Resubmissions

21-06-2021 10:17

210621-vjwq4ygkgx 10

21-06-2021 10:07

210621-j7925dp9fj 10

General

  • Target

    ac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79.exe

  • Size

    54KB

  • Sample

    210621-j7925dp9fj

  • MD5

    be6adee5c7c72c3c1d2094e544f2eead

  • SHA1

    c9c2ad344d82c9977758488cff181d5474884d11

  • SHA256

    ac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79

  • SHA512

    52a46a826097f20831df0d179494628dee536afd32cd8b5ff3140801381f2c98f09cfe1c01ff3f3611069570fa8232dfb4c7527f3e31f0142f5492a0c37d2f86

Malware Config

Extracted

Path

C:\Users\Public\Documents\!$R4GN4R_3CA64D43$!.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO test_comapny ! IF YOU ARE READING THIS, IT'S MEAN YOUR DATA WAS ENCRYPTED AND YOU SENSITIVE PRIVATE INFORMATION WAS STOLEN! READ CAREFULLY THE WHOLE INSTRUCTION NOTES TO AVOID DIFFICULTIES WITH YOUR DATA by RAGNAR_LOCKER ! ***************************************************************************************************************** *YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL* (contact information you will find at the bottom of this notes) !!!!! WARNING !!!!! TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES ------------------------------------- TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES 
TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES TEST NOTES ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?0242cdcD7eecbbAcB371c06DDC8feBAD516219353c5369dCBb5da0DfD6Ac94bc c) To visit our NEWS LEAK BLOG with your data, open this website : http://p6o7m73ujalhgkiv.onion/ d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---BEGIN KEY R_R--- MDI0MmNkY0Q3ZWVjYmJBY0IzNzFjMDZEREM4ZmVCQUQ1MTYyMTkzNTNjNTM2OWRDQmI1ZGEwRGZENkFjOTRiYw== ---END KEY R_R--- ***********************************************************************************
URLs

http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?0242cdcD7eecbbAcB371c06DDC8feBAD516219353c5369dCBb5da0DfD6Ac94bc

http://p6o7m73ujalhgkiv.onion/

Targets

    • Target

      ac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79.exe

    • Size

      54KB

    • MD5

      be6adee5c7c72c3c1d2094e544f2eead

    • SHA1

      c9c2ad344d82c9977758488cff181d5474884d11

    • SHA256

      ac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79

    • SHA512

      52a46a826097f20831df0d179494628dee536afd32cd8b5ff3140801381f2c98f09cfe1c01ff3f3611069570fa8232dfb4c7527f3e31f0142f5492a0c37d2f86

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                       Count   ID
Persistence        Bootkit                         1       T1067
Defense Evasion    File Deletion                   2       T1107
Discovery          Query Registry                  1       T1012
Discovery          Peripheral Device Discovery     1       T1120
Discovery          System Information Discovery    2       T1082
Impact             Inhibit System Recovery         3       T1490

Tasks