Overview

overview

10

Static

static

8

l.exe

windows7_x64

10

l.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    23/09/2020, 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    l.exe

  • Size

    5.4MB

  • MD5

    d735552452a4c85c6f7cbacb67bafa38

  • SHA1

    94a55c38e34930ac4a11bef628b3678721759179

  • SHA256

    4110e5497ebc7f2f587412c08967e815d142494a1027ef235c375d2841bc0b6a

  • SHA512

    7627870b3f097cd12257f55e1165f4fd4662adb1a9ce88cb2f4198109e11a9ca7c5c5e76c8a5b9072034fae094e71561d49d3e53f7765b8776c861f3d3a70ed4

Score
10/10
ransomwareevasionpersistencespywareragnarok

Malware Config

Extracted

Path

C:\!!ReadMe_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note
It's not late to say happy new year right? but how didn't i bring a gift as the first time we met :) #what happend to your files? Unfortunately your files are encrypted with rsa4096 and aes encryption,you won't decrypt your files without our tool but don't worry,you can follow the instructions to decrypt your files 1.obviously you need a decrypt tool so that you can decrypt all of your files 2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay 3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID 4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus 5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid 6.it's wise to pay as soon as possible it wont make you more losses the ransome: 1 btcoin for per machine,5 bitcoins for all machines how to buy bitcoin and transfer? i think you are very good at googlesearch [email protected] [email protected] [email protected] Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted YOUR DEVICE ID: AwCLV9USMtUVaxEL3EzMGV0NGVkQ3cTREFURGRzMyYTODJkMykjQ1cDO4IkMCNjMEFDNFFTODZEMyYUOGRjMCZENBJUMyM0QCZzN0UTM1YjRyEjRDlTMENDO2UjR4gjN1cjMFNUO0EkQ1EEN2YzMDJkQ0QzNCVURCNURyUkM4YjQzYDR2IERCdjQwUUQ1MjM0IzQFZUR5Q0QxgjQEJTMCVUN1MDN2Q0MBljQykzM1kTO5EzNzATR2QkNDJkQ4kTQ5QUO0QzNxIjM1QkMBhzN4EDRGVUOzIDMGJUM5EjQEdjRGJkR5ATMwUER5QTO4QkM5cDR0UTMGNjMGFjR3kDR4ITRCJTR1MDR0U0Q3UTO3UjQGRDR0YkQ2gDNwMUO1gTQwQTMzEUO5kjQFVTN4IENzUjQ5YDMCdTM0QzM2gjM1YDRFV0MyYkNEJ0Q1YjQ4UjMzEjMENURBBDO0kTRxYUR1UEN5MjN0gDNFZzMzEDO0AjQxgjMykTMEZjQ5AjR1IDNFZUNBlDNzkDRBR0Q2kjMBZTOxQjRFN0MzgTOxIzQzIUMyMzN1UkM4UTMBhDOERzN1UEO3QTQElDOzUUQEREOxUUOBJkRxUjQ1QkNyMkQ3MzNCVDR1UkN4YzMwQUR1UzQEJzNBNUQ5MzMFRERwMkNCRDR0gDRCNjMyE0QwIzN1Q0NEdDMBRjRCNkNBdTMyYENDV0M5IDOxMTRGJzQFN0Q5MkM1MDOyYTQBJjNzIkMBBjQChjQ3gzQ4UkN3kTR5UjMyUzM5IDRyM0N4UTNBJTN0EkN5ETMBFURBVDOGFTR1ETMDJ0NElDR4AzM2EzMGhTR0IjRDdzQDJDO3EUQzMkQzUzNFV0Q3IUQ1QjQ1IEMCNEOxYjMxQzQFZjMzIjN1QEMzI0N3YjNEhjN0IUNwcTQBlTQyIDO5MTRBNjM5EUQ0UTN4MUQCNjQ5EUQ3cTQ2EUN5IzMCNUOFNkM2EjQBZERBNDM4YUR1IDM5kzM0EjNyMTMDFTMGhjNDNEOyIzQ0QjMzQUOxcTM4YDN1MTM1YDR3QjN4gzM2UTOERkN2gDR1YUQGlDODVkRzITNzYTOChDNFZkMDZUQxYDN0QENEhjQ5YDN3UkR5Y0NERDMGNER3kzNwIjQyIUR3MURFdjRxcDM4EzN5EEOGlTOxEzN2gjNDVzN3UEO4IENxIUMykTQDRkM5MTQ4UTMxIjQ4QjM4IUQxcDMxIzQCZ0MxEEOBNjMyIUMxYENEFkQ2IjN0YUQ2EkNyIjQ0IzMxkzQ1UjN1UTOzQEMxMTM0E0NEZzMDFjNwUUM3MTRyIDMGVTOxEER5IUMzMUOFhjQ5EUNBFTO

Signatures

  • Ragnarok

    Ransomware family deployed from Citrix servers infected via CVE-2019-19781.

    ransomwareragnarok
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 25 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 5 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l.exe
    "C:\Users\Admin\AppData\Local\Temp\l.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3076
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1668
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3752
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
          PID:1016
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\werfault.exe
      werfault.exe /h /shared Global\8990cb50320d408faf55141ba0a34050 /t 3028 /p 3024
      1⤵
        PID:3896
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!ReadMe_To_Decrypt_My_Files.txt
          2⤵
          • Suspicious use of FindShellTrayWindow
          PID:3536
      • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
        1⤵
        • Enumerates system info in registry
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3588
      • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
        "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
        1⤵
        • Modifies Control Panel
        • Suspicious use of SetWindowsHookEx
        PID:244

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads