Analysis
  max time kernel: 112s
  max time network: 119s
  platform: windows7_x64
  resource: win7
  submitted: 01-08-2020 02:09
  Static task: static1
  Behavioral task: behavioral1, sample edp_ragnarlocker.exe, resource win7
  Behavioral task: behavioral2, sample edp_ragnarlocker.exe, resource win10
General
  Target: edp_ragnarlocker.exe
  Size: 47KB
  MD5: 3ca359f5085bb96a7950d4735b089ffe
  SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde
  SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
  SHA512: 67ac9a483062f42b984f8d2798a02461f27a718f5b93b6f84645170b65e8edbbfddae52c8bee4fd6735fea0e977d8615d1d5c49481e4fbf1480e5e2113af0426
Malware Config
  Extracted from: C:\Users\Public\Documents\RGNR_F0C1BF83.txt
  Family: ragnarlocker
  URLs:
    http://p6o7m73ujalhgkiv.onion/?p=171
    http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
    http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
  edp_ragnarlocker.exe (pid 1668), 50 occurrences
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
  wmic.exe (pid 1188), 20 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  vssvc.exe (pid 1052), 3 token adjustments: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wmic.exe (pid 1188), the same 20 token adjustments repeated
The unnamed values 33, 34 and 35 are privilege LUIDs; in the Windows privilege constants they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege present in its token is what wmic.exe does on startup regardless of the query it is given, so this signature reflects the sample's choice to run wmic rather than a privilege escalation inside wmic itself.
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  edp_ragnarlocker.exe
    File renamed: C:\Users\Admin\Pictures\AddOpen.tif => C:\Users\Admin\Pictures\AddOpen.tif.ragnar_F0C1BF83
    File renamed: C:\Users\Admin\Pictures\OptimizeSave.png => C:\Users\Admin\Pictures\OptimizeSave.png.ragnar_F0C1BF83
    File renamed: C:\Users\Admin\Pictures\WaitExit.tif => C:\Users\Admin\Pictures\WaitExit.tif.ragnar_F0C1BF83
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  notepad.exe (pid 1108)
Modifies service 2 TTPs 5 IoCs
Processes:
  vssvc.exe
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
All five keys are created by vssvc.exe, the system Volume Shadow Copy service, as a side effect of the shadow-copy deletion the sample requested; the sample itself does not touch these keys.
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.
Drops startup file 1 IoCs
Processes:
  edp_ragnarlocker.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_F0C1BF83.txt
The dropped file is the ransom note. Word's STARTUP directory only loads templates and add-ins, not .txt files, so this is a by-product of the note being written into every directory the sample walks rather than a persistence mechanism.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  edp_ragnarlocker.exe (pid 1668)
    wrote to memory of wmic.exe (pid 1188), 4 times
    wrote to memory of vssadmin.exe (pid 852), 4 times
    wrote to memory of notepad.exe (pid 1108), 4 times
Drops file in Program Files directory 10160 IoCs
Processes:
  edp_ragnarlocker.exe (all entries below)
    File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Phoenix
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\XML Files\Messenger.xml
    File created: C:\Program Files\VideoLAN\VLC\lua\meta\reader\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png
    File opened for modification: C:\Program Files\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF
    File opened for modification: C:\Program Files\Microsoft Office\Office14\PUBWIZ\ORIG98.POC
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml
    File opened for modification: C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml
    File opened for modification: C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml
    File created: C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\1033\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\Groove Starter Template.xsn
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
    File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Brussels
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152568.WMF
    File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF
    File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\ONENOTE_K_COL.HXK
    File opened for modification: C:\Program Files\PublishReceive.TTS
    File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran
    File opened for modification: C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT
    File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF
    File opened for modification: C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx
    File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid
    File opened for modification: C:\Program Files\Java\jre7\lib\management\jmxremote.access
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0237225.WMF
    File opened for modification: C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF
    File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HM00116_.WMF
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF
    File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF
    File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga
    File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer
    File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar
    File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv
    File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\RGNR_F0C1BF83.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG
    File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (pid 852)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  edp_ragnarlocker.exe
    File opened for modification: \??\PHYSICALDRIVE0
The only IoC behind this signature is a write-capable handle opened on the raw disk device \??\PHYSICALDRIVE0; the report does not show what, if anything, was written, so it should be read as a raw-disk access indicator rather than confirmation of a bootkit-style MBR overwrite.
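The renamed-file, ransom-note and PHYSICALDRIVE0 IoCs in the signatures above follow fixed naming patterns. The following is an added example written by the editor, not code from the Triage report or from the sample, which turns those patterns into a small triage routine over a list of observed paths. The sample paths are copied from this report plus two constructed benign decoys; treating the 8-hex-digit value F0C1BF83 as a per-victim ID is an assumption based on the same value appearing in both the extension and the note name.

```python
import re

# Patterns taken from the IoCs in this report: encrypted files get a
# ".ragnar_<8 hex digits>" suffix, ransom notes are named "RGNR_<8 hex digits>.txt",
# and the sample opened the raw disk device \??\PHYSICALDRIVE0 for writing.
# Treating the 8-hex-digit value as a per-victim ID is an assumption.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.ragnar_(?P<vid>[0-9A-F]{8})$", re.IGNORECASE)
NOTE_RE = re.compile(r"(?:^|[\\/])RGNR_(?P<vid>[0-9A-F]{8})\.txt$", re.IGNORECASE)
RAW_DEVICE_RE = re.compile(r"^\\\?\?\\PHYSICALDRIVE\d+$", re.IGNORECASE)


def classify_path(path):
    """Return (kind, victim_id, original_name) for one observed path."""
    m = ENCRYPTED_RE.match(path)
    if m:
        return "encrypted", m.group("vid").upper(), m.group("orig")
    m = NOTE_RE.search(path)
    if m:
        return "note", m.group("vid").upper(), None
    if RAW_DEVICE_RE.match(path):
        return "raw_device", None, None
    return "benign", None, None


def triage_paths(paths):
    """Group encrypted files and notes by victim ID; collect raw-device opens."""
    result = {"victims": {}, "raw_device": [], "benign": 0}
    for p in paths:
        kind, vid, orig = classify_path(p)
        if kind == "benign":
            result["benign"] += 1
        elif kind == "raw_device":
            result["raw_device"].append(p)
        else:
            victim = result["victims"].setdefault(vid, {"encrypted": [], "notes": []})
            if kind == "encrypted":
                victim["encrypted"].append(orig)  # name to restore after decryption
            else:
                victim["notes"].append(p)
    return result


# Constructed input: paths copied from the report plus two benign decoys that
# must not match (a genuine user file and a name that merely contains "ragnar_").
SAMPLE_PATHS = [
    r"C:\Users\Admin\Pictures\AddOpen.tif.ragnar_F0C1BF83",
    r"C:\Users\Admin\Pictures\OptimizeSave.png.ragnar_F0C1BF83",
    r"C:\Users\Admin\Pictures\WaitExit.tif.ragnar_F0C1BF83",
    r"C:\Users\Public\Documents\RGNR_F0C1BF83.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_F0C1BF83.txt",
    r"C:\Program Files\VideoLAN\VLC\lua\meta\reader\RGNR_F0C1BF83.txt",
    r"\??\PHYSICALDRIVE0",
    r"C:\Users\Admin\Documents\budget.xlsx",
    r"C:\Users\Admin\Documents\notes.ragnar_summary",
]

if __name__ == "__main__":
    summary = triage_paths(SAMPLE_PATHS)
    for vid, v in summary["victims"].items():
        print(f"victim {vid}: {len(v['encrypted'])} encrypted files, {len(v['notes'])} notes")
    print("raw device opens:", summary["raw_device"])
```

The victim ID is matched in both the extension and the note name so that a note and an encrypted file from different infections are not mixed up; the decoy `notes.ragnar_summary` shows why the suffix must be anchored to exactly eight hex digits.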
Processes
- C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Modifies extensions of user files
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Writes to the Master Boot Record (MBR)
  - C:\Windows\System32\Wbem\wmic.exe (child)
    command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\vssadmin.exe (child)
    command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe (child)
    command line: C:\Users\Public\Documents\RGNR_F0C1BF83.txt
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
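The process tree above is the part of this report most worth alerting on: a single parent running from a user-writable directory spawns both shadow-copy deletion tools and notepad on a .txt. The example below is added by the editor and is not code from the report or the sample. It correlates constructed Sysmon-style process-creation records by parent pid and scores the result; the pids, images and command lines are taken from the tree above, while the parent pid 1200 and the cmd.exe / `vssadmin list shadows` decoy are invented. The wbadmin pattern goes beyond this report and is included from general ransomware experience.

```python
import re
from collections import defaultdict

# Command lines that inhibit recovery (MITRE ATT&CK T1490). The first two are the
# exact commands in this report's process tree; wbadmin is added from general
# experience with ransomware and is not something this sample ran.
SHADOW_DELETE_RES = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.IGNORECASE),
]
# A parent image launched from a user-writable location is a strong secondary signal.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public)\\", re.IGNORECASE)


def is_shadow_delete(cmdline):
    return any(r.search(cmdline) for r in SHADOW_DELETE_RES)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group suspicious children by parent pid and score each parent.

    events: process-creation records with keys pid, ppid, image, cmdline.
    Returns one alert per parent that spawned at least one shadow-deletion child.
    """
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(lambda: {"shadow_delete": [], "note_display": []})
    for e in events:
        if e["ppid"] not in by_pid:
            continue  # parent not in the window; nothing to correlate with
        if is_shadow_delete(e["cmdline"]):
            per_parent[e["ppid"]]["shadow_delete"].append(e["pid"])
        elif basename(e["image"]) == "notepad.exe" and e["cmdline"].lower().endswith(".txt"):
            per_parent[e["ppid"]]["note_display"].append(e["pid"])

    alerts = []
    for ppid, f in per_parent.items():
        if not f["shadow_delete"]:
            continue  # notepad alone is not interesting
        parent = by_pid[ppid]
        writable = bool(USER_WRITABLE_RE.search(parent["image"]))
        severity = "high" if (f["note_display"] or writable) else "medium"
        alerts.append({
            "pid": ppid,
            "image": parent["image"],
            "severity": severity,
            "shadow_delete": f["shadow_delete"],
            "note_display": f["note_display"],
            "user_writable_parent": writable,
        })
    return alerts


# Constructed events modelled on the report's process tree. Pids, images and
# command lines are the report's; ppid 1200 and the cmd.exe/list-shadows decoy
# (pids 500, 900, 2000) are invented so the benign path is exercised too.
SAMPLE_EVENTS = [
    {"pid": 1668, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\edp_ragnarlocker.exe"'},
    {"pid": 1188, "ppid": 1668, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 852, "ppid": 1668, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1108, "ppid": 1668, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r"C:\Users\Public\Documents\RGNR_F0C1BF83.txt"},
    {"pid": 900, "ppid": 500, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} {a['image']}: "
              f"shadow delete by {a['shadow_delete']}, note shown by {a['note_display']}")
```

Correlating on the parent pid rather than on the individual command lines is what separates this sample from an administrator running `vssadmin list shadows` from a console: the decoy cmd.exe parent produces no alert, while the single parent that spawned wmic, vssadmin and notepad scores high.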
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\RGNR_F0C1BF83.txt
- memory/852-101-0x0000000000000000-mapping.dmp
- memory/1108-102-0x0000000000000000-mapping.dmp
- memory/1188-100-0x0000000000000000-mapping.dmp
- memory/1668-N-0x0000000002470000-0x0000000002481000-memory.dmp (Filesize 68KB), for N = 0, 2
- memory/1668-N-0x0000000002880000-0x0000000002891000-memory.dmp (Filesize 68KB), for N = 1, 3, 5, 7, 9, 15, 19, 23, 29, 33, 37, 41, 47, 49, 51, 55, 61, 63, 65, 69, 79, 87, 89, 97