General

  • Target

    afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68.sample

  • Size

    5.7MB

  • Sample

    210726-qhr7wwgqx6

  • MD5

    14e0a802b64a6ce08f1ee408655257e4

  • SHA1

    5c7b10241c27005b804119be34b18d9ae38c2d39

  • SHA256

    afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68

  • SHA512

    a885622588a200097f5bd8e22ccf96d370ceb53883e4b680fcbd19a1d38a1ed81558f40fce7941e95da708508a842b75a58937e1d7d10c4e0f0d8ad50e82086c

Malware Config

Extracted

Path

C:\Users\Public\Documents\!!!_READ_ME_3CA64D43_!!!.txt

Ransom Note
*************************************************************************************************************** HELLO Campari_Group ! If you reading this message, it means your network was PENETRATED and all of your files and data has been ENCRYPTED by R A G N A R L O C K E R ! *************************************************************************************************************** *YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL* (contact information you will find at the bottom of this notes) !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT Use any third-party or public Decryption software, it also may DAMAGE files. DO NOT Shutdown or Reset your system, it can DAMAGE files ------------------------------------- There is ONLY ONE possible way to get back your files - contact us via LIVE CHAT and pay for the special DECRYPTION KEY ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, to show that it Works. Don't waste your TIME, the link for contact us will be deleted if there is no contact made in closest time and you will NEVER restore your DATA. !!! HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. ! WARNING ! ! Whole your International Corporate Network was fully COMPROMISED ! We have BREACHED your security perimeter and get access to every server of company's Network in different countries across all your international offices. So we has DOWNLOADED more than 2TB total volume of your PRIVATE SENSITIVE Data, including: -Accounting files, Banking Statements, Government letters, Licensing certificates -Confidential and/or Proprietary Business information, Celebrity Agreements, Clients and Employees Personal information (including Social Security Numbers, Addresses, Phone numbers and etc.) -Corporate Agreements and Contracts with distributors, importers, retailers, Non-Disclosure Agreements -Also we have your Private Corporate Correspondence, Emails and Workbooks, Marketing presentations, Audit reports and a lot of other Sensitive Information If NO Deal made than all your Data will be Published and/or Sold through an auction to any third-parties - There are some screenshots just as a proofs of what we got on you. (you can find more on Temporary Leak Page) Screenshots: https://prnt.sc/va9w5v https://prnt.sc/vam4mz https://prnt.sc/val3ll https://prnt.sc/vaa5kh https://prnt.sc/va9xdb https://prnt.sc/va9z18 https://prnt.sc/va9wwj https://prnt.sc/vaad5d ------------------------------------- Whole data that gathered from your private file-servers and directories could be SOLD to any third-parties and/or PUBLISHED in MASS MEDIA for BREAKING NEWS! Yours partners, clients and investors would be notified about the LEAK, the consequences of LEAK will have a DISASTROUS effect on your company's stock index and reputation. So better contact us ASAP to resolve this issue. If we make a Deal everything would be kept in Secret and all your Data will be Restored, so it is much cheaper and easier way for you to make deal with us, than to pay lawsuit expenses. You can take a look for some more examples of what we have, right now it's a private, temporary and hidden page. But it could be supplemented and become permanent and accessable for Public View if you decide NOT pay. Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg To view the page's content use password: WrNz8hSLai ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?8035A17A1e1cdaABB8BfDecEC0e94FA224C1Fc86D09C60540E56e972EDa7327c c) To visit TEMPORARY LEAK PAGE with your data on our News Blog, open this website : http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg ( password: WrNz8hSLai ) d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---BEGIN RAGN KEY--- ODAzNUExN0ExZTFjZGFBQkI4QmZEZWNFQzBlOTRGQTIyNEMxRmM4NkQwOUM2MDU0MEU1NmU5NzJFRGE3MzI3Yw== ---END RAGN KEY--- ***********************************************************************************
URLs

https://prnt.sc/va9w5v

https://prnt.sc/vam4mz

https://prnt.sc/val3ll

https://prnt.sc/vaa5kh

https://prnt.sc/va9xdb

https://prnt.sc/va9z18

https://prnt.sc/va9wwj

https://prnt.sc/vaad5d

http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg

http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?8035A17A1e1cdaABB8BfDecEC0e94FA224C1Fc86D09C60540E56e972EDa7327c

Targets

    • Target

      afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68.sample

    • Size

      5.7MB

    • MD5

      14e0a802b64a6ce08f1ee408655257e4

    • SHA1

      5c7b10241c27005b804119be34b18d9ae38c2d39

    • SHA256

      afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68

    • SHA512

      a885622588a200097f5bd8e22ccf96d370ceb53883e4b680fcbd19a1d38a1ed81558f40fce7941e95da708508a842b75a58937e1d7d10c4e0f0d8ad50e82086c

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Bootkit

1
T1067

Defense Evasion

File Deletion

1
T1107

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Impact

Inhibit System Recovery

2
T1490

Tasks