Analysis

  • max time kernel
    220s
  • max time network
    365s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 08:58

General

  • Target

    data.exe

  • Size

    204KB

  • MD5

    fcd9a9e76d99cf8b85a817eee770a333

  • SHA1

    1a7a938bb4b88c9a840c0f2935663d3a207c3f26

  • SHA256

    0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6

  • SHA512

    ae1c9536e717efebd175ba6cd820740a007c0b31bdcff94aab6b55f940aee4e2406a1e1d6a83ca410ff0018ea049b856a3dc914c49faa3cf74b9e557faab58e5

Malware Config

Extracted

Path

C:\Users\Public\Documents\!!!_READ_ME_7E8535F5_!!!.txt

Family

ragnarlocker

Ransom Note

*****************************************************************************************************************
HELLO Biologicale_Ltd !
IF YOU ARE READING THIS, IT'S MEAN YOUR DATA WAS ENCRYPTED AND YOU SENSITIVE PRIVATE INFORMATION WAS STOLEN!
READ CAREFULLY THE WHOLE INSTRUCTION NOTES TO AVOID DIFFICULTIES WITH YOUR DATA by RAGNAR_LOCKER !
*****************************************************************************************************************
*YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL* (contact information you will find at the bottom of this notes)
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT Use any third-party or public Decryption software, it also may DAMAGE files.
DO NOT Shutdown or Reset your system, it can DAMAGE files
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us via LIVE CHAT and pay for the special DECRYPTION KEY !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, to show that it Works.
Don't waste your TIME, the link for contact us will be deleted if there is no contact made in closest time and you will NEVER restore your DATA.
!!! HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
! WARNING !
Whole your network was fully COMPROMISED! We has BREACHED your security perimeter and DOWNLOADED your PRIVATE SENSITIVE Data, including your: Accounting, Financial, Confidential and/or Proprietary Business information, Medical Certificates, Clients and Employees personal information, Business Agreements and Contracts, Administrator's Folders and many other! Also we have your Private Corporate Correspondence, Emails and Workbooks, Private Documents and etc.
If the deal wouldn't be made than all your data can be sold through an auction to any third-parties.
- There are some screenshots just as a proofs of what we got on you. (you can find more on Leak Page)
Screenshots:
https://prnt.sc/v36ygd
https://prnt.sc/v37089
https://prnt.sc/v36yxt
https://prnt.sc/v36zio
https://prnt.sc/v36xi8
https://prnt.sc/v370oi
-------------------------------------
Whole data that gathered from your private files and directories could be SOLD to any third-parties and/or PUBLISHED in MASS MEDIA for BREAKING NEWS! Yours partners, clients and investors would be notified about LEAK, the consequences will have a DISASTROUS effect on your company's reputation!
However if we make a Deal everything would be kept in Secret and all your data will be Restored, so it is much cheaper and easier way for you than lawsuits expenses.
You can take a look for some more examples of what we have, right now it's a private, temporary and hidden page, but it could become permanent and accessable for Public View if you decide NOT pay.
Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg
To view the page's content use password: Srw07kjats
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?384fAE1DDC9DE3D3b670f7961AEEAA6DBDaCfb972D6Fff48Baf0bcc6c1da2FAc
c) To visit our NEWS LEAK BLOG with your data, open this website : http://p6o7m73ujalhgkiv.onion/?http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg ( password:Srw07kjats)
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website. At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---BEGIN RAGN KEY---
Mzg0ZkFFMUREQzlERTNEM2I2NzBmNzk2MUFFRUFBNkRCRGFDZmI5NzJENkZmZjQ4QmFmMGJjYzZjMWRhMkZBYw==
---END RAGN KEY---
***********************************************************************************

URLs

https://prnt.sc/v36ygd

https://prnt.sc/v37089

https://prnt.sc/v36yxt

https://prnt.sc/v36zio

https://prnt.sc/v36xi8

https://prnt.sc/v370oi

http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg

http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?384fAE1DDC9DE3D3b670f7961AEEAA6DBDaCfb972D6Fff48Baf0bcc6c1da2FAc

http://p6o7m73ujalhgkiv.onion/?http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg
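The extracted note carries its own cross-check: the RAGN KEY block is base64 text, and the live-chat URL in step b) ends in a 64-character hex identifier. The Python below is an added triage example, not code from the sandbox or from the malware. It parses the note for the victim name, the 8-hex-digit ID embedded in the file name, the .onion URLs and the RAGN KEY, decodes the key and checks whether it is the same value as the chat URL's client identifier. The note excerpt embedded in the script is copied from the note above; the field names and the parse_note/decode_ragn_key helpers are this example's own.

```python
"""Parser for the extracted RagnarLocker note above.  Added triage example,
not code from the sandbox or from the malware: it pulls the victim name,
note ID, .onion URLs and RAGN KEY out of the note, base64-decodes the key,
and checks it against the client identifier that ends the live-chat URL."""
import base64
import re

# Drop path from the report and a constructed excerpt of the note text
# (only the lines the parser needs; the full note is shown above).
NOTE_PATH = r"C:\Users\Public\Documents\!!!_READ_ME_7E8535F5_!!!.txt"
NOTE_TEXT = """HELLO Biologicale_Ltd ! IF YOU ARE READING THIS, IT'S MEAN YOUR DATA WAS ENCRYPTED
Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg
To view the page's content use password: Srw07kjats
b) For contact us via LIVE CHAT open our website : http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?384fAE1DDC9DE3D3b670f7961AEEAA6DBDaCfb972D6Fff48Baf0bcc6c1da2FAc
---BEGIN RAGN KEY---
Mzg0ZkFFMUREQzlERTNEM2I2NzBmNzk2MUFFRUFBNkRCRGFDZmI5NzJENkZmZjQ4QmFmMGJjYzZjMWRhMkZBYw==
---END RAGN KEY---
"""

VICTIM_RE = re.compile(r"HELLO\s+(\S+)\s*!")
NOTE_ID_RE = re.compile(r"READ_ME_([0-9A-Fa-f]{8})_")
# v2 (16 chars) and v3 (56 chars) onion hostnames, plus path and query
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s)]*")
KEY_RE = re.compile(r"---BEGIN RAGN KEY---\s*([A-Za-z0-9+/=]+)\s*---END RAGN KEY---")


def decode_ragn_key(b64):
    """Strict base64 decode; return the hex string inside, or None if the
    block is not valid base64 or does not decode to ASCII hex."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if re.fullmatch(r"[0-9A-Fa-f]+", text) else None


def parse_note(text, path):
    """Return the triage fields pulled from one note plus its drop path."""
    result = {"victim": None, "note_id": None, "onion_urls": [],
              "chat_url": None, "client_id": None, "ragn_key": None,
              "key_matches_client_id": False}
    m = VICTIM_RE.search(text)
    if m:
        result["victim"] = m.group(1)
    m = NOTE_ID_RE.search(path)
    if m:
        result["note_id"] = m.group(1)
    for url in ONION_RE.findall(text):
        if url not in result["onion_urls"]:
            result["onion_urls"].append(url)
        if "/client/?" in url:            # live-chat URL carries the client ID
            result["chat_url"] = url
            result["client_id"] = url.rsplit("/client/?", 1)[1]
    m = KEY_RE.search(text)
    if m:
        result["ragn_key"] = decode_ragn_key(m.group(1))
    result["key_matches_client_id"] = (
        result["ragn_key"] is not None and result["ragn_key"] == result["client_id"])
    return result


if __name__ == "__main__":
    for key, value in parse_note(NOTE_TEXT, NOTE_PATH).items():
        print(f"{key}: {value}")
```

The key/ID match matters for triage: both values are the victim-specific token the operators use to look the case up, so either one is enough to tie a note found on another host to the same campaign, and the chat URL's hostname and the leak-site hostname are the blockable network indicators.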

Signatures

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data.exe
    "C:\Users\Admin\AppData\Local\Temp\data.exe"
    1⤵
    • Checks BIOS information in registry
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3264
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4688
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1652
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit /set {globalsettings} advancedoptions false
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1852
    • C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\!!!_READ_ME_7E8535F5_!!!.txt
      2⤵
      PID:3556
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:824
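The process tree above is the T1490 pattern in a single parent: data.exe (PID 3608) spawns wmic.exe shadowcopy delete and three bcdedit changes that disable recovery, suppress boot-failure prompts and hide the advanced boot menu. The Python below is an added example, not sandbox output. It runs simple detection logic over constructed process-creation records whose field names are loosely modelled on Sysmon event ID 1; the PIDs, images and command lines are taken from the tree above, and one extra bcdedit /enum record from cmd.exe is a made-up benign control that does not appear in the report. It alerts only when the same parent both removes shadow copies and tampers with boot configuration, so a lone administrative bcdedit does not fire.

```python
"""Detection logic for the recovery-inhibition chain in the process tree
above.  Added example, not sandbox output: it scans process-creation
records and alerts when one parent both deletes shadow copies and changes
boot configuration (ATT&CK T1490, Inhibit System Recovery)."""
import json
import re

# Rules over the normalised command line: (label, category, regex).
# Category "shadow" = backup destruction, "bcd" = boot-config tampering.
RULES = [
    ("wmic shadowcopy delete", "shadow",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin delete shadows", "shadow",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("bcdedit recoveryenabled No", "bcd",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit bootstatuspolicy IgnoreAllFailures", "bcd",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit advancedoptions false", "bcd",
     re.compile(r"\bbcdedit(\.exe)?\b.*\badvancedoptions\s+false\b")),
]

# Constructed process-creation records, field names loosely modelled on
# Sysmon event ID 1.  PIDs, images and command lines come from the tree
# above; the last record (bcdedit /enum under cmd.exe) is a made-up benign
# control that is not in the report.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ProcessId": 3264, "ParentProcessId": 3608, "Image": "C:\\Windows\\System32\\Wbem\\wmic.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\data.exe", "CommandLine": "wmic.exe shadowcopy delete"}
{"ProcessId": 4688, "ParentProcessId": 3608, "Image": "C:\\Windows\\SYSTEM32\\bcdedit.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\data.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"ProcessId": 1652, "ParentProcessId": 3608, "Image": "C:\\Windows\\SYSTEM32\\bcdedit.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\data.exe", "CommandLine": "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"}
{"ProcessId": 1852, "ParentProcessId": 3608, "Image": "C:\\Windows\\SYSTEM32\\bcdedit.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\data.exe", "CommandLine": "bcdedit /set {globalsettings} advancedoptions false"}
{"ProcessId": 3556, "ParentProcessId": 3608, "Image": "C:\\Windows\\SysWOW64\\notepad.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\data.exe", "CommandLine": "C:\\Users\\Public\\Documents\\!!!_READ_ME_7E8535F5_!!!.txt"}
{"ProcessId": 5120, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\bcdedit.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bcdedit /enum"}
""".strip().splitlines()]


def normalise(cmdline):
    """Lower-case, strip quotes and collapse whitespace so spacing or
    quoting variations do not dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def classify(cmdline):
    """(label, category) for every rule the command line matches."""
    norm = normalise(cmdline)
    return [(label, cat) for label, cat, rx in RULES if rx.search(norm)]


def detect_recovery_inhibition(events):
    """Group rule hits by parent PID and alert on parents that both removed
    shadow copies and tampered with boot configuration."""
    by_parent = {}
    for ev in events:
        hits = classify(ev["CommandLine"])
        if not hits:
            continue
        slot = by_parent.setdefault(
            ev["ParentProcessId"], {"parent_image": ev["ParentImage"], "hits": []})
        for label, cat in hits:
            slot["hits"].append({"pid": ev["ProcessId"], "rule": label, "category": cat})
    alerts = []
    for ppid, slot in by_parent.items():
        categories = {h["category"] for h in slot["hits"]}
        if {"shadow", "bcd"} <= categories:
            alerts.append({"parent_pid": ppid, "parent_image": slot["parent_image"],
                           "technique": "T1490", "hits": slot["hits"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"ALERT {alert['technique']} parent {alert['parent_image']} (PID {alert['parent_pid']})")
        for hit in alert["hits"]:
            print(f"  PID {hit['pid']}: {hit['rule']}")
```

In production the same grouping key would be parent process GUID rather than PID, since PIDs are reused, and the rule set would be widened with the other backup-destruction commands (wbadmin delete catalog, diskshadow) that RagnarLocker-style tooling uses; the correlation of backup destruction with boot-config tampering under one parent is what keeps the alert precise.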

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit, T1067 (1)
  • Defense Evasion: File Deletion, T1107 (1)
  • Discovery: Query Registry, T1012 (3)
  • Discovery: System Information Discovery, T1082 (4)
  • Discovery: Peripheral Device Discovery, T1120 (2)
  • Impact: Inhibit System Recovery, T1490 (2)


Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!!!_READ_ME_7E8535F5_!!!.txt
    MD5

    1674b7ab446d41ae994f4e8eff92a043

    SHA1

    6ee5bcaf2ee46a2e0347d5084090a2a47b16c078

    SHA256

    09aaf59a25a64cc1a73626680bbcae9aaba9bcd7e900db633dad42b08655e573

    SHA512

    7cf48e94934b720e2645e15cb1abdd3fe8b1e2565d308c0a6cf1f506532bdfa5a7aece531213937cd83def0e4900d5dc0bc3016a1904a2cb3f0570bcf2b41c8b

  • C:\Users\Public\Documents\!!!_READ_ME_7E8535F5_!!!.txt
    MD5

    1674b7ab446d41ae994f4e8eff92a043

    SHA1

    6ee5bcaf2ee46a2e0347d5084090a2a47b16c078

    SHA256

    09aaf59a25a64cc1a73626680bbcae9aaba9bcd7e900db633dad42b08655e573

    SHA512

    7cf48e94934b720e2645e15cb1abdd3fe8b1e2565d308c0a6cf1f506532bdfa5a7aece531213937cd83def0e4900d5dc0bc3016a1904a2cb3f0570bcf2b41c8b

  • memory/1652-119-0x0000000000000000-mapping.dmp
  • memory/1852-120-0x0000000000000000-mapping.dmp
  • memory/3264-117-0x0000000000000000-mapping.dmp
  • memory/3556-122-0x0000000000000000-mapping.dmp
  • memory/3608-116-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

  • memory/3608-115-0x0000000000590000-0x0000000000592000-memory.dmp
    Filesize

    8KB

  • memory/4688-118-0x0000000000000000-mapping.dmp