Analysis
- max time kernel: 30s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-06-2021 12:01

Static task: static1
Behavioral task: behavioral1
  Sample: test_redeemer.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: test_redeemer.exe
  Resource: win10v20210410
General
- Target: test_redeemer.exe
- Size: 1.8MB
- MD5: e37a0ece30267233f1dddf3c2300393f
- SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
- SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
- SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
Malware Config
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2748  svchost.exe
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File created                  C:\Users\Admin\Pictures\ConvertFromGroup.raw.redeem    svchost.exe
    File created                  C:\Users\Admin\Pictures\NewMount.raw.redeem            svchost.exe
    File created                  C:\Users\Admin\Pictures\OptimizeUse.tiff.redeem        svchost.exe
    File created                  C:\Users\Admin\Pictures\StepSet.raw.redeem             svchost.exe
    File created                  C:\Users\Admin\Pictures\UnpublishInstall.png.redeem    svchost.exe
    File created                  C:\Users\Admin\Pictures\WaitProtect.crw.redeem         svchost.exe
    File opened for modification  C:\Users\Admin\Pictures\OptimizeUse.tiff               svchost.exe
  The encrypted copies keep the original name and append ".redeem"; the original OptimizeUse.tiff is opened for modification by the same process.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation  test_redeemer.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 2748  svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 2180  vssadmin.exe
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance  test_redeemer.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token / pid / process):
    SeBackupPrivilege         1968  vssvc.exe
    SeRestorePrivilege        1968  vssvc.exe
    SeAuditPrivilege          1968  vssvc.exe
    SeSecurityPrivilege       3400  wevtutil.exe
    SeBackupPrivilege         3400  wevtutil.exe
    SeSecurityPrivilege        852  wevtutil.exe
    SeBackupPrivilege          852  wevtutil.exe
    SeSecurityPrivilege       2780  wevtutil.exe
    SeBackupPrivilege         2780  wevtutil.exe
    SeSecurityPrivilege          8  wevtutil.exe
    SeBackupPrivilege            8  wevtutil.exe
    SeTakeOwnershipPrivilege  2748  svchost.exe   (repeated; accounts for the remaining entries of the 64)
  SeSecurityPrivilege and SeBackupPrivilege on wevtutil.exe are what clearing the Security log requires; the repeated SeTakeOwnershipPrivilege enables on the dropped svchost.exe line up with it taking over user files before rewriting them.
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (source pid / source process -> target pid / target process; each pairing is recorded three times):
    2208 test_redeemer.exe -> 2748 svchost.exe
    2748 svchost.exe       -> 2820 cmd.exe
    2820 cmd.exe           -> 2180 vssadmin.exe
    2748 svchost.exe       -> 2208 cmd.exe
    2208 cmd.exe           -> 3400 wevtutil.exe
    2748 svchost.exe       -> 3672 cmd.exe
    3672 cmd.exe           ->  852 wevtutil.exe
    2748 svchost.exe       ->  896 cmd.exe
     896 cmd.exe           -> 2780 wevtutil.exe
    2748 svchost.exe       -> 3836 cmd.exe
    3836 cmd.exe           ->    8 wevtutil.exe
  Note the PID reuse: 2208 is test_redeemer.exe for the first three writes and a cmd.exe child of svchost.exe afterwards. When correlating these events, key on process identity (creation time plus PID), not on the PID alone, or the wevtutil.exe launch will be mis-attributed to the original sample.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe
      "C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\TEMP\svchost.exe
        "C:\Windows\TEMP\svchost.exe" C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe
        - Executes dropped EXE
        - Modifies extensions of user files
        - Deletes itself
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /All /Quiet
            - Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\wevtutil.exe
            wevtutil clear-log Application
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\wevtutil.exe
            wevtutil clear-log Security
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\wevtutil.exe
            wevtutil clear-log Setup
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wevtutil clear-log System
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\wevtutil.exe
            wevtutil clear-log System
            - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT

The bracketed number is the depth in the tree. Three details worth noting: the sample copies itself to C:\Windows\TEMP under the name svchost.exe and launches that copy with the original file's path as its only argument, which is the usual shape of a drop-and-self-delete stage; the command lines name C:\Windows\system32 but the resolved images live in C:\Windows\SysWOW64, i.e. the sample is a 32-bit process and WOW64 file system redirection is in effect; and vssvc.exe (the Volume Shadow Copy service) is started by the system in response to the vssadmin request, which is why it appears as a separate top-level process. A genuine svchost.exe is started from C:\Windows\System32 by services.exe, so an svchost.exe image under C:\Windows\TEMP with a user-land parent is a high-confidence indicator on its own.
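The process tree above is the kind of record a detection pipeline has to turn into alerts. The following Python is an added example and is not part of the sandbox report or the sample: it replays process-creation records constructed from the PIDs, image paths and command lines in the tree (the record layout, the ppid of 0 for the root whose parent the report does not show, and the rule names are assumptions) and applies three checks a responder would want: shadow-copy deletion via vssadmin (generalised to the wmic shadowcopy delete variant, which the page does not show), event-log clearing via wevtutil (both the clear-log and cl spellings), and a system-binary name running outside a system directory. Parent resolution walks backwards through creation order rather than indexing by PID, so the reused PID 2208 is attributed to the cmd.exe child and not to test_redeemer.exe.

```python
"""Process-tree triage for the vssadmin / wevtutil pattern in the report above.

Added example. SAMPLE_EVENTS is constructed from the report's process tree;
it is not sandbox output, and the field layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. List position stands in for creation time."""
    pid: int
    ppid: int
    image: str      # resolved image path
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    chain: str      # earliest known ancestor > ... > offending process


# Constructed from the report's tree. ppid 0 marks a parent the report does not
# show. PID 2208 is reused: first test_redeemer.exe, later a cmd.exe child.
SAMPLE_EVENTS = [
    ProcEvent(2208, 0,    r"C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe"'),
    ProcEvent(2748, 2208, r"C:\Windows\TEMP\svchost.exe",
              r'"C:\Windows\TEMP\svchost.exe" C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe'),
    ProcEvent(2820, 2748, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    ProcEvent(2180, 2820, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /All /Quiet"),
    ProcEvent(2208, 2748, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Application"),
    ProcEvent(3400, 2208, r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil clear-log Application"),
    ProcEvent(3672, 2748, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Security"),
    ProcEvent(852,  3672, r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil clear-log Security"),
    ProcEvent(896,  2748, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup"),
    ProcEvent(2780, 896,  r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil clear-log Setup"),
    ProcEvent(3836, 2748, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wevtutil clear-log System"),
    ProcEvent(8,    3836, r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil clear-log System"),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names that legitimately run only from a system directory; a copy dropped
# elsewhere (svchost.exe in C:\Windows\TEMP here) is name masquerading.
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b|\bshadowcopy\s+delete\b", re.I)
LOG_CLEAR = re.compile(r"\b(?:cl|clear-log)\s+\S+", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def parent_index(events: List[ProcEvent], idx: int) -> Optional[int]:
    """Most recent record before idx whose pid equals the child's ppid.

    Resolving by creation order is what stops the reused PID 2208 from
    attributing wevtutil.exe (3400) to test_redeemer.exe instead of cmd.exe.
    """
    ppid = events[idx].ppid
    for j in range(idx - 1, -1, -1):
        if events[j].pid == ppid:
            return j
    return None


def ancestry(events: List[ProcEvent], idx: int) -> List[ProcEvent]:
    """Chain from the earliest known ancestor down to events[idx]."""
    chain = [events[idx]]
    cur: Optional[int] = idx
    while (cur := parent_index(events, cur)) is not None:
        chain.append(events[cur])
    return list(reversed(chain))


def fmt_chain(chain: List[ProcEvent]) -> str:
    return " > ".join(f"{basename(e.image)}({e.pid})" for e in chain)


def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three rules to every record and attach the full ancestry."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        name = basename(ev.image)
        rule = None
        if name in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(ev.cmdline):
            rule = "shadow_copy_deletion"
        elif name == "wevtutil.exe" and LOG_CLEAR.search(ev.cmdline):
            rule = "event_log_cleared"
        elif name in PROTECTED_NAMES and dirname(ev.image) not in SYSTEM_DIRS:
            rule = "system_binary_name_outside_system_dir"
        if rule:
            findings.append(Finding(rule, ev.pid, ev.image, fmt_chain(ancestry(events, i))))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.chain}")
```

Run stand-alone it prints six findings: the masquerading svchost.exe, one shadow-copy deletion, and the four log clears, each with its chain back to test_redeemer.exe. In a real pipeline the records would come from Sysmon Event ID 1 or Security 4688 with the process creation time included in the identity; the backwards walk over creation order here is the same idea applied to an ordered list.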
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Read Me.TXT
  MD5: 8399d77548bbdd4cd8020f27ceba399e
  SHA1: af1be979ead3fe438fc444030aa03c5b55960329
  SHA256: c969cd9195baf8f224418f8bdc90ba2b82f9fc02560b6442a5ce98cd7de982a4
  SHA512: 65d00b9e7890ca12adf8e561fc4b9b8064e1fdf683d9909a37177920d11283a72fccfda10dd4dd34d191d19e24098bd0e06ba6b0c42cf134522fbe80aa08ff25
- C:\Windows\TEMP\svchost.exe
  MD5: e37a0ece30267233f1dddf3c2300393f
  SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
  SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
  SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
- C:\Windows\Temp\svchost.exe
  MD5: e37a0ece30267233f1dddf3c2300393f
  SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
  SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
  SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
  The two svchost.exe entries are the same file recorded under two spellings of the path; all four hashes match the submitted test_redeemer.exe, so the dropped copy is byte-identical to the sample and the sample's hashes are sufficient to match it.
- Memory dumps (pid-offset-base-mapping.dmp):
  memory/8-126-0x0000000000000000-mapping.dmp
  memory/852-122-0x0000000000000000-mapping.dmp
  memory/896-123-0x0000000000000000-mapping.dmp
  memory/2180-118-0x0000000000000000-mapping.dmp
  memory/2208-119-0x0000000000000000-mapping.dmp
  memory/2748-114-0x0000000000000000-mapping.dmp
  memory/2780-124-0x0000000000000000-mapping.dmp
  memory/2820-117-0x0000000000000000-mapping.dmp
  memory/3400-120-0x0000000000000000-mapping.dmp
  memory/3672-121-0x0000000000000000-mapping.dmp
  memory/3836-125-0x0000000000000000-mapping.dmp