Analysis

  • max time kernel
    53s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-10-2024 04:17

General

  • Target

    https://github.com/ThreatLabz/ransomware_notes

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\ransomware_notes-main.zip

Family

avaddon

Ransom Note

Extracted

Path

C:\Users\Admin\Downloads\ransomware_notes-main\stop\stop.txt

Ransom Note
ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-V2fE396VPW
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
[snip]
URLs

https://we.tl/t-V2fE396VPW

Extracted

Path

C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\!_^_README_NOTES_RAGNAR_^_!.txt

Ransom Note
********************************************************************************************************************
HELLO [snip] !
If you reading this message, it means your network was PENETRATED and your most sensitive files were COMPROMISED
-------------------------------------------------
|                                               |
|        by R A G N A R L O C K E R !           |
|                                               |
-------------------------------------------------
********************************************************************************************************************
[ YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL ]
(contact information you will find at the bottom of this notes)

**** WARNING ****
DO NOT Hire any third-party negotiators (recovery/FBI/police and etc), otherwise we will close chat immediately and Publish your Data.
---------------------------------------------------------------------------------------------------------------------------------------

----[WHAT'S HAPPENED]
With this message we want to let you know that we has obtained access everywhere in your network and we was able to encrypt your files and servers. However, we didn't do that only because of willing to avoid interruption in hospitals normal business processes and don't put health of the patients under risk. But unfortunately, you has allowed data leak, about 1TB of personal data was compromised. So, your clients didn't get the required protection.
Tottally we has DOWNLOADED about 1TB of your CONFIDENTIAL and most SENSITIVE Data just in case if you will NOT PAY, if so, than everything will be PUBLISHED in Media and/or SOLD to any third-party.

WE HAS COLLECTED SUCH DATA AS:
- Medical record, medical history, Information regarding diagnoses and surgeries
- Clients personal info: Relatives/Address/DOB/email/phones and etc., Private letters and correspondence
- Departments: Oncology, Pediatrics, Surgery, Urology, Oculist, Cardiology, Gynecology and others
- Financial reports, Revenue, Budgets, Payrolls, Expenses, Bank statements
- Databases, Credentials, access to emails and accounts, Passwords, Workfiles
- And many other sensitive data...

----[WHAT SHOULD YOU DO]
- You have to contact us as soon as possible (you can find contacts below)
- You should make a Deal with us, to avoid LEAK of your Sensitive Data
- You should avoid any scammers using our name in different communication ways. We communicate only via LIVE CHAT
- You should avoid any third-party negotiators and recovery groups

----[YOUR OPTIONS]
1) IF NO CONTACT OR DEAL MADE IN 3 DAYS:
All your Data will be Published and/or Sold to any third-parties
Information regarding vulnerabilities of your network also can be published and/or sold
Such Leakage will have disastrous consequences to your business reputation.
2) If WE MAKE A DEAL:
We will remove all your files from our file-storage with proof of Deletion
We will permanently delete post with your company name
We guarantee to avoid sharing any details with third-parties
We will provide you with the penetration report and list of security-recommendations

[Here are couple of screenshots just as a proofs of Data possession, you can find more in our Leak Blog]
Screenshots:
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
-------------------------------------------------------------------------------------------------------------

LEAK BLOG ACCESS:
This temporary post stays hidden only during 3(three) days until we make a Deal.
If the Deal not made, Post would be supplemented and become permanent and accessible for everyone!
LEAK BLOG: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
Password: [snip]
(use Tor Browser to open the link)
======================================================================

[ HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1) Download and install TOR browser from this site : https://torproject.org
2) For contact us via LIVE CHAT open our website : http://ragnarmj3hlykxstyanwtgf33eyacccleg45ctygkuw7dkgysict6xyd.onion/client/?[snip]
3) To visit TEMPORARY LEAK PAGE with your data on our Leaks Blog open this website: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
password: [snip]
4) If Tor is restricted in your area, use VPN
5) All your Data will be published in 3(three) Days if NO contact made
6) Information regarding vulnerabilities in your network will be Sold or Published
7) Your Data will be published if you will hire third-party negotiators to contact us

*We advise you to find some information about us in google
Also check the tab "About Us" in our Blog (http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us)
URLs

https://prnt.sc/[snip]

http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]

http://ragnarmj3hlykxstyanwtgf33eyacccleg45ctygkuw7dkgysict6xyd.onion/client/?[snip]

http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us

Extracted

Path

C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\ragnarlocker1.txt

Ransom Note
***************************************************************************************************************
HELLO [snip] !
If you reading this message, it means your network was PENETRATED and all of your files and data has been ENCRYPTED
-------------------------------------------------
|                                               |
|        by R A G N A R L O C K E R !           |
|                                               |
-------------------------------------------------
***************************************************************************************************************
[ YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL ]
(contact information you will find at the bottom of this notes)

**** WARNING ****
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT Use any third-party or public Decryption software, it also may DAMAGE files.
DO NOT Shutdown or Reset your system, it can DAMAGE files
---------------------------------------------------------------------

----[WHAT'S HAPPENED]
Your security perimeter was BREACHED and all files on your critically important servers and hosts were completely ENCRYPTED.
Also we has DOWNLOADED about 500GB of your's most SENSITIVE Data just in case if you will NOT PAY, than everything will be PUBLISHED in Media and/or SOLD to any third-party.
We have collected the most important info such as:
-Accounting files, Financial Reports, Banking and Billing statements, HR documents, Payrolls, AFIP/ASIF databases
-Logistics Files, SQL Databases, ID cards, DL's, Transport Documents, Certificates of Transport Ministry, Phonebooks
-Confidential Agreements, Corporate Contracts, WorkFiles, Clients Information, License Keys, Surveillance cameras video
-Also we have your Private emails in .msg and .pst files and a lot of other Sensitive info.

----[WHAT SHOULD YOU DO]
- You have to contact us as soon as possible(you can find contacts below), we are offering discounts for quick deals so price can be better if you will respect our time.
- You should purchase our decryption tool, so will be able to restore your files. Without our Decryption keys it's impossible.
- You should make a Deal with us, to avoid your Data leakage.
- You should stay away from any third-parties recovery soft, since it could damage files.
- You should avoid any scammers using our name in different communication ways. We communicate only via LIVE CHAT

----[YOUR OPTIONS]
#1 If NO contact or Deal made in 3(three) Days than all your Data will be Published and/or Sold to any third-parties, Decryption key will be deleted permanently and recovery will be impossible. Also this would be disastrous consequences to your's business reputation.
#2 If we make a Deal: We will provide you with the Decryption Key and Manual how-to-use. We will remove all your files from our file-storage with proof of Deletion and delete posts regarding your company with Guarantee to avoid any Data Leaks to public or to any third-parties. Also we will help you to improve the security measures and provide you with the technical report and list of security-recommendations.
----

[There are couple of screenshots just as a proofs of data possession, you can find more in our Leak Blog]
Screenshots:
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
---------------------------------------------------------------------

Leak Blog Access:
This temporary post stays hidden only during 4(four) days until we make a Deal. Later, if we don't make a Deal it would be supplemented and become permanent and accessible for everyone.
Leak Blog: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
Password: [snip]
(use Tor Browser to open the link)
======================================================================

[ HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://ragnarjtm25k3w4cy6kvfttfhm24mpynikjt7yll5pvpfo4a7yuzweyd.onion/client/?[snip]
c) To visit TEMPORARY LEAK PAGE with your data on our News Blog, open this website: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
password: [snip]
d) If Tor is restricted in your area, use VPN
e) All your Data will be published in 4(four) Days if NO contact made
f) Your Decryption keys will be permanently destroyed in 4(four) Days if no contact made

When you open LIVE CHAT website follow rules :
Follow the instructions on the website. At the top you will find CHAT tab. Send message to us and wait for response (we are not online 24/7, So you have to wait for your turn).

*We advise you to find some information about us in google and also check the tab "About Us" in our Blog (http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us)
***********************************************************************************
---A PRIVATE KEY---
[snip]
---Z PRIVATE KEY---
***********************************************************************************
URLs

https://prnt.sc/[snip]

http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]

http://ragnarjtm25k3w4cy6kvfttfhm24mpynikjt7yll5pvpfo4a7yuzweyd.onion/client/?[snip]

http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Azov

    A wiper seeking only damage, first seen in 2022.

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Maze

    Ransomware family also known as ChaCha.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ThreatLabz/ransomware_notes
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1752
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff26d146f8,0x7fff26d14708,0x7fff26d14718
        PID:4292
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        PID:1936
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        • Suspicious behavior: EnumeratesProcesses
        PID:1488
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        PID:1604
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        PID:4560
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        PID:1920
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
        PID:2468
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
        • Suspicious behavior: EnumeratesProcesses
        PID:2868
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
        PID:4772
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        PID:2840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        • Suspicious behavior: EnumeratesProcesses
        PID:3568
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
        PID:4988
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
        PID:3552
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
        PID:372
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
        PID:2724
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:4564
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:1740
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5364
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ransomware_notes-main\" -spe -an -ai#7zMap18184:104:7zEvent31844
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5492
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\stop\stop.txt
    PID:4212
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\!_^_README_NOTES_RAGNAR_^_!.txt
    PID:5660
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\ragnarlocker1.txt
    PID:5812

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7006aacd11b992cd29fca21e619e86ea
  SHA1: f224b726a114d4c73d7379236739d5fbb8e7f7b7
  SHA256: 3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814
  SHA512: 6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b80cf20d9e8cf6a579981bfaab1bdce2
  SHA1: 171a886be3a882bd04206295ce7f1db5b8b7035e
  SHA256: 10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1
  SHA512: 0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: d0f32bbade3a60816721747adf749844
  SHA1: 6216d9faa250c24031a389ada572609cc791dbb4
  SHA256: 186f3b86d904f1ee22879da7590e3e9b28c4733b4d56b559193580b8dcf85e7c
  SHA512: e71381927ea7ae8513281d0cfd4c603c4f59555724120df2e79e765c53a9220c4de4219e5f1ee6565ce8c2f7ea776b85dee9ac9a012b766dabae0c51e80ea07b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 2bc87bbe4ac07df95144c3fc4a292ad2
  SHA1: b9a8e8bf9491e851c1092b154b14ca4a4136028c
  SHA256: 492bfdb55846def947cf184f07c91f064f2f41b94cd4588880b630930948bbb3
  SHA512: 98380c914f33e637cb9aee556c6a7cacd3b58eb560371bf8ecde185d3ead3673b083357ba424ab1944ac08c7ebfde671850101d6658ac1556911400fca3cc840

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 12c0ceece17cea6e2702890fb65f2108
  SHA1: e35c5a402c25213847b42dc62c1070e57fd0e6ab
  SHA256: d9750d32111bbea304ae3fcad1604fd7d81d51fd18c3f2204a56b023ef9d8a52
  SHA512: af6cdfbbdce836d62fde8208bc2ee06f6e9bfeaf309f6a61c67671b7e8965a86cc2e18852aff86437d358a20a7fd7daeb85deffe019fd82761e85a19137d1e25

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 5075e4466019fd7523453ca1104c8eb4
  SHA1: 4702b445ce3eb19d06758228f91ea07d4086c1f0
  SHA256: 8c9e34bfad2288cedd0f4c422e1d72cce86fc61f7acd980ffe5a5e4327bc4aea
  SHA512: ffc95b044a37e4a76bed5fd74269d612142186f47b7e06acf402857b277d37fa8c1693846d13d99426fc8622b3adeb866c1cf059a060dacc890ffffe70613a80

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e918.TMP
  Filesize: 1KB
  MD5: 1533f16376cf89f6bd51dcf0ce753bf4
  SHA1: fe9bf9ada77a59d1ac5403260687b4c0a7ca37e3
  SHA256: 50902ad694bf6169a3160427638d2d9a3e6e45eee232d1e47e22a1fe99bd9461
  SHA512: 7c2396be049b788b88f9109620e2c3a91b3bcd2c9b5c84e1a17bfcae4be981e0fb0d4a71061f17e133bb73dc1cdcb21b12bc7ed3f58702a4589ceff06d3b1ef3

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 40d01ac64b37484a56a9caade639870b
  SHA1: 0614b60bbd7d192046c5aad6709b914a2941e5ca
  SHA256: 8c911010c31abb9e181202f6b9ffe5a0f76bb2c31a28930b36a700f01c7fa0eb
  SHA512: 4505748cdff66cb3100e6e1b3771d03fd2ada0c3be3768c95542ce7f3254e885646221557954d339f54815695d59ff4a99fc92b4c9b8c6a5dbdaab25b07a0a8c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 0125e01d1b38a881d46eb60e1df828c3
  SHA1: 91deb9005ef3c48e759a40f93f23029abcb2d161
  SHA256: 1994b9fc98b2b24c391aa2048b338092fdc2d2c02a2b617e76a3fabdaa27d92f
  SHA512: 9ca433342f3f2bf4ca7f88f487aa6f976e87cdca8004c3f38875372f75b01ad6fef98be7b12947ccf1b2e28d1b27c9e0fed3cc4ede0de63586ca261ad4922218

• C:\Users\Admin\Downloads\ransomware_notes-main.zip
  Filesize: 758KB
  MD5: 9ae2249c8e85edd83136b0f9a408df45
  SHA1: 52e972592b883f16378b8597fb5e588b51518b69
  SHA256: 8a8ef0bd7f5ecba1e8a32d0aa1dc97722caac357b5d9d886e0ef0bb1396e6eff
  SHA512: e3fc4691d6fcd5fc95cd656466a81a54b8e8cbc5312adb5385c877047941c469b28dec32cf998c5b5454199aa283ea5a0b13932c11434834d551113d64eca248

• C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\!_^_README_NOTES_RAGNAR_^_!.txt
  Filesize: 5KB
  MD5: 1c9c984854180991c4d95492b386a91d
  SHA1: 99888c9ffbadf0efdd03f2e628c2adcfe0a56f50
  SHA256: 8c90c6796e632829c215d017b71c4d7c6311f6cc8580a9409165a7ce3156f423
  SHA512: 0a739fe83cceb82f45213dcb14a0f49b06d26bfd986e0013ea4c35d64113a9c0a05b60bf7ba41d2631c757b88b6425c5b374fdb8edbd6d11595ad5e16b39ec3e

• C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\ragnarlocker1.txt
  Filesize: 5KB
  MD5: f2fda3f7fde7b2bad1af02523bf12878
  SHA1: 48736310cf9609e8a8d8dd1dddc3d8e59d441944
  SHA256: 2fee36d0468509804142969f6ee2f5e37f9cb17427bd7e5a6d437e2a4bbf6a9e
  SHA512: aa737b6408f9265f31fd6c0af8f49e42969a5c0ac0f32a6ece10f53fcb5cabc8e2d108361efbf7e285a870add73b800f309759363053095885c5a4286b50f0b8

• C:\Users\Admin\Downloads\ransomware_notes-main\stop\stop.txt
  Filesize: 1KB
  MD5: 4df17dc9d6d6f2879e8aeb6bf16f2eb2
  SHA1: bf4a4b5ab68ce7122f02cce3b5e6234476295d99
  SHA256: a27cb1e12ad18e43d593d55075416ff571a8a74b22fe84abfa283a0ee5dbef60
  SHA512: 3ceb545b9668b1404580130c9d98a76524a85d7d1e65eee4538d272140301f09fe361a6a54f40c2dea4be8f760b19af51b2e10c900cc720a8ca8559327a8efac
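The Downloads list records every file the sandbox saw written during the run, each with four digests. Before treating these as indicators, a practitioner will want to confirm that an artifact on their own disk (for instance a copy of ransomware_notes-main.zip) is byte-for-byte the object the sandbox analysed, which means parsing these records and comparing digests. The following is an added example for this page, not code from the sandbox vendor or from the ThreatLabz repository. It parses records in the layout used above (label and value either on one line or on consecutive lines, as the report renders them) and verifies a byte string against a record. The three embedded records are copied from the list above; the 1024-based size unit is an assumption, and because the report rounds sizes, only the digests are used for verification. Note that the same path (Crashpad\settings.dat, Preferences, Local State) can appear more than once with different digests: the file was rewritten during the run, so the parser keeps each version as its own record instead of collapsing them by path.

```python
"""Parse a sandbox report's Downloads records and verify local bytes against them.

Added example for this report page; not code from the sandbox vendor or from the
ThreatLabz repository. Digests in REPORT_EXCERPT are copied from the report's
Downloads list; the 1024-based size unit is an assumption."""
import hashlib
import re
from dataclasses import dataclass

# Three records copied from the Downloads list, in a compact "Label: value" layout.
# The parser also accepts the label and value on consecutive lines. settings.dat
# appears twice with different digests because it was rewritten during the run.
REPORT_EXCERPT = r"""
• C:\Users\Admin\Downloads\ransomware_notes-main.zip
  Filesize: 758KB
  MD5: 9ae2249c8e85edd83136b0f9a408df45
  SHA1: 52e972592b883f16378b8597fb5e588b51518b69
  SHA256: 8a8ef0bd7f5ecba1e8a32d0aa1dc97722caac357b5d9d886e0ef0bb1396e6eff
  SHA512: e3fc4691d6fcd5fc95cd656466a81a54b8e8cbc5312adb5385c877047941c469b28dec32cf998c5b5454199aa283ea5a0b13932c11434834d551113d64eca248
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7006aacd11b992cd29fca21e619e86ea
  SHA1: f224b726a114d4c73d7379236739d5fbb8e7f7b7
  SHA256: 3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814
  SHA512: 6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b80cf20d9e8cf6a579981bfaab1bdce2
  SHA1: 171a886be3a882bd04206295ce7f1db5b8b7035e
  SHA256: 10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1
  SHA512: 0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}   # hex digest lengths
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?::\s*(\S+))?$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([KMG]?B)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}    # assumed 1024-based


@dataclass
class DownloadRecord:
    path: str
    size_bytes: int      # rounded in the report, so informational only
    digests: dict        # algorithm name -> lowercase hex


def parse_size(text):
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def digests_of(data):
    """All four digests of a byte string, keyed like the report."""
    return {alg: hashlib.new(alg.lower(), data).hexdigest() for alg in HEX_LEN}


def parse_downloads(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        if not lines[i].startswith("•"):
            raise ValueError(f"expected a path bullet, got {lines[i]!r}")
        path, fields, i = lines[i][1:].strip(), {}, i + 1
        while i < len(lines) and (m := LABEL_RE.match(lines[i])):
            if m.group(2) is not None:          # "MD5: <hex>" on one line
                fields[m.group(1)] = m.group(2)
                i += 1
            elif i + 1 < len(lines):            # label line followed by value line
                fields[m.group(1)] = lines[i + 1]
                i += 2
            else:
                raise ValueError(f"{path}: {m.group(1)} has no value")
        if "Filesize" not in fields:
            raise ValueError(f"{path}: no Filesize")
        digests = {}
        for alg, n in HEX_LEN.items():          # reject truncated or non-hex digests
            value = fields.get(alg, "").lower()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", value):
                raise ValueError(f"{path}: missing or malformed {alg} {value!r}")
            digests[alg] = value
        records.append(DownloadRecord(path, parse_size(fields["Filesize"]), digests))
    return records


def group_by_path(records):
    """Map path -> every version recorded for it (rewritten files yield several)."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.path, []).append(rec)
    return groups


def verify_bytes(record, data):
    """Algorithms whose digest of `data` disagrees with the record; [] means the bytes
    are the artifact the sandbox recorded. All four are compared, so one mistyped or
    tampered digest in the record is still noticed."""
    computed = digests_of(data)
    return [alg for alg in HEX_LEN if computed[alg] != record.digests[alg]]


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    for path, versions in group_by_path(recs).items():
        print(f"{len(versions)} version(s): {path}")
    # Constructed bytes, not the real archive: every digest disagrees.
    print(verify_bytes(recs[0], b"not the real archive"))
```

To check a local copy, read it with `open(path, "rb").read()` and pass the bytes to `verify_bytes` together with the record for that path; an empty list means the sandbox analysed exactly those bytes, while any non-empty list means a different object, and the list of disagreeing algorithms tells you whether one digest was merely transcribed wrongly or the whole file differs.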