Analysis
- max time kernel: 141s
- max time network: 21s
- platform: windows7_x64
- resource: win7v200430
- submitted: 03-06-2020 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: true.bin.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: true.bin.exe
- Resource: win10v200430
General
- Target: true.bin.exe
- Size: 47KB
- MD5: 3ca359f5085bb96a7950d4735b089ffe
- SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde
- SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
- SHA512: 67ac9a483062f42b984f8d2798a02461f27a718f5b93b6f84645170b65e8edbbfddae52c8bee4fd6735fea0e977d8615d1d5c49481e4fbf1480e5e2113af0426
Malware Config
Extracted
- Path: C:\Users\Public\Documents\RGNR_CB6AAE3E.txt
- Family: ragnarlocker
- URLs:
  http://p6o7m73ujalhgkiv.onion/?p=171
  http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
  http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
- Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: true.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\RemoveInvoke.tif => C:\Users\Admin\Pictures\RemoveInvoke.tif.ragnar_CB6AAE3E | true.bin.exe
File renamed | C:\Users\Admin\Pictures\RestoreClose.png => C:\Users\Admin\Pictures\RestoreClose.png.ragnar_CB6AAE3E | true.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SuspendRead.tiff | true.bin.exe
File renamed | C:\Users\Admin\Pictures\SuspendRead.tiff => C:\Users\Admin\Pictures\SuspendRead.tiff.ragnar_CB6AAE3E | true.bin.exe
File renamed | C:\Users\Admin\Pictures\ConfirmImport.png => C:\Users\Admin\Pictures\ConfirmImport.png.ragnar_CB6AAE3E | true.bin.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromRegister.tif => C:\Users\Admin\Pictures\ConvertFromRegister.tif.ragnar_CB6AAE3E | true.bin.exe
File renamed | C:\Users\Admin\Pictures\LimitOptimize.raw => C:\Users\Admin\Pictures\LimitOptimize.raw.ragnar_CB6AAE3E | true.bin.exe
File renamed | C:\Users\Admin\Pictures\PushConfirm.tif => C:\Users\Admin\Pictures\PushConfirm.tif.ragnar_CB6AAE3E | true.bin.exe
- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1456 | vssadmin.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes: true.bin.exe
description | pid | process | target process
PID 1520 wrote to memory of 1860 | 1520 | true.bin.exe | wmic.exe (4 occurrences)
PID 1520 wrote to memory of 1456 | 1520 | true.bin.exe | vssadmin.exe (4 occurrences)
PID 1520 wrote to memory of 1648 | 1520 | true.bin.exe | notepad.exe (4 occurrences)
- Drops file in Program Files directory (10156 IoCs)
Processes: true.bin.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\AdjacencyResume.dotx | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css | true.bin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN01084_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Clarity.thmx | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF | true.bin.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RGNR_CB6AAE3E.txt | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png | true.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png | true.bin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy | true.bin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\RGNR_CB6AAE3E.txt | true.bin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RGNR_CB6AAE3E.txt | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\FLYER.DPV | true.bin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\CONVERT\OLMAIL.FAE | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml | true.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar | true.bin.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RPLBRF35.CHM | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png | true.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02435_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00255_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png | true.bin.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\RGNR_CB6AAE3E.txt | true.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html | true.bin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099158.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\MENU.DPV | true.bin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG | true.bin.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF | true.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\ENGIDX.DAT | true.bin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\RGNR_CB6AAE3E.txt | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0240695.WMF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE | true.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV | true.bin.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\RGNR_CB6AAE3E.txt | true.bin.exe
- Drops startup file (1 IoCs)
Processes: true.bin.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_CB6AAE3E.txt | true.bin.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
Processes: notepad.exe
pid | process
1648 | notepad.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: true.bin.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | true.bin.exe
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: true.bin.exe
pid | process
1520 | true.bin.exe (50 occurrences)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1860 | wmic.exe
Token: SeSecurityPrivilege | 1860 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1860 | wmic.exe
Token: SeLoadDriverPrivilege | 1860 | wmic.exe
Token: SeSystemProfilePrivilege | 1860 | wmic.exe
Token: SeSystemtimePrivilege | 1860 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1860 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1860 | wmic.exe
Token: SeCreatePagefilePrivilege | 1860 | wmic.exe
Token: SeBackupPrivilege | 1860 | wmic.exe
Token: SeRestorePrivilege | 1860 | wmic.exe
Token: SeShutdownPrivilege | 1860 | wmic.exe
Token: SeDebugPrivilege | 1860 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1860 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1860 | wmic.exe
Token: SeUndockPrivilege | 1860 | wmic.exe
Token: SeManageVolumePrivilege | 1860 | wmic.exe
Token: 33 | 1860 | wmic.exe
Token: 34 | 1860 | wmic.exe
Token: 35 | 1860 | wmic.exe
Token: SeBackupPrivilege | 1600 | vssvc.exe
Token: SeRestorePrivilege | 1600 | vssvc.exe
Token: SeAuditPrivilege | 1600 | vssvc.exe
(the 20 wmic.exe token rows above are then repeated a second time in the report, for 43 rows in total)
- RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Processes
- C:\Users\Admin\AppData\Local\Temp\true.bin.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\true.bin.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Drops startup file
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\Wbem\wmic.exe (level 2)
    command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\vssadmin.exe (level 2)
    command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe (level 2)
    command line: C:\Users\Public\Documents\RGNR_CB6AAE3E.txt
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe (level 1)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\RGNR_CB6AAE3E.txt
- memory/1520-41-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-1-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-37-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-5-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-7-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-9-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-13-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-17-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-21-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-25-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-29-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-33-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-3-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-2-0x0000000002560000-0x0000000002571000-memory.dmp (filesize 68KB)
- memory/1520-75-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-47-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-49-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-51-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-55-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-59-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-67-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-43-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-83-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-89-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-91-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-99-0x0000000002970000-0x0000000002981000-memory.dmp (filesize 68KB)
- memory/1520-0-0x0000000002560000-0x0000000002571000-memory.dmp (filesize 68KB)