General

  • Target

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

  • Size

    169KB

  • Sample

    231012-pr56lscd54

  • MD5

    98562209465bec53327e65649a2b8829

  • SHA1

    3a47656ed3df213bd934aa01078a863568fe9f2b

  • SHA256

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

  • SHA512

    c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

  • SSDEEP

    3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!!Read_Me.389A7.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected]<br>[email protected]<br><br>Device ID:<br>
Emails

[email protected]

[email protected]

[email protected]

Extracted

Path

C:\Users\Admin\Music\!!Read_Me.F1387.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected]<br>[email protected]<br><br>Device ID:<br>
Emails

[email protected]

[email protected]

[email protected]

Targets

    • Target

      b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

    • Size

      169KB

    • MD5

      98562209465bec53327e65649a2b8829

    • SHA1

      3a47656ed3df213bd934aa01078a863568fe9f2b

    • SHA256

      b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

    • SHA512

      c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

    • SSDEEP

      3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (132) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (158) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Windows Firewall

    • Deletes itself

MITRE ATT&CK Enterprise v15

Tasks