Analysis

  • max time kernel
    70s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:59

General

  • Target

    c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe

  • Size

    47KB

  • MD5

    f7c48ee1f3ee1b18d255ad98703a5896

  • SHA1

    7c3a082237504d3bf36e47b986e02e014a2b8abc

  • SHA256

    c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6

  • SHA512

    5d5dd72488555f937aa23e674b69a0fc1eaeda38f66450858f3e9b8fe55160a02ece08ed4b6475a62810ebd24b2e2d83ae08ebf2df54b39c174f05027bb608ce

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_3CA64D43.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO EDP.com ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. ATTENTION ! We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties. Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://p6o7m73ujalhgkiv.onion/?p=171 We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links. So if you want to avoid such a harm for your reputation, better pay the amount that we asking for. ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171 d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---RAGNAR SECRET--- NmJFQ0EyYjJBRkZmQkMxRGZmMGFhMEVhYUFkNDY4YmVjMDkwM2I1ZTRFYTU4ZWNkZTNDMjY0YkM1NWM3Mzg5RQ== ---RAGNAR SECRET--- ***********************************************************************************
URLs

http://p6o7m73ujalhgkiv.onion/?p=171

http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E

http://p6o7m73ujalhgkiv.onion/?page_id=171

Signatures

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1540
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_3CA64D43.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

    Filesize

    8KB