Overview

overview

10

Static

static

8

ragnar_loc...e_.exe

windows7_x64

10

ragnar_loc...e_.exe

windows10_x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    03-08-2020 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ragnar_locker_Omniga.de_.exe

  • Size

    5.9MB

  • MD5

    8d986c2f6a23ad4b1624f6e3ee55d3a2

  • SHA1

    50ae8d51e9bc3fc5264c7ff2d0b18b68e8164f84

  • SHA256

    cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8

  • SHA512

    11736427ffeef18686968b798a9d123151f0e9f031d6b6f5bf473da4dea1ea74b466b6437d2b87fd8fa571f0f786e179838e8821d30922a54c711ebcd9973dc7

Score
10/10
ransomwarebootkitpersistenceragnarlocker

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_F0C1BF83.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO Omniga.de ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We had downloaded your private information including billing info, clients private data, contracts, agreements and a lot of other sensitive information. Also we take your SQL server DB,access to leadership's mails and correspondence, admin credentials, VPN-servers, Backup shares, Cloud host, and a lot of other info from your Network. You can check some proofs here: https://prnt.sc/s5g6gr https://prnt.sc/s5g79t https://prnt.sc/s5gkxh Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can take a look on some examples of what we have, right now it's a private hidden page. Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/temporary-de-page-424/ to view the page's content use password: OmnigUdk$912f If you wouldn't PAY, we will publish this post with much more information available for Downloading. In mass media breaking news about the leak will make a lot of noise in every IT-journals, blogs, sites etc. Besides, your private data will be sold out on Darknet forums! To avoid such troubles and lawsuits from your clients and partners it's better to make a deal with us. ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://stppd5as5x4hxs45.onion/client/?0dFE0B7BAA7C7801ddd746B1DC5ad44bAD82Fc0f77DAC01bD3cf3D2D9deB94bC c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/temporary-de-page-424/ ( password: OmnigUdk$912f ) d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---RAGNAR SECRET--- MGRGRTBCN0JBQTdDNzgwMWRkZDc0NkIxREM1YWQ0NGJBRDgyRmMwZjc3REFDMDFiRDNjZjNEMkQ5ZGVCOTRiQw== ---RAGNAR SECRET--- ***********************************************************************************
URLs

https://prnt.sc/s5g6gr

https://prnt.sc/s5g79t

https://prnt.sc/s5gkxh

http://p6o7m73ujalhgkiv.onion/temporary-de-page-424/

http://stppd5as5x4hxs45.onion/client/?0dFE0B7BAA7C7801ddd746B1DC5ad44bAD82Fc0f77DAC01bD3cf3D2D9deB94bC

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    ransomwareragnarlocker
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Drops file in Program Files directory 10168 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ragnar_locker_Omniga.de_.exe
    "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_Omniga.de_.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Writes to the Master Boot Record (MBR)
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in Program Files directory
    • Modifies extensions of user files
    PID:1612
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:828
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_F0C1BF83.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:324

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\RGNR_F0C1BF83.txt
    Download Submit

  • memory/828-101-0x0000000000000000-mapping.dmp

    Download

  • memory/1364-100-0x0000000000000000-mapping.dmp

    Download

  • memory/1564-102-0x0000000000000000-mapping.dmp

    Download

  • memory/1612-45-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-55-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-9-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-13-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-19-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-23-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-27-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-33-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-37-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-41-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-0-0x0000000002800000-0x0000000002811000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-47-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-51-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-7-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-59-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-63-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-69-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-77-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-87-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-89-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-97-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-5-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-3-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-2-0x0000000002800000-0x0000000002811000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1612-1-0x0000000002C10000-0x0000000002C21000-memory.dmp

    Filesize

    68KB

    Download