ragnarok | ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1

Analysis

max time kernel
107s
max time network
111s
platform
windows7_x64
resource
win7v200410
submitted
27/04/2020, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
Size

211KB
MD5

32ed52d918a138ddad24dd3a84e20e56
SHA1

11f455b32e8473353febc5995cef63497c5404a1
SHA256

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1
SHA512

13e49bb04813598ef5ab1e40a0a657091182bf8ec7b9d4a24bb6d162bfc01b232c910e6e85fdefc13dcded49438e5e6d996ca21a13ec2cd7a0d5f5a40c16a446

Score

10^/10

ransomware evasion persistence ragnarok

Malware Config

Extracted

Path

C:\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note

#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLBxERBdVSLJELyM0M2IER5czMxEDM0U0QFNkQzETMBVTRwkDR4MkQDRTN5EUQ0Y0NDlTQ2QjRERUMEVjR0YDRxMkR5UjRGFzMzEjMFJTO3IzNwIkR1IDMyI0QwEUOCJTQ1UkNwYjMCRzQDNERzgDMyQjN4IkRDFTQEdDRBBTO5gDMGhDO2UERCZTQ1I0MwQ0MENzMDZkNGZ0NGNzN2YzQDVkQ5UkR0Q0NEFUM0EjMFVUN4ETQFVTRDJEMzEjNEhDRDRjRClTNFNUNycTN2MjQ0EERDJjNwADR4EURFF0N1UUNyEUMDVEOzgzQFlDMyQDN3U0NClDRFNkQ0E0N5QUOFNUOCVUMCRzQwEkMxEEOxADOGNUMwUDMGFDN0IDR0QUOGdzMFNzMwQTN3kzMFdTN0QkREdjQyETQ1QUQ3kTN2E0QDFDR3IER3AzNGJDNxQUNDRjM0E0NyYjM2UTMxEjR4E0N0gzN3UENzM0MwIDMzADRyIENzEUR5M0N4ATNGBjM4YUOENkQwQTQ2UjQwEjNBVTOFF0MxMkQGBzM3IjNyMzNxIkQ1UkR2I0Q5QjN2MURwEUN1MERGNkRBNDOElDMzMUOyQjNxY0MDNDR2YTMwIUQ3E0MBhjR3IUQDNkQykzNFVUNEZDO4IEM4Q0NDVTRFdzNEhDNzQUO2QTMERDOBdjM5EENzEUNGZDRFFEMEJDN4UkN2UTQ2EzQ4YDRBN0M5Q0Q5YUR3QTQGR0M3MTMChjMxUjNENjM2YENzQERBBDMDZkM1YkMzUDO2YERyMEO1ADM0ETRGRjM3IjMwMUQ1MDNxITQChTNERjN3EkNEVEMyEjMyYUOGNzNBJDRDFjR2MEMBZkR3EUR0UERFNEOzkDRFFzNCVjNEhTNzYEM4cTR0MDR0EUNwQTQDZER4UUQxQjQyQjR1IDM5EDM0MUMDZTO5UjN1YTRGF0QxcDOCZUN3AzQCF0QyU0M3QkR5QERzcjM2M0NzMjM0UUQDJUQEZzMBFEMBdzQFVjM1EDNFJDNyM0N2QUO0UjQ3IEO4QDNxITO0ITM1IDNFdTQDFUO2IERyUUMClzQ3UDN5UkQEVjQ5UTQxcjMEBTN3ATNDFERBZkNBFTQ2UERFFzNEZzNxYEMyIzNwIzM3U0M2MzMzgDOxcTODBzQEVTQ0gDOyYEOFdjQ5UkR4kTQBRjN2YUN3gTN5ITN3YzNyI0NFRUOGRTN0QTNxQkMGRERwIURGlTMFVUMGFzMwkDRwADMGRkQCdTOGN0NBdzNERDOGFDOFlDO3MEOBRDODVTQ1kzNzETMElzMBRzN3ETM3UTOClzNxEzNxYEN4EEMwITNxQkRxQTQ0QTO1UkN1IDOxcjQxUkQzYTM3cTQGJ0QzwSRFVDN1YkM4YjNzQDMzYDO4gzMDNEN5cTNyMkNzIjM1YTRyQDM4gjN3cjN1gDRBRTM4MTN5UUNwMjMChDO3YDRyMDMyUDN4QUREZENDJTM4MkM1gjQCVTQwYTRxgDOGVzNFNzMElDR2QUQ4YEO2UjRCdTQ3EkNyUzQ4MTNFBTO0QEN2UURzEDMDZTMBVUM1QzNxIkN2QURxYTNxEDOCNENyMEN3QkMyEEM4gzQ2gTO3YEOERzQxYDOyIURwIERzIUQzQEO2EkQyQ0NwYUO0IDR0kTQxMzN2UkNwITQyIkQCNTRDV0Q1ETM0ATQDFkQxgDR2UURzYDRFZjNwMjR0YDNzYkR2U0MwQTN3MTMwATMElTRzgDRFRDREZ0N3YzQBljRGFTMFhDR1gDM2kDMFBzMCJDRzETQ2ADRDJ0Q3U0Q3EkQ4M0N0IURBZ0MBFDR3ETRzAjRwI0Q4EzMEFDOxEjNyIzQGRjQDljQzETRBZDOxQERyIkMyEENEFEM2ETR5QUOyczMCF0N0UEMzIDM4AjMxUzQ3ETNFBjR4YkRxcjM5kDNFRDRxQjR2UUM5kzM3cDN1QjM4QjN4MUR1cDR4UEO5YERzM0MwEER1MzN1UjNxMTRFFDR5UTNDNzMBFkM3kjNEJDR2QUQxEjNEhjM3IzN3YkMzIEOGZkMBljRwMkM2gzNEFjNwkjNGdzN0QUOyQjRGVTOCVkN4QEN2QjQGNkREJDRENkQ4YEM5ADM1QkNxkTMEVjM0QDMBhTOFRDNElDMEJUM0YzMBFkN1YkRFBDODVkN3EDM5YTMEljR0EDMwY0QBRDMyEkNBRDMDNTNyUEOCFUMxI0NDlTN0MEMCZER5ADMyYUR0YTQFZUO1IDR1MjNDZ0QwUEOBhTQ0Q0QyIUMBFUN3MDM0M0MERkNEFUOCZUOBBTQ2UkQ2UEOFVDNxI0Q3UDRxUURwEjMGhDOEVER3kjMzkzQBVjR4QUR4kzMDVjM0UDNEFDRyQjNwE0Q1IUO0EDMzITOGRUM5gTQEdjR0YDNGZkR0IkRwIkRyEUNDNUR0YkQ3gjQFFUN1UjQyMkR0IzQwETNBhTRENDMxIUQ5ITO2I0MwEDNEhTN3gjMygTQ4QzQDRTM0MDOFBDO5MEN1EzM3M0Q2UDO4YjNCFjRDVkQ0EzMyMTQwMjRwAzN1M0MERjN2IUMChzMzIURzkjNEdzQwYER1E0QFRkR3EzQ3YzM2MjN3MjNGdDRwEkM2ITQzQDMCVURyATRFJjQ0ETOBhTQFdjNGNEOCZDO2QjR2gTQEZjQ4UjN1UUQDNDNEVjRyIzM2MjNFNTQCdTN5UER2gTOwgzMGJURzYERBZzMDVkQGNkNyYzNBRDO1gzN

