Analysis

  • max time kernel
    58s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    03-08-2020 10:01

General

  • Target

    ragnar_locker_WEGLARZCO.bin.exe

  • Size

    42KB

  • MD5

    0fbbc59d4fe280a55c1fb6f5502c1e73

  • SHA1

    af53890ed1d4753e7493d48862bdd7d18a2b11f6

  • SHA256

    63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059

  • SHA512

    20b87ac354cefa2b75e8edbe30b903c51e4f2c2cb49f59dd40732d964612a69b149cb10274feab5c6971c8adfc91fba11f1ebeba38e1b2d45c6b1b4d3dd37633

Malware Config

Extracted

  • Path

    C:\Users\Public\Documents\RGNR_F0C1BF83.txt

  • Family

    ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO WEGLARZCO! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Reinstall your OS DO NOT Delete readme files ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special DECRYPTION key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities. Don't waste your TIME, the link for contacting us will be deleted in closest future if there is no contact made and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! а) Download and install TOR browser from this site : https://torproject.org b) Open our website : http://mykgoj7uvqtgl367.onion/client/?61bcbDc31F1c894054C3B84aF53C35cF3005e1A69366A6e857a5a4fd60fb7184 c) If Tor is restricted in your area, use VPN Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). 
*********************************************************************************** ---RAGNAR SECRET--- NjFiY2JEYzMxRjFjODk0MDU0QzNCODRhRjUzQzM1Y0YzMDA1ZTFBNjkzNjZBNmU4NTdhNWE0ZmQ2MGZiNzE4NA== ---RAGNAR SECRET--- ***********************************************************************************
URLs

http://mykgoj7uvqtgl367.onion/client/?61bcbDc31F1c894054C3B84aF53C35cF3005e1A69366A6e857a5a4fd60fb7184

Signatures

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Drops file in Program Files directory 10149 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies service 2 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ragnar_locker_WEGLARZCO.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_WEGLARZCO.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Writes to the Master Boot Record (MBR)
    PID:1456
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1944
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_F0C1BF83.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Modify Existing Service (1) T1031
    • Bootkit (1) T1067
  • Defense Evasion
    • File Deletion (2) T1107
    • Modify Registry (1) T1112
  • Impact
    • Inhibit System Recovery (2) T1490

Downloads

  • C:\Users\Public\Documents\RGNR_F0C1BF83.txt
  • memory/804-76-0x0000000000000000-mapping.dmp
  • memory/1456-41-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-5-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-45-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-9-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-15-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-19-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-23-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-27-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-47-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-37-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-1-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-3-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-31-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-49-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-53-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-57-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-61-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-67-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize 68KB)
  • memory/1456-0-0x0000000000D50000-0x0000000000D61000-memory.dmp (Filesize 68KB)
  • memory/1456-2-0x0000000000D50000-0x0000000000D61000-memory.dmp (Filesize 68KB)
  • memory/1932-74-0x0000000000000000-mapping.dmp
  • memory/1944-75-0x0000000000000000-mapping.dmp