ragnarlocker | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1802s
max time network
1786s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Size

39KB
MD5

6171000983cf3896d167e0d8aa9b94ba
SHA1

b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18
SHA256

9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376
SHA512

1b10008d5eaeb3755c899334d416e8d0a30695e093dc597b21e630fd8bde4b9c5d808fd2663f1acd7489e33b947660dacdb80f7f3aa4911cd24d605cfc44e73a
SSDEEP

768:spCmKJILjsoq65corBjd/3oqab0k3RLKul1FX8xUtE:splco4aFoqaXpTX8xa

Score

10^/10

ragnarlocker bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_0540BF83.txt

Ransom Note

Hello PSE_CREDIT_UNION ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1E6EjTqYPHLj1uovPKKRXzMpPCcpAcVuiU Amount to pay (in Bitcoin): 60 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- MmE2RjY2N2YwNUZlYmRERjNhZGY4MWY0Y0NiMUEwNEIwRkYyQUZhNDE5QjEwNzYzODhGZjE2QWM5ZGFEYzEwYg== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1E6EjTqYPHLj1uovPKKRXzMpPCcpAcVuiU

URLs

https://tox.chat/download.html

Signatures

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Ragnar_11_02_2020_40KB.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreFormat.png => C:\Users\Admin\Pictures\RestoreFormat.png.ragnar_0540BF83	Ragnar_11_02_2020_40KB.exe
File renamed	C:\Users\Admin\Pictures\ResumeOpen.png => C:\Users\Admin\Pictures\ResumeOpen.png.ragnar_0540BF83	Ragnar_11_02_2020_40KB.exe
File renamed	C:\Users\Admin\Pictures\ApproveEnable.png => C:\Users\Admin\Pictures\ApproveEnable.png.ragnar_0540BF83	Ragnar_11_02_2020_40KB.exe
File renamed	C:\Users\Admin\Pictures\RenameRevoke.crw => C:\Users\Admin\Pictures\RenameRevoke.crw.ragnar_0540BF83	Ragnar_11_02_2020_40KB.exe

Drops startup file 1 IoCs

Processes:

Ragnar_11_02_2020_40KB.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_0540BF83.txt Ragnar_11_02_2020_40KB.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Ragnar_11_02_2020_40KB.exe

description ioc process

File opened (read-only) \??\E: Ragnar_11_02_2020_40KB.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Ragnar_11_02_2020_40KB.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 Ragnar_11_02_2020_40KB.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe

description	ioc	process
File opened (read-only)	\??\E:	Ragnar_11_02_2020_40KB.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	Ragnar_11_02_2020_40KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

Ragnar_11_02_2020_40KB.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\Fonts\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-lightunplated.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-200.png	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\CamMDL2.ttf	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-200.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-150.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-unplated_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.Tile.winmd	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-100.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-unplated.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-unplated_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-100.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-200.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-16_altform-unplated.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-48.png	Ragnar_11_02_2020_40KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-lightunplated.png	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RGNR_0540BF83.txt	Ragnar_11_02_2020_40KB.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ragnar_11_02_2020_40KB.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	Ragnar_11_02_2020_40KB.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Ragnar_11_02_2020_40KB.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Ragnar_11_02_2020_40KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	Ragnar_11_02_2020_40KB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	Ragnar_11_02_2020_40KB.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1292 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1120 notepad.exe

