Overview

overview

10

Static

static

63096f288f...le.exe

windows7_x64

10

63096f288f...le.exe

windows10_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059.sample.exe

  • Size

    42KB

  • MD5

    0fbbc59d4fe280a55c1fb6f5502c1e73

  • SHA1

    af53890ed1d4753e7493d48862bdd7d18a2b11f6

  • SHA256

    63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059

  • SHA512

    20b87ac354cefa2b75e8edbe30b903c51e4f2c2cb49f59dd40732d964612a69b149cb10274feab5c6971c8adfc91fba11f1ebeba38e1b2d45c6b1b4d3dd37633

Score
10/10
ragnarlockerbootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_A3ED31EC.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO WEGLARZCO! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Reinstall your OS DO NOT Delete readme files ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special DECRYPTION key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities. Don't waste your TIME, the link for contacting us will be deleted in closest future if there is no contact made and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! а) Download and install TOR browser from this site : https://torproject.org b) Open our website : http://mykgoj7uvqtgl367.onion/client/?61bcbDc31F1c894054C3B84aF53C35cF3005e1A69366A6e857a5a4fd60fb7184 c) If Tor is restricted in your area, use VPN Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---RAGNAR SECRET--- NjFiY2JEYzMxRjFjODk0MDU0QzNCODRhRjUzQzM1Y0YzMDA1ZTFBNjkzNjZBNmU4NTdhNWE0ZmQ2MGZiNzE4NA== ---RAGNAR SECRET--- ***********************************************************************************
URLs

http://mykgoj7uvqtgl367.onion/client/?61bcbDc31F1c894054C3B84aF53C35cF3005e1A69366A6e857a5a4fd60fb7184

Signatures

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    ransomwareragnarlocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:224
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:184
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_A3ED31EC.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3924

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\RGNR_A3ED31EC.txt
    MD5

    d19f356619cf3601b00701537298d885

    SHA1

    5b336b29b1e628f7cd888ebdc9c37daf3605bfec

    SHA256

    a6ce938b3bab8c4e494fd1c4067088229d46165ab7eee77f11424c62ebfaa6aa

    SHA512

    c14a92d300b28081626c7fde1bfb7ec5cd1674ea4e3f3f88f20ba58cfa20400f74dd68ca39c2119ed2f66153705cd1651b54266a49d2f6cf5609f2eb553fa46e

    Download Submit

  • memory/184-115-0x0000000000000000-mapping.dmp

    Download

  • memory/212-116-0x0000000000000000-mapping.dmp

    Download

  • memory/224-114-0x0000000000000000-mapping.dmp

    Download