Analysis

  • max time kernel
    168s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-09-2021 03:04

General

  • Target

    sqlservr.exe

  • Size

    1.8MB

  • MD5

    e1338c42da2d2363afbbd0eeabad1ca9

  • SHA1

    fe5d669b732c9227bb25787083906f49b732c335

  • SHA256

    61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

  • SHA512

    bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note
8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888

Made by Cerebrate - Dread Forums
TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]

[Q1] What happened, I cannot open my files and they have an odd extension?
[A1] Your files have been encrypted by Redeemer, a new ransomware operation.

[Q2] Is there any way to recover my files?
[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).

[Q3] Is there any any way to recover my files without paying?
[A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files.

[Q4] What is XMR (Monero)?
[A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero.

[Q5] How will I decrypt my files?
[A5] Follow the general instructions:
-1. Buy 02 XMR.
-2. Contact helpdecryptmyfiles@yandex.com and send the following key:
-----BEGIN REDEEMER PUBLIC KEY-----
NDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG
m2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p
D4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw
0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T
Yr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R
A/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly
6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G
6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0
U7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9
YLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL
ToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg
uEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr
CJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84
GhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA==
-----END REDEEMER PUBLIC KEY-----
-3. You will receive an XMR address where you will need to pay the requested amount of Monero.
-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.
Emails

helpdecryptmyfiles@yandex.com

Signatures

  • Clears Windows event logs 1 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Drops desktop.ini file(s) 16 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 7 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\ProgramData__\taskmgr.exe
      "C:\Windows\ProgramData__\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Deletes itself
      • Drops desktop.ini file(s)
      • Modifies WinLogon
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Application
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Security
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Setup
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log System
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log System
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
        3⤵
        PID:1364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
        3⤵
        PID:1376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
        3⤵
        • Modifies registry class
        PID:1628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
        3⤵
        • Modifies registry class
        PID:316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\ProgramData__\rem.bat" "
        3⤵
        PID:1608
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1164
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Application
          4⤵
          PID:1636
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Security
          4⤵
          PID:784
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Setup
          4⤵
          PID:1092
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log System
          4⤵
          PID:1740
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:568
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\system32\msg.exe
      msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
      2⤵
      PID:1640
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT
    1⤵
    PID:828
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1764
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\system32\msg.exe
      msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
      2⤵
      PID:1596
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT
    1⤵
    PID:1612
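
The command lines in the tree above (vssadmin delete shadows, wbadmin delete catalog / systemstatebackup, wevtutil clear-log for all four logs, and the ftype/assoc pair that binds the .redeem extension to a cmd /c msg * popup) are the parts of this run a detection engineer can hunt for directly in process-creation telemetry. The Python below is an added example and is not part of this report or of the sample: it matches Sysmon-style process-creation records against those command patterns, tags each hit with the ATT&CK v6 technique IDs this report's matrix uses (T1490, T1070, T1112), and walks the parent chain back so a hit is attributed to the dropped C:\Windows\ProgramData__\taskmgr.exe rather than to the cmd.exe wrapper. The record field names (pid, ppid, image, cmdline) are an assumption about the log schema, and the sample events are constructed to mirror this tree plus two benign look-alikes.

```python
# Added example: hunt the recovery-inhibition / log-clearing chain from this
# report in process-creation records. Field names and sample data are constructed.
import re

# Constructed Sysmon Event ID 1 style records mirroring the report's process tree.
# pid/ppid/image/cmdline are assumed field names; adapt to your schema.
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
    {"pid": 1068, "ppid": 900,  "image": r"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"'},
    {"pid": 1832, "ppid": 1068, "image": r"C:\Windows\ProgramData__\taskmgr.exe",
     "cmdline": r'"C:\Windows\ProgramData__\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\sqlservr.exe'},
    {"pid": 268,  "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"},
    {"pid": 524,  "ppid": 268,  "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /All /Quiet"},
    {"pid": 1852, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Application"},
    {"pid": 1712, "ppid": 1852, "image": r"C:\Windows\SysWOW64\wevtutil.exe",
     "cmdline": r"wevtutil clear-log Application"},
    {"pid": 1716, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Security"},
    {"pid": 1764, "ppid": 1716, "image": r"C:\Windows\SysWOW64\wevtutil.exe",
     "cmdline": r"wevtutil clear-log Security"},
    {"pid": 1364, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"},
    {"pid": 1628, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare'},
    {"pid": 316,  "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer"},
    # Benign look-alikes that must not fire: a read-only listing and a log-config query.
    {"pid": 2000, "ppid": 900,  "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"pid": 2001, "ppid": 900,  "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil gl Security"},
]

# Technique IDs follow the ATT&CK v6 matrix used in this report. Matching is on the
# command line, not the image, so the cmd.exe /c wrapper fires as well as its child.
RULES = (
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "backup catalog or system state backup deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1070", "event log cleared",            # 'cl' is wevtutil's short form of clear-log
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\s+(?P<log>[\w./-]+)", re.I)),
    ("T1112", "file association hijacked via ftype/assoc",   # only assignments, not queries
     re.compile(r"\b(?:ftype\s+\w+=|assoc\s+\.\w+=)", re.I)),
)


def classify(cmdline):
    """Return (technique_id, description, match) for every rule the command line trips."""
    return [(tid, desc, m) for tid, desc, rx in RULES if (m := rx.search(cmdline))]


def ancestry(events, pid):
    """Image paths from pid up to the root, child first; stops at unknown or cyclic ppids."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """One finding per (process, rule) hit, with the spawning chain attached."""
    return [{"pid": e["pid"], "tid": tid, "desc": desc, "chain": ancestry(events, e["pid"])}
            for e in events for tid, desc, _ in classify(e["cmdline"])]


def techniques(events):
    """Distinct ATT&CK technique IDs observed across all findings."""
    return sorted({f["tid"] for f in hunt(events)})


def cleared_logs(events):
    """Names of the event logs that wevtutil invocations cleared."""
    rx = RULES[2][2]
    return sorted({m.group("log") for e in events if (m := rx.search(e["cmdline"]))})


def origin(events, pid):
    """First ancestor that is not cmd.exe: the process that actually drove the chain."""
    for image in ancestry(events, pid)[1:]:
        if not image.lower().endswith("\\cmd.exe"):
            return image
    return None


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['tid']} pid={f['pid']:<5} {f['desc']:<48} origin={origin(SAMPLE_EVENTS, f['pid'])}")
    print("logs cleared:", cleared_logs(SAMPLE_EVENTS))
```

Every finding in the sample resolves to the dropped taskmgr.exe as its origin, which is the pivot an analyst wants: the cmd.exe and vssadmin.exe images are legitimate, the parent is not. Two forensic caveats belong next to this run. Clearing the Security log writes Event ID 1102 (the audit log was cleared) into the freshly cleared Security log, and clearing any other log writes Event ID 104 into the System log; because this sample clears System last, the 104 entries for Application, Security and Setup are gone, but the 1102 in Security remains as evidence of the clearing. And the ftype/assoc pair means the hijack persists in HKCR\.redeem and HKCR\redeemer\shell\open\command after the process tree is long dead, so registry review should accompany any process-log hunt.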

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic, then technique with the number of matching signatures and the v6 technique ID.

  • Persistence
    Winlogon Helper DLL (1) T1004
  • Defense Evasion
    Indicator Removal on Host (1) T1070
    File Deletion (2) T1107
    Modify Registry (1) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    System Information Discovery (1) T1082
    Remote System Discovery (1) T1018
  • Collection
    Data from Local System (1) T1005
  • Impact
    Inhibit System Recovery (2) T1490

Downloads

  • C:\Users\Admin\Desktop\Read Me.TXT
    MD5 d09a32bc5fc4af6f1551a43979e91dc4
    SHA1 54fbfd017467fc07e256e4178ead93335f8235a5
    SHA256 ce64c3d02d74c28bba52f7feee05236c11064e64f2a44a4d03b02f7c6e7a4bd4
    SHA512 45f75091380a17260a0d0eca73943432a41de756fbeb5a68e3f82f4010fce32c43f153e2f77c53e19fd3d20d63a622a15d7853928154ee106e740ee44814702a
  • C:\Windows\ProgramData__\rem.bat
    MD5 53fab9da99799401986ad696370e63fa
    SHA1 c9aa68df133d393a9de0edc933ccd27e0c66e4b1
    SHA256 cf58baf666d762256b17bcc8274f02af598ecb7daa827e8725a3f47c09bf2824
    SHA512 4fd246f6148a6a0c07ec09a90df5f6d340471cbe6dba7995cc64df1488b62147bb57ef424c5824e425275859235a1b247d582a51b4e586c50ff6d9c6c1bf973d
  • C:\Windows\ProgramData__\taskmgr.exe
    MD5 e1338c42da2d2363afbbd0eeabad1ca9
    SHA1 fe5d669b732c9227bb25787083906f49b732c335
    SHA256 61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
    SHA512 bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
  • \Windows\ProgramData__\taskmgr.exe
    MD5 e1338c42da2d2363afbbd0eeabad1ca9
    SHA1 fe5d669b732c9227bb25787083906f49b732c335
    SHA256 61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
    SHA512 bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

  • memory/268-65-0x0000000000000000-mapping.dmp
  • memory/316-78-0x0000000000000000-mapping.dmp
  • memory/524-66-0x0000000000000000-mapping.dmp
  • memory/784-90-0x0000000000000000-mapping.dmp
  • memory/828-81-0x000007FEFB631000-0x000007FEFB633000-memory.dmp
    Filesize 8KB
  • memory/1068-60-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize 8KB
  • memory/1092-91-0x0000000000000000-mapping.dmp
  • memory/1164-88-0x0000000000000000-mapping.dmp
  • memory/1364-75-0x0000000000000000-mapping.dmp
  • memory/1376-76-0x0000000000000000-mapping.dmp
  • memory/1412-74-0x0000000000000000-mapping.dmp
  • memory/1412-93-0x0000000000000000-mapping.dmp
  • memory/1460-73-0x0000000000000000-mapping.dmp
  • memory/1596-84-0x0000000000000000-mapping.dmp
  • memory/1608-86-0x0000000000000000-mapping.dmp
  • memory/1628-77-0x0000000000000000-mapping.dmp
  • memory/1636-89-0x0000000000000000-mapping.dmp
  • memory/1640-80-0x0000000000000000-mapping.dmp
  • memory/1680-72-0x0000000000000000-mapping.dmp
  • memory/1708-71-0x0000000000000000-mapping.dmp
  • memory/1712-68-0x0000000000000000-mapping.dmp
  • memory/1716-69-0x0000000000000000-mapping.dmp
  • memory/1740-92-0x0000000000000000-mapping.dmp
  • memory/1764-70-0x0000000000000000-mapping.dmp
  • memory/1832-62-0x0000000000000000-mapping.dmp
  • memory/1852-67-0x0000000000000000-mapping.dmp