pid	process
1292	vssadmin.exe

pid	process
1120	notepad.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3172	wmic.exe
Token: SeSecurityPrivilege	3172	wmic.exe
Token: SeTakeOwnershipPrivilege	3172	wmic.exe
Token: SeLoadDriverPrivilege	3172	wmic.exe
Token: SeSystemProfilePrivilege	3172	wmic.exe
Token: SeSystemtimePrivilege	3172	wmic.exe
Token: SeProfSingleProcessPrivilege	3172	wmic.exe
Token: SeIncBasePriorityPrivilege	3172	wmic.exe
Token: SeCreatePagefilePrivilege	3172	wmic.exe
Token: SeBackupPrivilege	3172	wmic.exe
Token: SeRestorePrivilege	3172	wmic.exe
Token: SeShutdownPrivilege	3172	wmic.exe
Token: SeDebugPrivilege	3172	wmic.exe
Token: SeSystemEnvironmentPrivilege	3172	wmic.exe
Token: SeRemoteShutdownPrivilege	3172	wmic.exe
Token: SeUndockPrivilege	3172	wmic.exe
Token: SeManageVolumePrivilege	3172	wmic.exe
Token: 33	3172	wmic.exe
Token: 34	3172	wmic.exe
Token: 35	3172	wmic.exe
Token: 36	3172	wmic.exe
Token: SeIncreaseQuotaPrivilege	3172	wmic.exe
Token: SeSecurityPrivilege	3172	wmic.exe
Token: SeTakeOwnershipPrivilege	3172	wmic.exe
Token: SeLoadDriverPrivilege	3172	wmic.exe
Token: SeSystemProfilePrivilege	3172	wmic.exe
Token: SeSystemtimePrivilege	3172	wmic.exe
Token: SeProfSingleProcessPrivilege	3172	wmic.exe
Token: SeIncBasePriorityPrivilege	3172	wmic.exe
Token: SeCreatePagefilePrivilege	3172	wmic.exe
Token: SeBackupPrivilege	3172	wmic.exe
Token: SeRestorePrivilege	3172	wmic.exe
Token: SeShutdownPrivilege	3172	wmic.exe
Token: SeDebugPrivilege	3172	wmic.exe
Token: SeSystemEnvironmentPrivilege	3172	wmic.exe
Token: SeRemoteShutdownPrivilege	3172	wmic.exe
Token: SeUndockPrivilege	3172	wmic.exe
Token: SeManageVolumePrivilege	3172	wmic.exe
Token: 33	3172	wmic.exe
Token: 34	3172	wmic.exe
Token: 35	3172	wmic.exe
Token: 36	3172	wmic.exe
Token: SeBackupPrivilege	4108	vssvc.exe
Token: SeRestorePrivilege	4108	vssvc.exe
Token: SeAuditPrivilege	4108	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Ragnar_11_02_2020_40KB.exe

description	pid	process	target process
PID 1708 wrote to memory of 3172	1708	Ragnar_11_02_2020_40KB.exe	wmic.exe
PID 1708 wrote to memory of 3172	1708	Ragnar_11_02_2020_40KB.exe	wmic.exe
PID 1708 wrote to memory of 1292	1708	Ragnar_11_02_2020_40KB.exe	vssadmin.exe
PID 1708 wrote to memory of 1292	1708	Ragnar_11_02_2020_40KB.exe	vssadmin.exe
PID 1708 wrote to memory of 1120	1708	Ragnar_11_02_2020_40KB.exe	notepad.exe
PID 1708 wrote to memory of 1120	1708	Ragnar_11_02_2020_40KB.exe	notepad.exe
PID 1708 wrote to memory of 1120	1708	Ragnar_11_02_2020_40KB.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ragnar_11_02_2020_40KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ragnar_11_02_2020_40KB.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1292
- C:\Windows\SysWOW64\notepad.exe
  C:\Users\Public\Documents\RGNR_0540BF83.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\RGNR_0540BF83.txt

Filesize
3KB

MD5
a542fcfee82ad3375a5adf7df8997d88

SHA1
b6a001fae92f9e8f4d580438b7170fd29d4f0722

SHA256
11d42766b1cb0b76e7d3d040ddd90ea8243992145d831852b277e3b0d670f1e0

SHA512
89a81e4ea3746d4c880fe7a50f00b259c66938eb776a43c9f6518bdb3f3f3f4808a120451e09e3bbe82b5175924d17aaf36a9b60f4530888d1d1fb985ffd76e0

Download Submit
memory/1120-134-0x0000000000000000-mapping.dmp

Download
memory/1292-133-0x0000000000000000-mapping.dmp

Download
memory/3172-132-0x0000000000000000-mapping.dmp

Download