Analysis
-
max time kernel
138s -
max time network
67s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
03-08-2020 10:01
General
-
Target
ragnar_locker_EDP (3).exe
-
Size
116KB
-
MD5
6d122b4bfab5e75f3ae903805cbbc641
-
SHA1
5197d1b54494f8cb043759b35e097c660a9e09ac
-
SHA256
68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3
-
SHA512
06621ff8e96fc2063f899321455dfdc264de3e2a820dd4b39d40f903ccd5e207ce5b17f08621ecb44aeb60432088e6875ed7e6888dbe9f34f71c5070a23552b4
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Documents\RGNR_AC7AABB2.txt
Family
ragnarlocker
Ransom Note
*****************************************************************************************************************
HELLO EDP.com !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
by RAGNAR_LOCKER !
*****************************************************************************************************************
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities
Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://p6o7m73ujalhgkiv.onion/?p=171
We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn't pay,
all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website.
At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---RAGNAR SECRET---
NmJFQ0EyYjJBRkZmQkMxRGZmMGFhMEVhYUFkNDY4YmVjMDkwM2I1ZTRFYTU4ZWNkZTNDMjY0YkM1NWM3Mzg5RQ==
---RAGNAR SECRET---
***********************************************************************************
URLs
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
-
Drops startup file 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Drops file in Program Files directory 10170 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (3).exe"C:\Users\Admin\AppData\Local\Temp\ragnar_locker_EDP (3).exe"1⤵
- Drops startup file
- Writes to the Master Boot Record (MBR)
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_AC7AABB2.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
-