Emails

[email protected]

Signatures

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	25
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	25
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	25
PID 2024 wrote to memory of 2032	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	25
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	26
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	26
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	26
PID 2024 wrote to memory of 2040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	26
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	28
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	28
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	28
PID 2024 wrote to memory of 1040	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	28
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	30
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	30
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	30
PID 2024 wrote to memory of 1068	2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	30

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1504	bcdedit.exe
1544	bcdedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2024	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1472	vssadmin.exe

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File created	C:\Users\Public\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Searches\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Libraries\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M8IM4P5W\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0DHL2DSS\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FT5Z4PS4\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RXSZRW3N\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	364	vssvc.exe
Token: SeRestorePrivilege	364	vssvc.exe
Token: SeAuditPrivilege	364	vssvc.exe

Modifies service 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe

Makes http(s) request 2 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	1	http:///START_
HTTP URL	2	http:///BKIWADLA&pub_ip=&prv_ip=&.doc0007.txt0003.xls0003.ppt0003.sql0001.pdf0001

Ragnarok
Ransomware family deployed from Citrix servers infected via CVE-2019-19781.
ransomware ragnarok
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
"C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet
  2⤵
  PID:2032
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2040
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd.exe /c bcdedit /set {current} recoveryenabled no
  2⤵
  PID:1040
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  PID:1068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies service
    PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads