Overview

overview

10

Static

static

birch_ragn...er.exe

windows7_x64

10

birch_ragn...er.exe

windows10_x64

10

Analysis

  • max time kernel
    78s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    01-08-2020 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    birch_ragnarlocker.exe

  • Size

    49KB

  • MD5

    3dabfb99101821ae0e89389a9c9d28a5

  • SHA1

    72b19c503a642770945355ea0dce96bf9d735f81

  • SHA256

    1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033

  • SHA512

    131487a835f81a774b43155364a683b054b342c5176fe19264a4f9a510c6571532b1cb081011a09f733dee836192240cd36b419979832a601001b14ccbc5ff18

Score
10/10
ransomwarepersistenceragnarlockerbootkit

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_AC7AABB2.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO Birch.com,Cbeyond ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED Although your security measures already been BREACHED and your files were LOCKED, we was able to make a PENETRATION of your network AGAIN! by RAGNAR_LOCKER ! ***************************************************************************************************************** Your systems are very far from perfectly secured, so even after the first penetration you didn't fix and close vulnerabilities and we again have access to your network, it would be a big amazement in the news that you allowed second leakage! !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We has downloaded a lot of your private Data, including your biling info, business licenses, credit info, finance reports, business audit, Banking information and many other interesting things! Also we have an personal correspondence and information about your clients and partners and even about your staff, there are some screenshots just as a proofs. https://prnt.sc/sfle2v http://prnt.sc/sflk1s http://prnt.sc/sflkc8 http://prnt.sc/sflkn2 Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can find post already published regarding LEAKS from your company and it would be updated about the SECOND LEAK in less than one MONTH ! Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). ?���| *********************************************************************************** ---RAGNAR SECRET--- NkMzQjkzRDA0ODA5NTNkMTMzMDJmMThERDRhNkMwQzRlNTljRGFlNkQ0Zjg4RWQ1Yzk4Y0U4ZkNEMEY5RDZjRQ== ---RAGNAR SECRET--- ***********************************************************************************
URLs

https://prnt.sc/sfle2v

http://prnt.sc/sflk1s

http://prnt.sc/sflkc8

http://prnt.sc/sflkn2

http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/

http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE

Signatures

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Drops file in Program Files directory 10153 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    ransomwareragnarlocker

Processes

  • C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in Program Files directory
    • Drops desktop.ini file(s)
    • Drops startup file
    • Modifies extensions of user files
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:828
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_AC7AABB2.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1588
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\RGNR_AC7AABB2.txt
    Download Submit
  • memory/336-37-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-5-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-47-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-9-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-15-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-19-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-23-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-29-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-51-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-0-0x0000000002B40000-0x0000000002B51000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-1-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-2-0x0000000002B40000-0x0000000002B51000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-33-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-55-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-65-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-75-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-83-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-91-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/336-41-0x0000000002F50000-0x0000000002F61000-memory.dmp
    Filesize

    68KB

    Download
  • memory/828-101-0x0000000000000000-mapping.dmp
    Download
  • memory/1020-100-0x0000000000000000-mapping.dmp
    Download
  • memory/1588-102-0x0000000000000000-mapping.dmp
    Download