Overview

overview

10

Static

static

8

ragnar_loc...1).exe

windows7_x64

10

ragnar_loc...1).exe

windows10_x64

10

Analysis

  • max time kernel
    56s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    03-08-2020 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ragnar_locker_EDP (1).exe

  • Size

    69KB

  • MD5

    00fb3f27bccef7c5658ff9f5ce487cec

  • SHA1

    c24fedb9b8a592722d5a9adb34d276fc3b329d6f

  • SHA256

    b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186

  • SHA512

    a2346683bbdb5c7d939c0eaa4fb3a411681fedfbf90bea2866482b699da56aeaa4a5b3ffe5f8f24fdb5f4966dd22b8293ed1ee0eed4552dd9bb81f708e2e0235

Score
10/10
ransomwarepersistencebootkitragnarlocker

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_F0C1BF83.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO EDP.com ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. ATTENTION ! We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties. Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://p6o7m73ujalhgkiv.onion/?p=171 We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links. So if you want to avoid such a harm for your reputation, better pay the amount that we asking for. ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171 d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---RAGNAR SECRET--- NmJFQ0EyYjJBRkZmQkMxRGZmMGFhMEVhYUFkNDY4YmVjMDkwM2I1ZTRFYTU4ZWNkZTNDMjY0YkM1NWM3Mzg5RQ== ---RAGNAR SECRET--- ***********************************************************************************
URLs

http://p6o7m73ujalhgkiv.onion/?p=171

http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E

http://p6o7m73ujalhgkiv.onion/?page_id=171

Signatures

  • Suspicious use of WriteProcessMemory 12 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 10173 IoCs
  • Drops startup file 1 IoCs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    ransomwareragnarlocker
  • Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe
    "C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in Program Files directory
    • Drops startup file
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Writes to the Master Boot Record (MBR)
    PID:832
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1908
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1988
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_F0C1BF83.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\RGNR_F0C1BF83.txt
    Download Submit
  • memory/832-43-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-1-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-37-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-5-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-7-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-11-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-15-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-19-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-23-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-29-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-31-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-33-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-3-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-2-0x0000000002360000-0x0000000002371000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-89-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-51-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-55-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-61-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-65-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-69-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-79-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-47-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-97-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

    Download
  • memory/832-0-0x0000000002360000-0x0000000002371000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1332-102-0x0000000000000000-mapping.dmp
    Download
  • memory/1908-100-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-101-0x0000000000000000-mapping.dmp
    Download