Analysis
-
max time kernel
62s -
max time network
21s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
23/09/2020, 11:33
General
-
Target
l.exe
-
Size
5.4MB
-
MD5
d735552452a4c85c6f7cbacb67bafa38
-
SHA1
94a55c38e34930ac4a11bef628b3678721759179
-
SHA256
4110e5497ebc7f2f587412c08967e815d142494a1027ef235c375d2841bc0b6a
-
SHA512
7627870b3f097cd12257f55e1165f4fd4662adb1a9ce88cb2f4198109e11a9ca7c5c5e76c8a5b9072034fae094e71561d49d3e53f7765b8776c861f3d3a70ed4
Score
10/10
Malware Config
Extracted
Path
C:\!!ReadMe_To_Decrypt_My_Files.txt
Family
ragnarok
Ransom Note
It's not late to say happy new year right? but how didn't i bring a gift as the first time we met :)
#what happend to your files?
Unfortunately your files are encrypted with rsa4096 and aes encryption,you won't decrypt your files without our tool
but don't worry,you can follow the instructions to decrypt your files
1.obviously you need a decrypt tool so that you can decrypt all of your files
2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay
3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID
4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus
5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid
6.it's wise to pay as soon as possible it wont make you more losses
the ransome: 1 btcoin for per machine,5 bitcoins for all machines
how to buy bitcoin and transfer? i think you are very good at googlesearch
[email protected]
[email protected]
[email protected]
Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted
YOUR DEVICE ID:
AwCLaVESJtkSMVEL4gjR3Y0NxEDMygTOGFTM2YUM0MzN0kDO2MDMDN0MEFTQFJEOxEjM5MTMzEENyUTN5MUO5ATNEVjNzgzM5QUN0YzNFZ0QxU0NGRzMxQTOChzN0EkQzgjQ5gDOFdTQFhjR3IENFZEO1MjNxQDNxYEO5YTOxIDN4gDOzMTO0ADN5EzMxUUM4MzM5gzQ4QENEFzM4QkNxMUO1MDMCNUNycjNyEzMycTM5EDN3IEOBFUNBVkNzIzMEVzQ3YkRwI0N0M0N2QTNBlTNBZUNFRzQClDMxkTRCdzNChjRzMDMDNzMEJkNFRDR5YDR4QDRzQkMEJUMCVkNERTOyEERyAjRCdTQ4ITMGZTRCNDO3U0NyU0MyQzM1ATN2EER1UzN5QUR0kjMGZ0NGVTODV0QDVDOykTN3YjQ4YDOCFTMyIjQyUEO3EEN1EzN2kTN4UjRCRkN3MkQwEUM5MkR5YDMzMzM5EUNyITNFRjQ3UkM3E0N2QEOwEURxADR3E0NCFTN3Q0N4kzQwgzMCdzQ5gTNGFTNDJ0NDdjM4I0QzIUQ5M0M5gDN2UEMCJUQxUzQGJERxQkRGhDO1Q0M4IkM5cjQ3YENxkjNCNENCFUR0YTNBNEO0MzNBNzQChjMyQkNDRURFNERzIDNxEkRGRUNGJDOGZUR4QTMyUTNwI0MwEDO0YTM0EkQzMTQGZzM3QTO2gzQ5UENBF0Q1cTQ5ATQFVUMFNjNyUENFJUMBZER4MkRBljQzMUMDlDR0IkNCVkR0IERzYERCFTM0UDR2ATOFhDO3U0MCZkNDNEOGVUQ1MjMCRDMGBjQxIjRyETREdjM1kzQ1M0M2QzM3MTR5cTNxgTQDFER4gTQFNUREJ0QFVUQ3IUR5ETOCFjMBhTR0YDOFZUM2YDOGVTRGNEMDFzN4IkNCBzQBBDN0YDRDFDRwUEMBJzNGZURFVUM0EzQ1EkQzgDRBlTRyATM0EzQ3UkMwMkMyMkQBRTN1IDR5EDRygDR0czMEF0Q1YUMBhDMChTMGFzNxYUMCRDMFhTOENUQBJzQ0UUR3AjQ3Y0QElDN0kjRzIkN5MUMCNTMDVUN2cjMDhjN5QTMxQjMCRjR1YjRFJkNyUTO5kjMzYkQFNDNzAjM5cjQ4kjRyIkRycDRygTO2gTRwMjMyQjNzI0M2gTM2MTMzIkMwQ0NDRDRzQzNEZjMDJkQBJEM4EjR3gTNyEkN5kTO0IzQFJERBNjNxgzM4EER0MTR5E0M3ETNBFkNBlDR2MkNBdDOCRUMBZjRCFjREdTQDlDMDNEO0QEN5gzM2IzM1kjQ5UUQxQTNDR0N2YjRyEzQ4IURxUDN
Signatures
-
Ragnarok
Ransomware family deployed from Citrix servers infected via CVE-2019-19781.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Modifies service 2 TTPs 10 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\l.exe"C:\Users\Admin\AppData\Local\Temp\l.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {current} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.execmd.exe /c netsh advfirewall set allprofiles state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies service
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken