Analysis

  • max time kernel
    55s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    02-05-2021 15:37

General

  • Target

    b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.sample.exe

  • Size

    224KB

  • MD5

    989ee63147c4bcd4f6d46be0fb1c3a9f

  • SHA1

    da7338c8027cf9da934479c1fd3317f376639917

  • SHA256

    b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246

  • SHA512

    e0ef202a4584b34d46b2052ec4a708df4ca0e1064158df73bd84b8235d307c8e342ca8f93e9fbc6fa4268a857503468d33400619bc20c8225c1083b1576df382

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_3CA64D43.txt

Family

ragnarlocker

Ransom Note
*****************************************************************************************************************
HELLO EDP.com !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER !
*****************************************************************************************************************
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities
Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://p6o7m73ujalhgkiv.onion/?p=171
We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners.
And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---RAGNAR SECRET---
NmJFQ0EyYjJBRkZmQkMxRGZmMGFhMEVhYUFkNDY4YmVjMDkwM2I1ZTRFYTU4ZWNkZTNDMjY0YkM1NWM3Mzg5RQ==
---RAGNAR SECRET---
***********************************************************************************

URLs

http://p6o7m73ujalhgkiv.onion/?p=171

http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E

http://p6o7m73ujalhgkiv.onion/?page_id=171

Signatures

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Loads dropped DLL
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.samplemgr.exe
      C:\Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.samplemgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1544
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:316
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1472
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_3CA64D43.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:824
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Bootkit (1) T1067
  • Defense Evasion
    File Deletion (2) T1107
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082
  • Impact
    Inhibit System Recovery (2) T1490

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C1278081-AB5C-11EB-A1DA-5A6828A642A0}.dat
    MD5

    b42c667be0735db3089bcc45b4e83ea0

    SHA1

    401b0d2996c18a6064fb532d070b66c7a5710fce

    SHA256

    d2a0dee90c0f59b76aaac9d3cc602704fe99fd1c893563d126bdbe2256fc80da

    SHA512

    dc4ac8e1465d39dcfb35be93ffca42e634b806381988f9b4b268fece297938ee88f74a360c682eaf3cc0980bf77650ac6e97d12db27ac6bba1de014c2ac475af

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C12ED381-AB5C-11EB-A1DA-5A6828A642A0}.dat
    MD5

    076529124a91150ca05865d2e6cd96cc

    SHA1

    92a007937d8303524e42adb6b703a1fe94b63255

    SHA256

    5a4cbacfc17aff8b62c592caf348d88a88a72a5490c4dccb6f8662f074ebf202

    SHA512

    9a076844ac1a87546cbf2935d4f9be9c84beb61f5b5272def803e090816cedc0e0a7956ce256e126c11dc5b81f260d378a805a09651f296e72566f3bc68abb41

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{6CE03070-99CC-11EB-A1DB-C2EBB310CB62}.dat
    MD5

    0408effed3ba7529a03a485779de30e6

    SHA1

    6a286fd720483efeb98cc42670d8b69c15d2b914

    SHA256

    cad88d4cd91e5cc379f100aeb8c5e065af55f58e10b8d841fc6c5e75cb734a38

    SHA512

    2e22edfe59b94c5e6e4fad2e99b3048c67fb3fe937cc220ca4b7ba4f9f7ad3789ef357b057b8d6b842b860ca7990e07ddca16584dc5a86c13116f229aa884134

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{CD3BF860-AB5C-11EB-A1DA-5A6828A642A0}.dat
    MD5

    d22830999e50e126e4009ff077f49f4f

    SHA1

    09a913e08ef4b418ec5e123873af8771496f8c63

    SHA256

    1f27f84a720ad0ce80936a82e99097febd4b87eb69b315b5c05ed54cb93897e8

    SHA512

    1cf23357fae0863ace48328701053f45c0550786837deec51d1b8841337091c7fc72f2d506cf15deda00df13398ab61c79f546275272c8918e20ad40fa62059c

  • C:\Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.samplemgr.exe
    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

  • C:\Users\Public\Documents\RGNR_3CA64D43.txt
    MD5

    ebb1e76a32908e6653c933364985f639

    SHA1

    69fc0b1ed4cd4548bb4ebbe3d9f2bf7934735ff7

    SHA256

    1c6ab30444efec425084c396107d7f66371bfc526f6f11480263de22a8233c8f

    SHA512

    e35ebebb5c69e26127be6246ca44d8819cc19cbb7fa9eaa861367b414605eb71b66e440fd5bfa404ab950730053e87d5c7daf0bbab7296ee8bd724c81f730abe

  • \Users\Admin\AppData\Local\Temp\b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246.bin.samplemgr.exe
    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

  • memory/316-69-0x0000000000000000-mapping.dmp
  • memory/824-85-0x0000000000000000-mapping.dmp
  • memory/1200-76-0x0000000000220000-0x0000000000222000-memory.dmp
    Filesize

    8KB

  • memory/1200-68-0x00000000768B1000-0x00000000768B3000-memory.dmp
    Filesize

    8KB

  • memory/1200-77-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

  • memory/1224-65-0x0000000000000000-mapping.dmp
  • memory/1224-80-0x0000000004010000-0x0000000004011000-memory.dmp
    Filesize

    4KB

  • memory/1472-84-0x0000000000000000-mapping.dmp
  • memory/1544-73-0x0000000002240000-0x0000000002242000-memory.dmp
    Filesize

    8KB

  • memory/1544-70-0x0000000000000000-mapping.dmp
  • memory/1980-67-0x0000000000000000-mapping.dmp
  • memory/2016-83-0x0000000000000000-mapping.dmp
  • memory/2032-66-0x0000000000630000-0x0000000000631000-memory.dmp
    Filesize

    4KB

  • memory/2032-75-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

  • memory/2032-74-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

  • memory/2032-62-0x0000000000000000-mapping.dmp
  • memory/2032-64-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB