0YTQFZUO1IDR1MjNDZ0QwUEOBhTQ0Q0QyIUMBFUN3MDM0M0MERkNEFUOCZUOBBTQ2UkQ2UEOFVDNxI0Q3UDRxUURwEjMGhDOEVER3kjMzkzQBVjR4QUR4kzMDVjM0UDNEFDRyQjNwE0Q1IUO0EDMzITOGRUM5gTQEdjR0YDNGZkR0IkRwIkRyEUNDNUR0YkQ3gjQFFUN1UjQyMkR0IzQwETNBhTRENDMxIUQ5ITO2I0MwEDNEhTN3gjMygTQ4QzQDRTM0MDOFBDO5MEN1EzM3M0Q2UDO4YjNCFjRDVkQ0EzMyMTQwMjRwAzN1M0MERjN2IUMChzMzIURzkjNEdzQwYER1E0QFRkR3EzQ3YzM2MjN3MjNGdDRwEkM2ITQzQDMCVURyATRFJjQ0ETOBhTQFdjNGNEOCZDO2QjR2gTQEZjQ4UjN1UUQDNDNEVjRyIzM2MjNFNTQCdTN5UER2gTOwgzMGJURzYERBZzMDVkQGNkNyYzNBRDO1gzN

Extracted

Path

C:\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note
#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\296333\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note
#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N

Targets

    • Target

      ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

    • Size

      211KB

    • MD5

      32ed52d918a138ddad24dd3a84e20e56

    • SHA1

      11f455b32e8473353febc5995cef63497c5404a1

    • SHA256

      ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1

    • SHA512

      13e49bb04813598ef5ab1e40a0a657091182bf8ec7b9d4a24bb6d162bfc01b232c910e6e85fdefc13dcded49438e5e6d996ca21a13ec2cd7a0d5f5a40c16a446

    Score
    10/10
    ransomwareevasionpersistenceragnarok

    • Ragnarok

      Ransomware family deployed from Citrix servers infected via CVE-2019-19781.

      ransomwareragnarok

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies Windows Firewall

      evasion

    • Drops desktop.ini file(s)

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks