bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

Analysis

max time kernel
30s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
19/06/2021, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test_redeemer.exe
Size

1.8MB
MD5

e37a0ece30267233f1dddf3c2300393f
SHA1

27610367c41c1b8d3a26885b40fd7aac748189b2
SHA256

bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
SHA512

a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2748	svchost.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ConvertFromGroup.raw.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\NewMount.raw.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\OptimizeUse.tiff.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\StepSet.raw.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\UnpublishInstall.png.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\WaitProtect.crw.redeem	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeUse.tiff	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	test_redeemer.exe

Deletes itself 1 IoCs

pid	Process
2748	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2180	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	test_redeemer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeSecurityPrivilege	3400	wevtutil.exe
Token: SeBackupPrivilege	3400	wevtutil.exe
Token: SeSecurityPrivilege	852	wevtutil.exe
Token: SeBackupPrivilege	852	wevtutil.exe
Token: SeSecurityPrivilege	2780	wevtutil.exe
Token: SeBackupPrivilege	2780	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2748	2208	test_redeemer.exe	77
PID 2208 wrote to memory of 2748	2208	test_redeemer.exe	77
PID 2208 wrote to memory of 2748	2208	test_redeemer.exe	77
PID 2748 wrote to memory of 2820	2748	svchost.exe	79
PID 2748 wrote to memory of 2820	2748	svchost.exe	79
PID 2748 wrote to memory of 2820	2748	svchost.exe	79
PID 2820 wrote to memory of 2180	2820	cmd.exe	80
PID 2820 wrote to memory of 2180	2820	cmd.exe	80
PID 2820 wrote to memory of 2180	2820	cmd.exe	80
PID 2748 wrote to memory of 2208	2748	svchost.exe	82
PID 2748 wrote to memory of 2208	2748	svchost.exe	82
PID 2748 wrote to memory of 2208	2748	svchost.exe	82
PID 2208 wrote to memory of 3400	2208	cmd.exe	83
PID 2208 wrote to memory of 3400	2208	cmd.exe	83
PID 2208 wrote to memory of 3400	2208	cmd.exe	83
PID 2748 wrote to memory of 3672	2748	svchost.exe	84
PID 2748 wrote to memory of 3672	2748	svchost.exe	84
PID 2748 wrote to memory of 3672	2748	svchost.exe	84
PID 3672 wrote to memory of 852	3672	cmd.exe	85
PID 3672 wrote to memory of 852	3672	cmd.exe	85
PID 3672 wrote to memory of 852	3672	cmd.exe	85
PID 2748 wrote to memory of 896	2748	svchost.exe	86
PID 2748 wrote to memory of 896	2748	svchost.exe	86
PID 2748 wrote to memory of 896	2748	svchost.exe	86
PID 896 wrote to memory of 2780	896	cmd.exe	87
PID 896 wrote to memory of 2780	896	cmd.exe	87
PID 896 wrote to memory of 2780	896	cmd.exe	87
PID 2748 wrote to memory of 3836	2748	svchost.exe	88
PID 2748 wrote to memory of 3836	2748	svchost.exe	88
PID 2748 wrote to memory of 3836	2748	svchost.exe	88
PID 3836 wrote to memory of 8	3836	cmd.exe	89
PID 3836 wrote to memory of 8	3836	cmd.exe	89
PID 3836 wrote to memory of 8	3836	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe
"C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\TEMP\svchost.exe
  "C:\Windows\TEMP\svchost.exe" C:\Users\Admin\AppData\Local\Temp\test_redeemer.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Application
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Security
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Setup
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log System
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads