ragnarok | ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1

General

Target

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
Size

211KB
MD5

32ed52d918a138ddad24dd3a84e20e56
SHA1

11f455b32e8473353febc5995cef63497c5404a1
SHA256

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1
SHA512

13e49bb04813598ef5ab1e40a0a657091182bf8ec7b9d4a24bb6d162bfc01b232c910e6e85fdefc13dcded49438e5e6d996ca21a13ec2cd7a0d5f5a40c16a446

Score

10^/10

ransomware evasion persistence ragnarok

Malware Config

Extracted

Path

C:\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note

#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below ragnarok_master@protonmail.com ragnarok@rape.lol yawkyawkyawk@cock.li DEVICE ID: AwCLBxERBdVSLJELyM0M2IER5czMxEDM0U0QFNkQzETMBVTRwkDR4MkQDRTN5EUQ0Y0NDlTQ2QjRERUMEVjR0YDRxMkR5UjRGFzMzEjMFJTO3IzNwIkR1IDMyI0QwEUOCJTQ1UkNwYjMCRzQDNERzgDMyQjN4IkRDFTQEdDRBBTO5gDMGhDO2UERCZTQ1I0MwQ0MENzMDZkNGZ0NGNzN2YzQDVkQ5UkR0Q0NEFUM0EjMFVUN4ETQFVTRDJEMzEjNEhDRDRjRClTNFNUNycTN2MjQ0EERDJjNwADR4EURFF0N1UUNyEUMDVEOzgzQFlDMyQDN3U0NClDRFNkQ0E0N5QUOFNUOCVUMCRzQwEkMxEEOxADOGNUMwUDMGFDN0IDR0QUOGdzMFNzMwQTN3kzMFdTN0QkREdjQyETQ1QUQ3kTN2E0QDFDR3IER3AzNGJDNxQUNDRjM0E0NyYjM2UTMxEjR4E0N0gzN3UENzM0MwIDMzADRyIENzEUR5M0N4ATNGBjM4YUOENkQwQTQ2UjQwEjNBVTOFF0MxMkQGBzM3IjNyMzNxIkQ1UkR2I0Q5QjN2MURwEUN1MERGNkRBNDOElDMzMUOyQjNxY0MDNDR2YTMwIUQ3E0MBhjR3IUQDNkQykzNFVUNEZDO4IEM4Q0NDVTRFdzNEhDNzQUO2QTMERDOBdjM5EENzEUNGZDRFFEMEJDN4UkN2UTQ2EzQ4YDRBN0M5Q0Q5YUR3QTQGR0M3MTMChjMxUjNENjM2YENzQERBBDMDZkM1YkMzUDO2YERyMEO1ADM0ETRGRjM3IjMwMUQ1MDNxITQChTNERjN3EkNEVEMyEjMyYUOGNzNBJDRDFjR2MEMBZkR3EUR0UERFNEOzkDRFFzNCVjNEhTNzYEM4cTR0MDR0EUNwQTQDZER4UUQxQjQyQjR1IDM5EDM0MUMDZTO5UjN1YTRGF0QxcDOCZUN3AzQCF0QyU0M3QkR5QERzcjM2M0NzMjM0UUQDJUQEZzMBFEMBdzQFVjM1EDNFJDNyM0N2QUO0UjQ3IEO4QDNxITO0ITM1IDNFdTQDFUO2IERyUUMClzQ3UDN5UkQEVjQ5UTQxcjMEBTN3ATNDFERBZkNBFTQ2UERFFzNEZzNxYEMyIzNwIzM3U0M2MzMzgDOxcTODBzQEVTQ0gDOyYEOFdjQ5UkR4kTQBRjN2YUN3gTN5ITN3YzNyI0NFRUOGRTN0QTNxQkMGRERwIURGlTMFVUMGFzMwkDRwADMGRkQCdTOGN0NBdzNERDOGFDOFlDO3MEOBRDODVTQ1kzNzETMElzMBRzN3ETM3UTOClzNxEzNxYEN4EEMwITNxQkRxQTQ0QTO1UkN1IDOxcjQxUkQzYTM3cTQGJ0QzwSRFVDN1YkM4YjNzQDMzYDO4gzMDNEN5cTNyMkNzIjM1YTRyQDM4gjN3cjN1gDRBRTM4MTN5UUNwMjMChDO3YDRyMDMyUDN4QUREZENDJTM4MkM1gjQCVTQwYTRxgDOGVzNFNzMElDR2QUQ4YEO2UjRCdTQ3EkNyUzQ4MTNFBTO0QEN2UURzEDMDZTMBVUM1QzNxIkN2QURxYTNxEDOCNENyMEN3QkMyEEM4gzQ2gTO3YEOERzQxYDOyIURwIERzIUQzQEO2EkQyQ0NwYUO0IDR0kTQxMzN2UkNwITQyIkQCNTRDV0Q1ETM0ATQDFkQxgDR2UURzYDRFZjNwMjR0YDNzYkR2U0MwQTN3MTMwATMElTRzgDRFRDREZ0N3YzQBljRGFTMFhDR1gDM2kDMFBzMCJDRzETQ2ADRDJ0Q3U0Q3EkQ4M0N0IURBZ0MBFDR3ETRzAjRwI0Q4EzMEFDOxEjNyIzQGRjQDljQzETRBZDOxQERyIkMyEENEFEM2ETR5QUOyczMCF0N0UEMzIDM4AjMxUzQ3ETNFBjR4YkRxcjM5kDNFRDRxQjR2UUM5kzM3cDN1QjM4QjN4MUR1cDR4UEO5YERzM0MwEER1MzN1UjNxMTRFFDR5UTNDNzMBFkM3kjNEJDR2QUQxEjNEhjM3IzN3YkMzIEOGZkMBljRwMkM2gzNEFjNwkjNGdzN0QUOyQjRGVTOCVkN4QEN2QjQGNkREJDRENkQ4YEM5ADM1QkNxkTMEVjM0QDMBhTOFRDNElDMEJUM0YzMBFkN1YkRFBDODVkN3EDM5YTMEljR0EDMwY0QBRDMyEkNBRDMDNTNyUEOCFUMxI0NDlTN0MEMCZER5ADMyYUR0YTQFZUO1IDR1MjNDZ0QwUEOBhTQ0Q0QyIUMBFUN3MDM0M0MERkNEFUOCZUOBBTQ2UkQ2UEOFVDNxI0Q3UDRxUURwEjMGhDOEVER3kjMzkzQBVjR4QUR4kzMDVjM0UDNEFDRyQjNwE0Q1IUO0EDMzITOGRUM5gTQEdjR0YDNGZkR0IkRwIkRyEUNDNUR0YkQ3gjQFFUN1UjQyMkR0IzQwETNBhTRENDMxIUQ5ITO2I0MwEDNEhTN3gjMygTQ4QzQDRTM0MDOFBDO5MEN1EzM3M0Q2UDO4YjNCFjRDVkQ0EzMyMTQwMjRwAzN1M0MERjN2IUMChzMzIURzkjNEdzQwYER1E0QFRkR3EzQ3YzM2MjN3MjNGdDRwEkM2ITQzQDMCVURyATRFJjQ0ETOBhTQFdjNGNEOCZDO2QjR2gTQEZjQ4UjN1UUQDNDNEVjRyIzM2MjNFNTQCdTN5UER2gTOwgzMGJURzYERBZzMDVkQGNkNyYzNBRDO1gzN

