Analysis

  • max time kernel
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2023, 13:06

General

  • Target

    since1969.exe

  • Size

    210KB

  • MD5

    48452dd2506831d0b340e45b08799623

  • SHA1

    74993759f49d123ec334111f29cdbbf2e0276b58

  • SHA256

    b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c

  • SHA512

    5a0b4f5884ae2d302661b0581ab2475c1403555af0f531e1d0c29e240454dfe9979a32979d30856c5ad5da0ea1ffac1ec2c16eb6fa07b7ece74e069fcf2e5958

  • SSDEEP

    3072:LNWPHNek0igmpXlZwbvsBQUbtqJQW7xAZ22yz6VoSYMFZoJ8lsPGKLpZnoHq86fa:RGSigm1lmbaBp7O6qSYCiNPhzHa

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!!ReadMe_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note
It's not late to say happy new year right? but how didn't i bring a gift as the first time we met :)
#what happend to your files?
Unfortunately your files are encrypted with rsa4096 and aes encryption,you won't decrypt your files without our tool but don't worry,you can follow the instructions to decrypt your files
1.obviously you need a decrypt tool so that you can decrypt all of your files
2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay
3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID
4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus
5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid
6.it's wise to pay as soon as possible it wont make you more losses
the ransome: 1 btcoin for per machine,5 bitcoins for all machines
how to buy bitcoin and transfer? i think you are very good at googlesearch
[email protected] [email protected] [email protected]
Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted
YOUR DEVICE ID:

Signatures

  • Ragnarok

    Ransomware family deployed from Citrix servers infected via CVE-2019-19781.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  • Renames multiple (187) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall (1 TTPs, 1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (25 IoCs)
  • Interacts with shadow copies (2 TTPs, 1 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\since1969.exe
    "C:\Users\Admin\AppData\Local\Temp\since1969.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4660
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:2956
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2144
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3772
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!ReadMe_To_Decrypt_My_Files.txt
    1⤵
    PID:4900


    Downloads

    • C:\Users\Admin\Desktop\!!ReadMe_To_Decrypt_My_Files.txt

      Filesize

      2KB

      MD5

      73c53961cf78717b53c202185ac16689

      SHA1

      fd7ff71024022ff9b81ba78673cc1bfd921df09d

      SHA256

      8ebb07510fe88303955a0a41368242d7bf9c5c684439952d4f6485cbf819d4c9

      SHA512

      ab6f7aa4c5e15062d389590de0bccb04210ecd6330457fddf4eb92946a3bc46a5f8e9011a68f37a8fa229a623ddec3744dcbca81fa3d7267e9f6c70027223448

    • C:\Users\Admin\Documents\!!ReadMe_To_Decrypt_My_Files.txt

      Filesize

      2KB

      MD5

      73c53961cf78717b53c202185ac16689

      SHA1

      fd7ff71024022ff9b81ba78673cc1bfd921df09d

      SHA256

      8ebb07510fe88303955a0a41368242d7bf9c5c684439952d4f6485cbf819d4c9

      SHA512

      ab6f7aa4c5e15062d389590de0bccb04210ecd6330457fddf4eb92946a3bc46a5f8e9011a68f37a8fa229a623ddec3744dcbca81fa3d7267e9f6c70027223448