Analysis

  • max time kernel
    50s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-07-2020 11:01

General

  • Target

    CWT_company_ragnar_locker.exe

  • Size

    54KB

  • MD5

    574f3513f6d7e15f102e82e4d35bf164

  • SHA1

    f7a38385fe41bcd154fc7b6da034bfe719d6a0a7

  • SHA256

    04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87

  • SHA512

    a6ffed4af6cbbeb0bd95ce4ea801d25669540d71ddf4d41aaf2fbf51b0820802fee90bca5981cb498ed0945c1149acf820990e57f6deb845380d343d2a6e9350

Malware Config

Extracted

Path

C:\Users\Public\Documents\!$R4GN4R_F0C1BF83$!.txt

Family

ragnarlocker

Ransom Note

*****************************************************************************************************************
HELLO CWT_company !
IF YOU ARE READING THIS, IT'S MEAN YOUR DATA WAS ENCRYPTED AND YOU SENSITIVE PRIVATE INFORMATION WAS STOLEN!
READ CAREFULLY THE WHOLE INSTRUCTION NOTES TO AVOID DIFFICULTIES WITH YOUR DATA by RAGNAR_LOCKER !
*****************************************************************************************************************
*YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL*
(contact information you will find at the bottom of this notes)
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT Use any third-party or public Decryption software, it also may DAMAGE files.
DO NOT Shutdown or Reset your system, it can DAMAGE files
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us and pay for the special DECRYPTION KEY !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof that it Works.
Don't waste your TIME, the link for contact us will be deleted if there is no contact made in closest time and you will NEVER restore your DATA.
!!! HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
! WARNING !
Whole your network was fully COMPROMISED! We has DOWNLOADED more than 2 TB of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts!
Also we have corporate correspondence, information about your clients such as AXA Equitable, Abbot Laboratories, AIG, Amazon, Boston Scientific, Facebook, J & J, SONOCO, Estee Lauder and many others.
We got even more info about your partners and even about your staff, there are some screenshots just as a proofs of what we got on you.
Screenshots:
http://prntscr.com/to31n0 (from here was downloaded almost every file)
https://prnt.sc/to2kqq
https://prnt.sc/to2lbp
https://prnt.sc/tnzooz your trial balances in USD
https://prnt.sc/tnzqxf
https://prnt.sc/to2qlx
http://prnt.sc/to2rab
-------------------------------------
Whole data that gathered from your private files and directories could be published in MASS MEDIA for BREAKING NEWS!
Yours partners, clients and investors would be notified about LEAK.
However if we make a deal everything would be kept in secret and all your data will be restored.
You can take a look for some more examples of what we have, right now it's a private hidden page, but it could become accessable for Public View if you decide NOT pay.
Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?BatxqaHm8rKxIP16Z1xB
to view the page's content use password: GME5sYUN0A
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee
c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?BatxqaHm8rKxIP16Z1xB ( password: GME5sYUN0A )
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website.
At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---BEGIN KEY R_R---
YkMyYUFENzFFMjk3NmRhNTNGQzFFZmMzMTkzYzhGRGVBMEJBZUY4QTM3ODgzYzllMDVkM0JGRjgyQ0NmRThFZQ==
---END KEY R_R---
***********************************************************************************

URLs

http://prntscr.com/to31n0

https://prnt.sc/to2kqq

https://prnt.sc/to2lbp

https://prnt.sc/tnzooz

https://prnt.sc/tnzqxf

https://prnt.sc/to2qlx

http://prnt.sc/to2rab

http://p6o7m73ujalhgkiv.onion/?BatxqaHm8rKxIP16Z1xB

http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee

Signatures

  • Drops file in Program Files directory (2455 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses (65 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)
  • Modifies boot configuration data using bcdedit (1 TTP, 3 IoCs)
  • Modifies service (2 TTPs, 5 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken (45 IoCs)
  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

  • Drops desktop.ini file(s) (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\CWT_company_ragnar_locker.exe
    "C:\Users\Admin\AppData\Local\Temp\CWT_company_ragnar_locker.exe"
    1⤵
    • Drops file in Program Files directory
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Drops desktop.ini file(s)
    PID:240
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2028
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1068
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1500
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {globalsettings} advancedoptions false
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:676

Network

MITRE ATT&CK Enterprise v6

Downloads