Emails

ragnarok_master@protonmail.com

ragnarok@rape.lol

yawkyawkyawk@cock.li

Signatures

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

description	pid	process	target process
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	cmd.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1504 bcdedit.exe
1544 bcdedit.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

pid process

2024 ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1472 vssadmin.exe

pid	process
1504	bcdedit.exe
1544	bcdedit.exe

pid	process
2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

pid	process
1472	vssadmin.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

description	ioc	process
File created	C:\Users\Public\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Searches\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Libraries\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M8IM4P5W\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0DHL2DSS\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FT5Z4PS4\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RXSZRW3N\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 364 vssvc.exe
Token: SeRestorePrivilege 364 vssvc.exe
Token: SeAuditPrivilege 364 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	364	vssvc.exe
Token: SeRestorePrivilege	364	vssvc.exe
Token: SeAuditPrivilege	364	vssvc.exe

Modifies service 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exevssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe

Makes http(s) request 2 IoCs
Contacts server via http/https, possibly for C2 communication.

Processes:

description flow ioc

HTTP URL 1 http:///START_
HTTP URL 2 http:///BKIWADLA&pub_ip=&prv_ip=&.doc0007.txt0003.xls0003.ppt0003.sql0001.pdf0001
Ragnarok
Ransomware family deployed from Citrix servers infected via CVE-2019-19781.
ransomware ragnarok
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	1	http:///START_
HTTP URL	2	http:///BKIWADLA&pub_ip=&prv_ip=&.doc0007.txt0003.xls0003.ppt0003.sql0001.pdf0001

C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
"C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
PID:2024

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
PID:2032

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1472

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
PID:2040

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1504