Analysis

  • max time kernel: 117s
  • max time network: 118s
  • platform: windows10_x64
  • resource: win10
  • submitted: 01-08-2020 02:10

General

  • Target: birch_ragnarlocker.exe
  • Size: 49KB
  • MD5: 3dabfb99101821ae0e89389a9c9d28a5
  • SHA1: 72b19c503a642770945355ea0dce96bf9d735f81
  • SHA256: 1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033
  • SHA512: 131487a835f81a774b43155364a683b054b342c5176fe19264a4f9a510c6571532b1cb081011a09f733dee836192240cd36b419979832a601001b14ccbc5ff18

Malware Config

Extracted

  • Path: C:\Users\Public\Documents\RGNR_2D08E9B5.txt
  • Family: ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO Birch.com,Cbeyond ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED Although your security measures already been BREACHED and your files were LOCKED, we was able to make a PENETRATION of your network AGAIN! by RAGNAR_LOCKER ! ***************************************************************************************************************** Your systems are very far from perfectly secured, so even after the first penetration you didn't fix and close vulnerabilities and we again have access to your network, it would be a big amazement in the news that you allowed second leakage! !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We has downloaded a lot of your private Data, including your biling info, business licenses, credit info, finance reports, business audit, Banking information and many other interesting things! Also we have an personal correspondence and information about your clients and partners and even about your staff, there are some screenshots just as a proofs. 
https://prnt.sc/sfle2v http://prnt.sc/sflk1s http://prnt.sc/sflkc8 http://prnt.sc/sflkn2 Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can find post already published regarding LEAKS from your company and it would be updated about the SECOND LEAK in less than one MONTH ! Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). ?���| *********************************************************************************** ---RAGNAR SECRET--- NkMzQjkzRDA0ODA5NTNkMTMzMDJmMThERDRhNkMwQzRlNTljRGFlNkQ0Zjg4RWQ1Yzk4Y0U4ZkNEMEY5RDZjRQ== ---RAGNAR SECRET--- ***********************************************************************************
URLs

https://prnt.sc/sfle2v

http://prnt.sc/sflk1s

http://prnt.sc/sflkc8

http://prnt.sc/sflkn2

http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/

http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE
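
The extracted note carries more than the URLs listed above: the base64 blob between the two ---RAGNAR SECRET--- markers decodes to the same 64-hex-character victim ID that is appended to the live-chat URL, so the "secret" is just that ID re-encoded. The following parser is an added example (not part of this report or of any Triage tooling): it pulls the .onion and clearnet URLs, the RGNR_<8 hex>.txt note name pattern seen in this run, and the secret blob from an excerpt of the note shown above, and checks that the decoded secret matches the ID in the chat URL. The function and regex names are this example's own.

```python
import base64
import re

# Excerpt of the ransom note dropped by this sample (lines copied from the
# report above; the rest of the note is omitted because the parser does not need it).
NOTE_EXCERPT = """HELLO Birch.com,Cbeyond !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
https://prnt.sc/sfle2v http://prnt.sc/sflk1s http://prnt.sc/sflkc8 http://prnt.sc/sflkn2
Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE
c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/
---RAGNAR SECRET---
NkMzQjkzRDA0ODA5NTNkMTMzMDJmMThERDRhNkMwQzRlNTljRGFlNkQ0Zjg4RWQ1Yzk4Y0U4ZkNEMEY5RDZjRQ==
---RAGNAR SECRET---
"""

# .onion hostnames are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_URL_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s]*")
CLEARNET_URL_RE = re.compile(r"https?://(?![^\s]*\.onion)[^\s]+")
SECRET_RE = re.compile(r"---RAGNAR SECRET---\s*([A-Za-z0-9+/=]+)\s*---RAGNAR SECRET---")
VICTIM_ID_RE = re.compile(r"\.onion/client/\?([0-9A-Fa-f]+)")
# Note file name observed in this run: RGNR_ followed by 8 hex digits and .txt
NOTE_NAME_RE = re.compile(r"(^|[\\/])RGNR_[0-9A-F]{8}\.txt$", re.IGNORECASE)


def _unique(items):
    """Deduplicate while keeping first-seen order (the leak URL appears twice)."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def decode_ragnar_secret(b64_blob):
    """Decode the ---RAGNAR SECRET--- block; None if it is not valid base64/ASCII."""
    try:
        return base64.b64decode(b64_blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_iocs(note_text):
    """Return URLs, the secret blob, its decoded form and whether it equals the chat URL's victim ID."""
    onion_urls = _unique(ONION_URL_RE.findall(note_text))
    clearnet_urls = _unique(CLEARNET_URL_RE.findall(note_text))
    secret_match = SECRET_RE.search(note_text)
    secret_b64 = secret_match.group(1) if secret_match else None
    secret = decode_ragnar_secret(secret_b64) if secret_b64 else None
    id_match = VICTIM_ID_RE.search(note_text)
    victim_id = id_match.group(1) if id_match else None
    return {
        "onion_urls": onion_urls,
        "clearnet_urls": clearnet_urls,
        "secret_b64": secret_b64,
        "secret_decoded": secret,
        "victim_id_from_url": victim_id,
        "secret_matches_url": secret is not None and secret == victim_id,
    }


def is_ragnar_note_path(path):
    """True for paths whose file name matches the RGNR_<8 hex>.txt pattern."""
    return NOTE_NAME_RE.search(path) is not None


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE_EXCERPT).items():
        print(f"{key}: {value}")
    print(is_ragnar_note_path(r"C:\Users\Public\Documents\RGNR_2D08E9B5.txt"))
```

The decoded secret is the 64-hex-character ID from the chat URL, so the two are one identifier: block the .onion hosts and hunt for the RGNR_ note name, but do not treat the "secret" as a second indicator.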

Signatures

  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory 19485 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies service 2 TTPs 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops desktop.ini file(s) 1 IoCs
  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 100 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • Writes to the Master Boot Record (MBR)
    • Drops desktop.ini file(s)
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    PID:3060
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1164
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_2D08E9B5.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2604
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1880
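
The process tree above is the detection opportunity: the encryptor (PID 3060) spawns wmic.exe shadowcopy delete and vssadmin delete shadows /all /quiet, then opens the note in notepad.exe. The following is an added example, not part of this report or of Triage, of process-creation detection logic run over constructed events that mirror that tree (PIDs, images and command lines of the malware and its children are the report's; the parent PIDs of the two root processes, the benign vssadmin list shadows event, and the ProcEvent/Finding names are invented). It goes beyond this trace by also matching the wbadmin and bcdedit variants of T1490 that other ransomware uses.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    rule: str
    technique: str


# Constructed process-creation events modelled on the report's process tree.
# Parent PIDs 4212/764 and the benign event (PID 5100) are invented.
EVENTS = [
    ProcEvent(3060, 4212, r"C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\birch_ragnarlocker.exe"'),
    ProcEvent(1156, 3060, r"C:\Windows\System32\Wbem\wmic.exe", "wmic.exe shadowcopy delete"),
    ProcEvent(1164, 3060, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2604, 3060, r"C:\Windows\SysWOW64\notepad.exe", r"C:\Users\Public\Documents\RGNR_2D08E9B5.txt"),
    ProcEvent(1880, 764, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(5100, 4400, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # benign admin use
]

# Command-line patterns for Inhibit System Recovery (T1490). The first two are
# exactly what this sample ran; the last two are common companions in other
# ransomware and are included as a generalization.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit disable recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
]
# notepad.exe opening RGNR_<8 hex>.txt under Users\Public: the ransom note being displayed.
RANSOM_NOTE_RE = re.compile(r"\\users\\public\\.*\\rgnr_[0-9a-f]{8}\.txt$")


def _norm(cmdline):
    """Lower-case and collapse whitespace so the regexes see one canonical form."""
    return " ".join(cmdline.lower().split())


def detect(events):
    """Apply the rules to each event; return one Finding per rule hit."""
    findings = []
    for ev in events:
        cmd = _norm(ev.cmdline)
        for name, rx in RECOVERY_INHIBIT_RULES:
            if rx.search(cmd):
                findings.append(Finding(ev.pid, ev.ppid, name, "T1490"))
        if ev.image.lower().endswith("\\notepad.exe") and RANSOM_NOTE_RE.search(cmd):
            findings.append(Finding(ev.pid, ev.ppid, "ransom note opened in notepad", "T1486"))
    return findings


def ransomware_candidates(findings):
    """Parents that spawned at least one recovery-inhibiting child: the encryptor itself."""
    return {f.ppid for f in findings if f.technique == "T1490"}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"pid={h.pid} ppid={h.ppid} {h.technique} {h.rule}")
    print("candidate encryptor PIDs:", ransomware_candidates(EVENTS and hits))
```

The child processes are what the rules see, but the process to isolate is their common parent, which is why ransomware_candidates pivots on ppid rather than on the wmic/vssadmin PIDs; in this trace that yields PID 3060, the sample itself. vssvc.exe (PID 1880) is the legitimate VSS service started by the deletion request and should not be flagged.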

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Modify Existing Service (T1031): 1
    • Bootkit (T1067): 1
  • Defense Evasion
    • File Deletion (T1107): 2
    • Modify Registry (T1112): 1
  • Impact
    • Inhibit System Recovery (T1490): 2

The IDs are ATT&CK v6; in later versions T1031, T1067 and T1107 were retired in favour of T1543.003, T1542.003 and T1070.004 respectively.


Downloads

  • C:\Users\Public\Documents\RGNR_2D08E9B5.txt
  • memory/1156-100-0x0000000000000000-mapping.dmp
  • memory/1164-101-0x0000000000000000-mapping.dmp
  • memory/2604-102-0x0000000000000000-mapping.dmp
  • memory/3060-27-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-41-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-9-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-13-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-17-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-21-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-23-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-26-0x0000000003030000-0x0000000003031000-memory.dmp (4KB)
  • memory/3060-0-0x0000000003030000-0x0000000003031000-memory.dmp (4KB)
  • memory/3060-29-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-35-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-7-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-47-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-57-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-59-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-63-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-69-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-81-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-83-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-4-0x0000000003030000-0x0000000003031000-memory.dmp (4KB)
  • memory/3060-3-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)
  • memory/3060-2-0x0000000003030000-0x0000000003031000-memory.dmp (4KB)
  • memory/3060-1-0x0000000003830000-0x0000000003831000-memory.dmp (4KB)